Show 'Create Confidential Merge Request' button when issue is confidential and project is private
Problem to solve
There is no option to create a confidential merge request (or any merge request) on confidential issues in private projects. All other issues have a Create Merge Request
or a Create Confidential Merge Request
button. The lack of this button in this case is confusing to users as creation of a MR (or branch) from an issue is a standard part of GitLab workflow.
Intended users
Any users of GitLab who create merge requests from issues.
Further details
Starting with GitLab 12.1, confidential merge requests are offered for confidential issues in public projects. The dialog for this offers forking options and warns about leakage of confidential information. Such dialog does not appear for confidential issues in private projects.
From a user perspective, the difference between private and public projects is not readily apparent within the UI. For private projects, there is a small lock icon displayed next to the project name on the main project page. But the issue screen shows no indication whatsoever as to the visibility of the project. Thus, there can be confusion as to why there is sometimes no button offering to create a merge request.
This feature should operate similarly to the Create Confidential Merge Request
button in public projects and allow the resultant MR to appear in a different project that has a potentially a different set of users. In fact, the dialog box for public projects warns about this possibility in that the other project might be more open. In the case of private projects, the fact that the other project is more restrictive in its membership, is a powerful alternate use case.
Proposal
Ensure that every issue offers an appropriate button to create a merge request. This allows for a consistent workflow across projects regardless of their visibility.
Permissions and Security
There should be few permission issues here if we simply replicate the functionality and warnings associated with the existing Create Confidential Merge Request
button introduced in GitLab 12.1. The ability to fork elsewhere before creating such a merge request should be at least as restrictive as the project the repo is being forked from.
Documentation
Minor changes will be needed to this page documenting merge requests for confidential issues. Most likely this would be changing the word "public" to "public or private".
What does success look like, and how can we measure that?
Users will no longer be confused as to why there is not any sort of button offering the creation of a merge request from a confidential issue. We should receive support calls as a result.