[External Status Checks] Remove default status for API requests
Background
When External Status Checks were introduced, the only possible states were:
- Pending response.
- Received response, which indicated pass.
In other words, there was no way to indicate failure. This was done for the sake of simplicity/iteration. API clients, as well as the API itself, assume that every request from the client represents `passed`.
A failure state was implemented later, under #329636 (closed). For the sake of backward compatibility with existing API clients, the `status` parameter had a default of `passed`.
Problem to solve
For the External Status Checks API, a default status of `passed` basically means, "when in doubt, assume the MR can proceed". From a compliance perspective, we should assume the opposite.
Proposal
For External Status Checks, the `status` param should not have a default value. Requests without this param should receive a response of 400 Bad request. This is a breaking change, as discussed in a related issue, so must be made in a major release.
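The difference between the current default and the proposal, as an added Ruby sketch that is not GitLab's code: it compares how a request that omits `status` is resolved under each behaviour and whether the MR would be unblocked. The function names, the `failed` value name, and the 201 success code are assumptions made for the illustration.

```ruby
# Added illustration, not GitLab source code.
# Assumption: 'failed' is the name of the failure state; the issue names only 'passed'.
ALLOWED_STATUSES = %w[passed failed].freeze
BAD_REQUEST = [400, { 'message' => '400 Bad request' }].freeze

# Current behaviour described in the issue: a missing status defaults to 'passed'.
def legacy_resolve(params)
  status = params.fetch('status', 'passed')
  return BAD_REQUEST unless ALLOWED_STATUSES.include?(status)

  [201, { 'status' => status }] # 201 is an assumed success code
end

# Proposed behaviour: no default, so a missing or empty status is rejected.
def strict_resolve(params)
  status = params['status']
  return BAD_REQUEST if status.nil? || status.to_s.strip.empty?
  return BAD_REQUEST unless ALLOWED_STATUSES.include?(status)

  [201, { 'status' => status }]
end

# The MR may proceed only when a check was explicitly recorded as passed.
def merge_unblocked?(response)
  code, body = response
  code == 201 && body['status'] == 'passed'
end

# Constructed request bodies, including a client that drops the field entirely.
SAMPLE_REQUESTS = {
  'explicit pass' => { 'status' => 'passed' },
  'explicit fail' => { 'status' => 'failed' },
  'status omitted' => {},
  'status empty' => { 'status' => '' }
}.freeze

# Builds one row per sample: [label, unblocked under legacy, unblocked under proposal].
def compare_behaviours(requests = SAMPLE_REQUESTS)
  requests.map do |label, params|
    [label, merge_unblocked?(legacy_resolve(params)), merge_unblocked?(strict_resolve(params))]
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_behaviours.each do |label, legacy, strict|
    puts format('%-15s legacy_unblocked=%-5s strict_unblocked=%s', label, legacy, strict)
  end
end
```

The "status omitted" row is the only one where the two behaviours disagree: the legacy default unblocks the MR, while the strict version returns 400 and leaves the check unresolved.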