Merge Request can be added to the train without approval using /merge quick action
Summary
Merge request approval can be easily bypassed just by using the /merge command in the comments.
Steps to reproduce
Hi! We have noticed the following issue. We created a project with an obligatory MR approval by a lead.
We use merge trains because this is the only way to prevent restarting deployment pipelines.
When we create an MR, it looks like this:
Merge button is not available
But... if I just go to the comments and type /merge, it just starts the MR pipeline!
Example Project
I could not create one with a personal project because it is not possible to create such a workflow with just 1 user.
What is the current bug behavior?
It starts the merge train pipeline without approval. Moreover, it also ignores the check "Prevent approvals by users who add commits". In this case, even if it's my commit, I can trigger deployment without approval.
What is the expected correct behavior?
This command /merge should be wisely revised. We do need it in specific cases. For example, if the MR train pipeline fails and we want to run it again, it is a bit too complicated to create a new MR and ask for approval. Instead, we can just allow the user to retry the failed MR pipeline in the same way as we do with the /merge command, but directly from the UI.
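An audit for the behaviour reported above, added here as an example and not part of the original issue or of GitLab's code: it lists merge-train entries whose merge request still lacks required approvals. The sample data is constructed; its field names are assumed to follow GitLab's REST responses for `GET /projects/:id/merge_trains` and `GET /projects/:id/merge_requests/:iid/approvals`, and `audit_train` is a hypothetical helper name.

```python
# Added example: flag merge-train entries whose MR is not fully approved.
# TRAIN and APPROVALS are constructed sample data shaped like the responses of
#   GET /projects/:id/merge_trains
#   GET /projects/:id/merge_requests/:iid/approvals
# (field names are an assumption based on GitLab's REST API).

TRAIN = [
    {"status": "fresh", "user": {"username": "dev1"},
     "merge_request": {"iid": 11, "title": "Deploy fix"}},
    {"status": "fresh", "user": {"username": "lead"},
     "merge_request": {"iid": 12, "title": "Bump deps"}},
    {"status": "merged", "user": {"username": "dev2"},
     "merge_request": {"iid": 13, "title": "Hotfix"}},
]
APPROVALS = {
    11: {"approvals_required": 1, "approvals_left": 1, "approved_by": []},
    12: {"approvals_required": 1, "approvals_left": 0,
         "approved_by": [{"user": {"username": "lead2"}}]},
    # iid 13 is deliberately absent to model a failed approvals lookup.
}


def audit_train(train, get_approvals):
    """Return one finding per train entry that is not provably approved.

    get_approvals(iid) returns the approvals record for an MR, or None when
    it cannot be fetched; an unknown state is reported, not assumed approved.
    """
    findings = []
    for car in train:
        iid = car["merge_request"]["iid"]
        state = get_approvals(iid)
        if state is None:
            reason = "approval state unavailable"
        elif state["approvals_left"] > 0:
            reason = (f'{state["approvals_left"]} of '
                      f'{state["approvals_required"]} approvals missing')
        else:
            continue  # fully approved: nothing to report
        findings.append({"iid": iid, "added_by": car["user"]["username"],
                         "train_status": car["status"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit_train(TRAIN, APPROVALS.get):
        print(finding)
```

Against a live instance, replace `APPROVALS.get` with a function that calls the approvals endpoint for each `iid` and returns `None` on error.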