
Approval rules using subgroups don't work after feature flag release

Summary

👋 It appears the rollout of [Feature flag] Rollout of `subgroups_approval_r... (#366741 - closed) (:subgroups_approval_rules) is impacting customers that utilise subgroups in merge request approval rules. Given this can break approval rules I've marked it as confidential until the group confirms it can be released as public information.

I've assigned @vyaklushin for review of this issue to confirm it is related to the feature.

Originally reported in this ticket, a customer has indicated approval rules aren't working correctly. From further examination it was found they extensively use subgroups in their approval rules.

We've taken steps to reproduce this in both SaaS and Self-managed, with the former being available to GitLab team members in this example project and this merge request. For Self-managed instances, you must use GitLab 15.2 and enable the feature flag with:

Feature.enable(:subgroups_approval_rules)

And create a new merge request to see the behaviour.

Self-Managed (without feature flag) - GIF: working
Self-Managed (with feature flag) - GIF: broken

Steps to reproduce

On GitLab.com (SaaS):

You will need to have a project and subgroup to use as a group for approval rules.

  1. Create a group that is linked to a Premium subscription. An easy example is a subgroup using gitlab-gold if you have access.
  2. Create a subgroup.
  3. Under the subgroup, create a project named 'Project'.
  4. Under the subgroup, create another subgroup, named 'code-approvers-group'.
  5. Under the 'code-approvers-group' group, create another subgroup named 'reviewers-one'.

The structure should be similar to:

Project: Parent → subgroup → Project

Group: Parent → subgroup → code-approvers-group → reviewers-one

Next, create working and not working rules in the project under Settings > General > Merge Request Approvals

  1. Working Rule
     • Rule name: "Working Rule"
     • Target branch: main
     • Approvals required: 1
     • Add approvers: Parent/subgroup
  2. Not Working Rule
     • Rule name: "Not Working Rule"
     • Target branch: main
     • Approvals required: 1
     • Add approvers: Parent/subgroup/code-approvers-group/reviewers-one

Most GitLab team members can check the settings in the example project.

If using Self-Managed, enable the feature flag with Feature.enable(:subgroups_approval_rules), then follow the above steps.

Example Project

https://gitlab.com/gitlab-gold/benjaminking/broken-approvals

What is the current bug behavior?

Approval rules referencing the subgroup are not applied, with the rule marked as "complete", and not showing group members:

image

Additionally, the label for the approvals shows 2 approvals are required for the working rule:

image

Workaround

The current workaround appears to be to set Prevent editing approval rules in merge requests, which stops this from happening during MR creation.

What is the expected correct behavior?

The approval rule referencing the subgroup should be applied, to ensure there is a level of oversight on approvals for merging code.

Relevant logs and/or screenshots

Provided above where applicable 😄

Edited by Ben King
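
An added example, not part of the original issue or GitLab's own code: a check that compares a project's configured approval rules with the rule state on a merge request and flags the two symptoms described above (a subgroup rule marked complete with no members, and a changed approval count). The field names are modeled on GitLab's approval-rule API responses and are an assumption; all data is constructed.

```python
# Added example. Field names are modeled on GitLab's approval-rule API
# responses (assumption); every value below is constructed sample data.

def audit_mr_rules(project_rules, mr_rules):
    """Return (rule name, problem) pairs where the merge request's
    rule state diverges from the project's configured rules."""
    findings = []
    by_name = {r["name"]: r for r in mr_rules}
    for expected in project_rules:
        required = expected["approvals_required"]
        if required == 0:
            continue  # optional rule, nothing to enforce
        name = expected["name"]
        actual = by_name.get(name)
        if actual is None:
            findings.append((name, "missing from merge request"))
            continue
        if actual["approvals_required"] != required:
            findings.append((name, "approvals_required differs from project rule"))
        if expected["groups"] and not actual["eligible_approvers"]:
            findings.append((name, "group rule has no eligible approvers"))
        if actual["approved"] and len(actual["approved_by"]) < required:
            findings.append((name, "marked approved without enough approvals"))
    return findings

# Constructed project-level rules, mirroring the two rules in the steps above.
PROJECT_RULES = [
    {"name": "Working Rule", "approvals_required": 1,
     "groups": [{"full_path": "Parent/subgroup"}]},
    {"name": "Not Working Rule", "approvals_required": 1,
     "groups": [{"full_path": "Parent/subgroup/code-approvers-group/reviewers-one"}]},
]

# Constructed merge-request state showing both reported symptoms.
MR_RULES = [
    {"name": "Working Rule", "approvals_required": 2, "approved": False,
     "approved_by": [], "eligible_approvers": [{"username": "example-user"}]},
    {"name": "Not Working Rule", "approvals_required": 1, "approved": True,
     "approved_by": [], "eligible_approvers": []},
]

if __name__ == "__main__":
    for rule, problem in audit_mr_rules(PROJECT_RULES, MR_RULES):
        print(f"{rule}: {problem}")
```

A differing approvals_required is only a finding where rules are not meant to be edited per merge request.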