Discussion for #374602 Situation 2 and Situation 3 Security policy first
Background
We received user feedback that they recommend security policy be checked first to save time.
- When there are multiple reasons why an MR is blocked, do we want to display security policy together with other reasons?
- When there are multiple rules, do we recommend doing security policy first?
To summarise, there are two questions:
- What is the best order of the merge checks by default? Does the current order place security-related checks high enough?
- Among all approval rules, what is the best order in which to display them?
How it currently works
Just as an example, an MR could be blocked for the following reasons at the same time:
- Conflicts
- Threads not resolved
- Approval not given
- Marked as draft
- Pipeline not finished
In this scenario, the first important aspect for the user is that they still have the MR in "draft" mode. Until they intentionally change that to "ready", none of the other aspects are important, so we only show that message.
After that is solved, let's have a look at some of the remaining aspects. As one example, to solve the code conflict, the user would have to push new code, which would trigger a new pipeline. It would therefore not be logical to push users to wait for the pipeline to succeed when we know that there will also be a code conflict. Instead, we can just show the user the "code conflict" message, and only after that is solved and has triggered the new pipeline do we show the user that they should wait for the pipeline to finish.
Details related to 2: multiple rules involved
Feedback from a user: for example, when there are frontend reviews and security reviews, it is preferable to do the security review first, because if the frontend review is finished and the frontend code is then changed again after the security review, the frontend review will happen again.
Next steps
Do qualitative research to answer the following questions:
- Is the current default merge check ordering good enough? Can we come up with a better one? Can it change depending on the situation?
- Does the security policy need to be part of the "approval rule" merge check?
If the answer to No. 2 is YES, then 2.1; if the answer to No. 2 is NO, then 2.2.
- 2.1 Display one line of text, "All approvals need to be given" (current), or list out all approval rules with a default order.
- 2.2 Security policy will be a standalone merge check; in this case, back to question 1: what is the best order to display merge checks when security policy is enabled?