Protected Environment becomes invalid state when all of the Allowed-to-Deploy entries removed
Problem
A Protected Environment ends up in an invalid state when all of its Allowed-to-Deploy entries are removed. This happens when all of the assigned users/groups are gone from the project.
See #381877 (comment 1253516472) for more information.
A Protected Environment consists of an Allowed-to-Deploy list and a Required-to-Approve list. Each entry contains one of User, Group or Role. Currently, when the associated User or Group is removed from the project's team members, the corresponding entries are deleted as well. This is done for security reasons, so the entries have to be deleted together with the membership. FYI, the same cascading deletion happens for Protected Branches/Tags as well.
The described issue isn't serious for the Allowed-to-Deploy list, because removing an entry only means that the user/group loses deployment access to the protected environment. Since the user/group doesn't have access to the project anyway, it's totally fine to remove the entry itself; the environment protection keeps working either way. Probably, we should show `No One` in the list if all of the entries are gone, so that it's clear to users that no one is currently allowed to deploy.

The described issue is a bit more serious for the Required-to-Approve list, because removing an entry means that the environment requires fewer approvals. From the operator's perspective this is surprising: they thought that someone or some group cross-verifies the deployment, but that process is silently gone. One idea is to automatically insert a new entry into the list that still requires an approval but has no User/Group/Role specified, i.e. the environment requires an approval but `No One` is able to give it. In the settings UI, we could show "Please set a valid group, user or role to this entry. You can also delete this entry if approval is not necessary anymore." or something similar. In other words, this entry works as the "invalid configuration" flag discussed above. Aside from that, the proposed UX of showing a warning modal in the Project team page makes sense as well.
Proposal 1
- Remove the `validates :deploy_access_levels, length: { minimum: 1 }` validation. This allows users to have an empty Deployment execution allow-list.
- Show `No One` in the Allowed-to-Deploy dropdown to indicate that currently no one can deploy. This gives deployers a hint that they need to create a new entry to restore the workflow.
Proposal 2
- Insert a new entry with `role: Gitlab::Access::NO_ACCESS` if all of the entries are gone. This way, the Protected Environment at least won't become invalid.
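The following plain-Ruby sketch is an added example, not code from this issue or from the GitLab code base. It models the cascading deletion described above against the three behaviours under discussion (today's minimum-length validation, Proposal 1 with the validation removed, Proposal 2 with a `NO_ACCESS` sentinel entry) so the invalid-state problem and the fail-closed outcome of both proposals can be checked side by side. The class and method names, the `strategy:` flag and the numeric access-level values are assumptions made for this illustration; only `NO_ACCESS` and the `length: { minimum: 1 }` validation come from the issue text.

```ruby
# Added illustration (not GitLab's code): a plain-Ruby model of a Protected
# Environment's Allowed-to-Deploy list under the three behaviours discussed.
# Class names, the strategy flag and the numeric levels are assumptions.

module Access
  NO_ACCESS  = 0   # assumed value standing in for Gitlab::Access::NO_ACCESS
  DEVELOPER  = 30  # assumed
  MAINTAINER = 40  # assumed
end

# One Allowed-to-Deploy entry: exactly one of user, group or role is set.
Entry = Struct.new(:user, :group, :role, keyword_init: true)

class ProtectedEnvironment
  attr_reader :deploy_access_levels

  # :current   -> validates :deploy_access_levels, length: { minimum: 1 }
  # :proposal1 -> validation removed, an empty list is allowed
  # :proposal2 -> an empty list is refilled with a NO_ACCESS entry
  def initialize(entries, strategy: :current)
    @deploy_access_levels = entries.dup
    @strategy = strategy
  end

  # Equivalent of ActiveRecord's valid? for the one validation at issue.
  def valid?
    return true unless @strategy == :current
    @deploy_access_levels.length >= 1
  end

  # Mirrors the cascading deletion: when a member leaves the project, every
  # entry naming that user, or one of the groups they left with, is removed.
  def member_removed!(user:, groups: [])
    @deploy_access_levels.reject! do |e|
      e.user == user || (e.group && groups.include?(e.group))
    end
    if @strategy == :proposal2 && @deploy_access_levels.empty?
      @deploy_access_levels << Entry.new(role: Access::NO_ACCESS)
    end
    self
  end

  # A deployer is allowed if an entry names them, one of their groups, or a
  # role at or below their access level. NO_ACCESS matches nobody (fail closed).
  def allowed_to_deploy?(user:, groups: [], access_level:)
    @deploy_access_levels.any? do |e|
      next true if e.user == user
      next true if e.group && groups.include?(e.group)
      !e.role.nil? && e.role > Access::NO_ACCESS && access_level >= e.role
    end
  end

  # What the Allowed-to-Deploy dropdown would list; an empty or NO_ACCESS-only
  # list renders as "No One", as Proposal 1 suggests.
  def display_entries
    names = @deploy_access_levels.map do |e|
      next "user:#{e.user}" if e.user
      next "group:#{e.group}" if e.group
      e.role && e.role > Access::NO_ACCESS ? "role:#{e.role}" : nil
    end.compact
    names.empty? ? ["No One"] : names
  end
end

if __FILE__ == $PROGRAM_NAME
  env = ProtectedEnvironment.new([Entry.new(user: "alice")]) # constructed sample
  env.member_removed!(user: "alice")
  puts "current behaviour: valid? = #{env.valid?}"          # false: invalid record
  p2 = ProtectedEnvironment.new([Entry.new(group: "ops")], strategy: :proposal2)
  p2.member_removed!(user: "carol", groups: ["ops"])
  puts "proposal 2: valid? = #{p2.valid?}, shows #{p2.display_entries.inspect}"
end
```

Under the current behaviour the record stays invalid after the cascade, so any later save of the Protected Environment fails until someone adds an entry by hand. Under either proposal the record stays valid, and in both cases `allowed_to_deploy?` denies everyone, which is the fail-closed outcome the environment protection is supposed to preserve.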