Approval Rules - Fail Secure
Proposal
Ambiguity in regards to whether a MR has been a... (#334698 - closed) introduced a definition of Invalid Rules, which states:
Whenever an approval rule cannot be satisfied, the rule will be displayed as Invalid. This applies to the following conditions:
- The only eligible approver is the author of the merge request.
- No eligible approvers (either groups or users) have been assigned to the approval rule.
These rules will be automatically approved to unblock their respective merge requests.
This is essentially providing a fail-safe mechanism for merge requests.
In practice this means it is possible for unauthorised changes to be merged. For example, we automate the removal of users from our GitLab namespace after a period of in-activity which can cause this to happen. The correct behaviour should be the service owner ensures the CODEOWNERS
is updated however until this is done the risk remains.
We would like to propose a configuration option that allows for a fail-secure approach if the applicable CODEOWNERS
defines a default catch-all group *
.