Avoid scan policies sync action for all projects in a group when a protected branch is created/destroyed
Why are we doing this work
Every time a protected branch is created or destroyed we call Security::SecurityOrchestrationPolicies::SyncScanResultPoliciesService, which in turn calls Security::ProcessScanResultPolicyWorker for every project that the policy project has been configured for. We don't need to call Security::ProcessScanResultPolicyWorker for the other projects, to which the protected branch has no relation. This issue focuses on fixing this behaviour so that only the protected branch's own project is updated.
This issue is a corrective action for the recent incident 2023-02-23: shard_urgent_cpu_bound SLI of the s... (gitlab-com/gl-infra/production#8454 - closed)
Relevant links
- Incident: 2023-02-23: shard_urgent_cpu_bound SLI of the s... (gitlab-com/gl-infra/production#8454 - closed)
Non-functional requirements
- Documentation: -
- Feature flag: -
- Performance: -
- Testing:
Implementation plan
- backend: Update Security::SecurityOrchestrationPolicies::SyncScanResultPoliciesService to consider only the project for which the protected branch was created/destroyed, instead of all projects in the group.
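To make the fan-out concrete, here is an added illustration (not GitLab's code and not the service named in this issue): a simplified model in which a protected-branch change selects the projects to re-process, shown both as the behaviour described above (every project in the group) and as the corrected behaviour (only the branch's own project). The structs, the `FakeProcessScanResultPolicyWorker` stub and the function names are hypothetical stand-ins.

```ruby
# Added example, not GitLab code: a simplified model of the worker fan-out
# described in the issue. All names below are hypothetical stand-ins.

# Stand-in for Security::ProcessScanResultPolicyWorker: records each enqueued
# project id instead of scheduling a Sidekiq job, so the fan-out can be inspected.
class FakeProcessScanResultPolicyWorker
  @enqueued = []

  class << self
    attr_reader :enqueued

    # Mimics perform_async(project_id); returns a job id for convenience.
    def perform_async(project_id)
      @enqueued << project_id
      "job-#{@enqueued.size}"
    end

    def reset!
      @enqueued = []
    end
  end
end

# Minimal stand-ins for the domain objects involved (constructed for this example).
Project = Struct.new(:id, :group)
Group = Struct.new(:id, :projects)
ProtectedBranch = Struct.new(:name, :project)

# Behaviour before the fix: every project in the policy-configured group is
# selected, regardless of which project's protected branch changed.
def projects_to_sync_before_fix(protected_branch)
  protected_branch.project.group.projects
end

# Behaviour after the fix: only the project owning the protected branch.
def projects_to_sync_after_fix(protected_branch)
  [protected_branch.project]
end

# Enqueues one worker job per selected project; returns the job ids.
def enqueue_sync(projects, worker)
  projects.map { |project| worker.perform_async(project.id) }
end

# Builds a constructed fixture: one group with `project_count` projects and a
# protected branch belonging to the first project.
def build_fixture(project_count)
  group = Group.new(1, [])
  projects = (1..project_count).map { |i| Project.new(i, group) }
  group.projects.concat(projects)
  ProtectedBranch.new("release/*", projects.first)
end

if __FILE__ == $PROGRAM_NAME
  branch = build_fixture(50)
  before = enqueue_sync(projects_to_sync_before_fix(branch), FakeProcessScanResultPolicyWorker).size
  FakeProcessScanResultPolicyWorker.reset!
  after = enqueue_sync(projects_to_sync_after_fix(branch), FakeProcessScanResultPolicyWorker).size
  puts "jobs enqueued per branch change: before fix=#{before}, after fix=#{after}"
end
```

The point the model makes is that the cost of one protected-branch event scales with the number of projects in the group before the fix and is constant afterwards, which is why the unbounded variant can saturate a CPU-bound shard when many branches are created or destroyed in a large group.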
Verification steps
- Create a group and configure scan result policies for the group. Create multiple projects in the group and create MRs matching the scan result policies.
- Create/destroy a protected branch in one of the projects and verify that the approval rules are not updated for the other projects within the group.
Edited by Alan (Maciej) Paruszewski