Group-level protected branch does not apply configuration to projects in the group

Summary

Protected branch configuration inherited from Group-level protected branches do not apply. The protected branch appears for the projects in the group, but the configuration is not applied.

If we add a Project-level protected branch with the same configuration as the Group-level protected branch, the configuration has the intended effect. It's as if the Group-level protected branch configuration is not used.

Customer has reported this behaviour, and was reproduced by GitLab Support in v16.4.1. This bug has also been confirmed by GitLab Support to impact v16.7.

Steps to reproduce

  1. Install v16.7 GitLab (I did with the official Docker image)
  2. Enable FF :group_protected_branches
  3. Create a group
  4. Create a group-level protected branch for main, with Developers + Maintainers and Instance Admins as Allowed to Merge, and No-one for Allowed to push and merge
  5. Create a project in the group
  6. As group and project owner, create a new branch from main
  7. Add changes to the new branch, create an MR
  8. Attempt to merge

Example Project

What is the current bug behavior?

Message appears Ready to merge by members who can write to the target branch, and the user's avatar appears with the tooltip Cannot merge

What is the expected correct behavior?

The user can merge based on the Group-level protected branch configuration

Relevant logs and/or screenshots

Output of checks

Results of GitLab environment info

Expand for output related to GitLab environment info 

(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:env:info`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)

Results of GitLab application Check

Expand for output related to the GitLab application check 
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true)


(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true)


(we will only investigate if the tests are passing)

Possible fixes

Edited by Michael Trainor