[BE] Support custom roles in merge request approval policies

Why are we doing this work

As we introduce new custom roles, merge request approval policies could provide more granular support for defining these roles within an action. For example, when a security finding is detected, require approval from 2 users with a custom security team role.

As part of this issue, we want to support the custom_role_approvers_ids field in the approval_policy:

type: approval_policy
actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
      - maintainer
      - 123
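
The snippet above mixes built-in role names and numeric custom role IDs in one role_approvers list. The following is an added example, not GitLab's own code, of a pre-merge lint for policy YAML that separates the two and flags entries that would resolve to no approver. The STANDARD_ROLES list, the function name and the known_custom_role_ids parameter are assumptions, and the sample policy is constructed.

```ruby
require 'yaml'

# Assumption: built-in role names accepted in role_approvers on your instance.
STANDARD_ROLES = %w[developer maintainer owner].freeze

# Constructed sample policy, modelled on the snippet in the issue.
SAMPLE_POLICY = <<~POLICY
  type: approval_policy
  actions:
    - type: require_approval
      approvals_required: 1
      role_approvers:
        - maintainer
        - 123
        - "123"
        - admin
        - 0
    - type: send_bot_message
      enabled: true
POLICY

# Splits role_approvers of every require_approval action into built-in role
# names and custom role IDs. Anything else lands in :invalid: unknown names,
# quoted IDs (YAML strings, not integers), non-positive IDs, and, when
# known_custom_role_ids is given, IDs that do not exist on the instance.
def classify_role_approvers(policy_yaml, known_custom_role_ids: nil)
  policy = YAML.safe_load(policy_yaml)
  result = { standard: [], custom_ids: [], invalid: [] }
  Array(policy['actions']).each do |action|
    next unless action.is_a?(Hash) && action['type'] == 'require_approval'

    Array(action['role_approvers']).each do |entry|
      case entry
      when String
        (STANDARD_ROLES.include?(entry) ? result[:standard] : result[:invalid]) << entry
      when Integer
        known = known_custom_role_ids.nil? || known_custom_role_ids.include?(entry)
        (entry.positive? && known ? result[:custom_ids] : result[:invalid]) << entry
      else
        result[:invalid] << entry
      end
    end
  end
  result
end

p classify_role_approvers(SAMPLE_POLICY) if __FILE__ == $PROGRAM_NAME
```

A non-empty :invalid list is worth failing the policy review on, since an approver entry that matches no role leaves the rule with fewer eligible approvers than the author intended.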

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

Verification steps

  • Create a custom role at the admin level (e.g. Admin => Settings => Roles and permissions) with the Approve merge request permission
  • Enable the custom role feature flag: echo "Feature.enable(:security_policy_custom_roles)" | rails c
  • Create a group and create MR approval policy with the custom role as approver:
type: approval_policy
name: Custom role approver
description: ''
enabled: true
policy_scope:
  projects:
    excluding: []
rules:
  - type: any_merge_request
    branch_type: protected
    commits: any
actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
      - 1
  - type: send_bot_message
    enabled: true
approval_settings:
  block_branch_modification: true
  block_group_branch_modification: true
  prevent_pushing_and_force_pushing: true
  prevent_approval_by_author: true
  prevent_approval_by_commit_author: true
  remove_approvals_with_new_commit: true
  require_password_to_approve: false
fallback_behavior:
  fail: closed
  • Add a user to the custom role from Manage -> Members
  • Create a project in the group and create an MR by updating the README
  • Verify that the user is added as an approver
Edited by Sashi Kumar Kumaresan