Spike: Prepare Architectural Blueprint for MR Approval Policy Exceptions/Bypass

Objective

Prepare a comprehensive architectural blueprint for implementing the Exceptions/Bypass feature in Merge Request Approval Policies as described in Epic &14090. This spike will serve as the foundation for our implementation plan.

Deliverables

  1. Data Structure Design
    • Database schema for policy waivers and related entities
    • Entity relationship diagrams
    • Required migrations
  2. API Design
    • RESTful endpoints for managing policy waivers
    • GraphQL schema updates (if applicable)
    • Permission model
  3. Backend Architecture
    • Service classes and their responsibilities
    • Integration points with existing MR approval flow
    • Integration with Gitaly for push operations
  4. Frontend Components
    • High-level component interactions (list of APIs that should be used for each mockup provided in the Epic)
  5. Flow Diagrams
    • User flows for configuring waivers
    • User flows for using waivers in different scenarios
    • System sequence diagrams
  6. Implementation Plan
    • Phased approach with milestones
    • Dependencies and prerequisites
    • Testing strategy

Key Use Cases to Address

  • Service Account & Bot User Exceptions for automation workflows
  • Protected Branch Push Exceptions for GitFlow and other workflows
  • Emergency Override with proper audit trails
  • Designated User Override based on roles, groups, or custom roles
  • Source branch pattern exceptions

Considerations

  • Security implications and potential vulnerabilities
  • Audit and compliance requirements
  • Performance impact
  • User experience for both administrators and developers
  • Integration with existing GitLab features

Timeline

  • Complete this spike within 1-2 weeks
  • Present findings to the team for review and feedback
  • Use the blueprint to create implementation issues for the feature

Resources

  • Epic &14090 contains detailed requirements and customer use cases
  • Existing MR approval policy implementation
  • Customer feedback and competitive research in the epic

Please document any questions, assumptions, or technical challenges encountered during the spike.

Edited by Alan (Maciej) Paruszewski