[Spike] Create backend MVC for MR Approval Policies Warn Mode

This issue is about figuring out how to implement backend support for a "Warn Mode" that allows security teams to test policies without disrupting development workflows. This mode should generate bot comments for detected violations and create optional approval rules without blocking MRs.

Implementation Details

1. Policy Evaluation Logic

  • Extend the policy evaluation service to handle warn mode differently:
    • Create a method to determine if a policy is in warn mode (`approvals_required: 0` combined with the bot message enabled)
    • Modify evaluation logic to create optional approval rules instead of required ones when in warn mode

2. MR Approval Rules Handling

  • Update the approval rule creation logic to handle warn mode:
    • Create approval rules with approvals_required: 0
    • Add specified approvers as optional approvers
    • Ensure the rule is properly displayed in the MR UI

3. Bot Comment Implementation

  • Enhance bot comments to clearly indicate when a policy is in warn mode:
    • Include a clear header indicating this is a warning
    • List all detected violations
    • Add a note that the policy is in warn mode and will not block merging

4. Audit Events

  • Create audit events when policy violations are detected:
    • Record MR author, approvers, and policy violation details
    • Include information about dismissals if applicable
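The four steps above fit together into one evaluation flow: detect warn mode, build the optional approval rule, compose the bot comment, and emit the audit event. The following Ruby model is an added illustration, not GitLab's own code; every class, method and hash key (`warn_mode?`, `build_approval_rule`, `bot_message_enabled`, the policy and MR hash shapes) is a hypothetical stand-in for the real services, and the policy, MR and violation values are constructed sample input.

```ruby
# Added illustration (hypothetical, not GitLab's code) of warn-mode policy
# evaluation: zero required approvals plus an enabled bot message means the
# policy comments and attaches an optional rule instead of blocking the MR.
require 'json'

module WarnModePolicy
  # Step 1: a policy is in warn mode when it requires zero approvals AND the
  # bot message is enabled. Both conditions are needed; approvals_required: 0
  # alone is not warn mode.
  def self.warn_mode?(policy)
    policy.fetch(:approvals_required, 0).zero? && policy[:bot_message_enabled] == true
  end

  # Step 2: the approval rule attached to the MR. In warn mode it requires no
  # approvals and lists the policy's approvers as optional approvers, so the
  # rule is still visible in the MR UI without gating the merge.
  def self.build_approval_rule(policy)
    warn = warn_mode?(policy)
    {
      name: policy[:name],
      approvals_required: warn ? 0 : policy[:approvals_required],
      approvers: policy[:approvers],
      optional: warn
    }
  end

  # Step 3: the bot comment: a header that marks it as a warning, the list of
  # detected violations, and a note that merging is not blocked.
  def self.build_bot_comment(policy, violations)
    warn = warn_mode?(policy)
    lines = []
    lines << (warn ? "## Warning: policy `#{policy[:name]}` is in warn mode" :
                     "## Policy `#{policy[:name]}` violations")
    lines << ''
    lines << 'Detected violations:'
    violations.each { |v| lines << "- #{v}" }
    lines << ''
    lines << 'This policy is in warn mode and will not block merging.' if warn
    lines.join("\n")
  end

  # Step 4: the audit event, recording MR author, approvers, violation details
  # and any dismissals.
  def self.build_audit_event(policy, mr, violations, dismissals: [])
    {
      event: 'policy_violation_detected',
      policy: policy[:name],
      warn_mode: warn_mode?(policy),
      mr_author: mr[:author],
      approvers: policy[:approvers],
      violations: violations,
      dismissals: dismissals
    }
  end

  # Whole flow. With no violations nothing is created; otherwise the MR is
  # blocked only when the policy is enforcing (not in warn mode).
  def self.evaluate(policy, mr, violations, dismissals: [])
    return { blocked: false, rule: nil, comment: nil, audit_event: nil } if violations.empty?

    {
      blocked: !warn_mode?(policy),
      rule: build_approval_rule(policy),
      comment: build_bot_comment(policy, violations),
      audit_event: build_audit_event(policy, mr, violations, dismissals: dismissals)
    }
  end
end

# Constructed sample input (hypothetical shapes, not GitLab's policy schema).
WARN_POLICY = { name: 'license-check', approvals_required: 0,
                bot_message_enabled: true, approvers: ['@sec-team'] }.freeze
ENFORCING_POLICY = WARN_POLICY.merge(approvals_required: 1).freeze
SAMPLE_MR = { iid: 42, author: 'alice' }.freeze
SAMPLE_VIOLATIONS = ['GPL-3.0 license detected in new dependency',
                     'Critical finding in dependency scan'].freeze

if __FILE__ == $PROGRAM_NAME
  result = WarnModePolicy.evaluate(WARN_POLICY, SAMPLE_MR, SAMPLE_VIOLATIONS,
                                   dismissals: ['finding-17 dismissed by bob'])
  puts result[:comment]
  puts JSON.pretty_generate(result[:audit_event])
end
```

Running the file prints the warn-mode comment and the audit event JSON; the same `evaluate` call with `ENFORCING_POLICY` returns `blocked: true` and a rule that keeps `approvals_required: 1`, which is the behaviour difference the spike is about.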