Protected‑branch tooltip links to invalid URL when “Prevent group branch modification” Merge Approval Policy is enabled

Summary

When a Merge Approval Policy with Prevent group branch modification is active, the “Unprotect” action for a protected branch is disabled. Hovering the disabled button shows a tooltip with a security policies link that should open the group’s Security Policies page. Instead, the generated URL uses the protected branch’s ID in place of the group ID, leading to a 404.

Steps to reproduce

1. In a group, create or edit a Merge Approval Policy and enable Prevent group branch modification.
2. In that group, open Settings > Repository > Protected branches.
3. Locate a branch covered by the policy and hover over the disabled Unprotect button.
4. Click the security policies link in the tooltip.

What is the current bug behavior?

The security policies link points to https://gitlab.com/groups/<PROTECTED_BRANCH_ID>/-/security/policies. Clicking it returns 404 – Page Not Found.

What is the expected correct behavior?

The link should point to the group’s Security Policies page, https://gitlab.com/groups/<GROUP_ID>/-/security/policies, so users can review or modify the policy that enforces branch protection.

Relevant logs and/or screenshots

Output of checks

This bug happens on GitLab.com