Merge Request approval policy approval_settings block applies to all branches regardless of rules: branch_type: protected
Summary:
The approval_settings: section of a merge request approval policy currently overrides the project-level settings for all merge requests in the project — even those targeting unprotected branches — regardless of the rules: section specifying branch_type: protected.
This behaviour contradicts the expected scoping based on the rules: section and differs from the behavior of the actions: block, which only applies when the specified rule conditions are met.
Steps to reproduce:
1. Create a new MR approval policy at the project or group level.
2. In the policy YAML:
   - Define rules: with branch_type: protected.
   - Include approval_settings: to override project-level approval rules.
3. Create a merge request targeting an unprotected branch.
4. Observe the MR approval settings in the UI.
Expected Behavior:
approval_settings: should only apply when the conditions in rules: are satisfied. In this case, the rules restrict scope to branch_type: protected, so approval settings should not be overridden for MRs targeting unprotected branches.
Actual Behavior:
approval_settings: is applied to all merge requests, including those targeting unprotected branches. This causes enforcement of approval restrictions (e.g., "Prevent approval by commit author") outside the intended scope.
UI Discrepancy:
The UI currently states:
This clearly implies that only MRs targeting protected branches are affected, which is inconsistent with actual behavior.
Impact:
- Project-level approval policies are unintentionally enforced on unprotected branches.
- Causes confusion for users relying on branch_type: protected scoping.
- Potential misconfiguration of approval workflows.
Suggested Fix:
Ensure that approval_settings: are applied only when the rules: block is satisfied — consistent with how actions: behave.
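
A minimal policy matching the reproduction steps above, added here as an illustration and not taken from the original report. The policy name, the approver role, the approval count and the choice of enabled settings are assumptions.

```yaml
# Constructed example policy (policy.yml in the security policy project).
approval_policy:
  - name: Protected branch approvals        # hypothetical name
    description: Repro for approval_settings scoping
    enabled: true
    rules:
      # Scope as written by the policy author: protected branches only.
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      # Evaluated only when a rule above matches the MR's target branch.
      - type: require_approval
        approvals_required: 1               # assumed value
        role_approvers:
          - maintainer                      # assumed approver role
    approval_settings:
      # Per this report, these override project-level settings on every MR
      # in the project, including MRs that target unprotected branches.
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: true
```

To check a project for the behaviour, open an MR against an unprotected branch with this policy enabled and compare the MR's effective approval settings with the project-level ones.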
