Bug: MR Approval Policy Still Applies After Unlinking Compliance Framework
Summary
When a project is unlinked from a compliance framework that scopes a Merge Request approval policy, the policy continues to apply in the MR UI, even though it is no longer shown in the compliance policies list for the project.
Steps to Reproduce
- Create or identify a compliance framework (e.g., ID: 2021349).
- Define a Merge Request approval policy scoped to that compliance framework:
  policy_scope:
    compliance_frameworks:
      - id: 123
- Link a project to this compliance framework.
- Confirm that the policy appears in the Compliance Policies tab and is enforced on MRs in the linked project.
- Now navigate to:
Project Settings → Security & Compliance → Compliance Center → Project Tab, then edit the project and deselect/unlink the compliance framework.
- Navigate to: Project → Security & Compliance → Policies
You will observe that no compliance policies are listed anymore.
However, the MR still shows the approval rules from the now unlinked MR approval policy.
Expected Behavior
Once a project is unlinked from a compliance framework:
- The scoped policy should no longer apply.
- No approval rules from that policy should be visible or enforced in MRs.
Actual Behavior
Even after unlinking the project from the framework:
- The MR approval rules persist in the MR UI.
- This results in stale policy enforcement, which can confuse users and block merges unnecessarily.
Proposed Fix
Ensure that unlinking a compliance framework from a project fully removes associated policy application, including MR approval rules. Trigger a background refresh or cache invalidation when frameworks are removed from a project.
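The following Ruby model is an added illustration of the fix, not GitLab's own code: a hypothetical `Policy`/`Project` pair where the MR approval rules are memoized, and `unlink_scenario` shows that the stale rules from the report persist unless the cached result is invalidated when the framework link is removed (policy name, framework id 123 and method names are constructed for the example).

```ruby
require 'set'

# A policy with the scope shape from the report:
#   policy_scope: { compliance_frameworks: [{ id: 123 }] }
Policy = Struct.new(:name, :policy_scope) do
  def framework_ids
    Array(policy_scope&.dig(:compliance_frameworks)).map { |f| f[:id] }.to_set
  end

  # No compliance_frameworks scope means the policy applies everywhere;
  # otherwise it applies only while the project is linked to a listed framework.
  def applies_to?(project)
    ids = framework_ids
    ids.empty? || project.framework_ids.intersect?(ids)
  end
end

class Project
  attr_reader :framework_ids

  def initialize(policies)
    @policies = policies
    @framework_ids = Set.new
    @cache = nil
  end

  def link_framework(id)
    @framework_ids << id
    invalidate_policy_cache
  end

  # invalidate: false reproduces the reported bug (unlink without cache refresh).
  def unlink_framework(id, invalidate: true)
    @framework_ids.delete(id)
    invalidate_policy_cache if invalidate
  end

  # Approval rules the MR UI would show; memoized like a cached evaluation.
  def mr_approval_rules
    @cache ||= @policies.select { |p| p.applies_to?(self) }.map(&:name)
  end

  def invalidate_policy_cache
    @cache = nil
  end
end

# Returns [rules while linked, rules after unlinking framework 123].
def unlink_scenario(invalidate_on_unlink:)
  policy = Policy.new('Require 2 approvals', { compliance_frameworks: [{ id: 123 }] })
  project = Project.new([policy])
  project.link_framework(123)
  before = project.mr_approval_rules
  project.unlink_framework(123, invalidate: invalidate_on_unlink)
  [before, project.mr_approval_rules]
end
```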