Merge request approval policy doesn't consider the custom role user as eligible for approval
Summary
A merge request approval policy that specifies a custom role as an approver does not consider users with that custom role as eligible approvers.
Steps to reproduce
- In a group, define a custom role in the group level
- In a project, grant a user the custom role defined in 1
- In a project, define a merge request approval policy as shown in the "Relevant logs and/or screenshots" section.
- Open a merge request that requires approval according to policy 1 above (in this example, MRs containing vulnerabilities)
- Confirm that users with custom roles are not considered eligible approvers.
Example Project
As discussed in #542536 (comment 2663083935), I have granted an Owner role on these projects for @mc_rocha and @g.hickman.
- Test project: https://gitlab.com/kkamiya_gl_ultimate_group/645488-replication
- Security policy project: https://gitlab.com/kkamiya_gl_ultimate_group/645488-replication-security-policy-project
What is the current bug behavior?
The user who has custom role are not considered as eligible approver.
What is the expected correct behavior?
The user who has custom role are considered as eligible approver.
Relevant logs and/or screenshots
- Custom role
- Project member
- Merge request approval policy
- MR
Output of checks
This bug happens on GitLab.com
Possible fixes
Patch release information for backports
If the bug fix needs to be backported in a patch release to a version under the maintenance policy, please follow the steps on the patch release runbook for GitLab engineers.
Refer to the internal "Release Information" dashboard for information about the next patch release, including the targeted versions, expected release date, and current status.
High-severity bug remediation
To remediate high-severity issues requiring an internal release for single-tenant SaaS instances, refer to the internal release process for engineers.