
Security policy bypass_settings ignored for service accounts when evaluating approval rules

Summary

Security policy bypass settings for service accounts work correctly for direct API pushes to protected branches, but do not appear to be considered in open merge requests. When a service account configured in bypass_settings.service_accounts creates a merge request, the MR widget incorrectly shows "Approval required" despite the bypass configuration exempting the service account from the Merge Request Approval Policy. Issue raised in ticket:

Renovate, used for automated dependency updates, cannot proceed with updates because the merge requests created by its bypassed bot service account are still blocked by the Merge Request Approval Policy (MRAP).

Steps to reproduce

  1. Create a security policy with merge request approval requirements preventing any pushes to protected branches
  2. Configure bypass_settings.service_accounts with a service account ID in the policy
  3. Using the service account's personal access token:
    • Make a direct API push to a protected branch → Works: Push bypasses security policy
    • Create a merge request → Fails: MR shows "Approval required" despite bypass configuration

Example Project

This occurs on any project with:

  • Security policy containing merge request approval rules
  • bypass_settings.service_accounts configured with valid service account IDs

What is the current bug behavior?

  1. Service account creates merge request
  2. MR widget displays "Approval required"
  3. Security policy approval rules are applied normally
  4. No bypass audit events are generated (security_policy_service_account_mr_bypass)
  5. Manual approval is required to merge, despite bypass configuration

What is the expected correct behavior?

  1. Service account creates merge request
  2. MR approval policy restriction should be bypassed
  3. No "Approval required" should appear in MR widget
  4. Audit events should be generated documenting the bypass when MR is merged
  5. MR should be mergeable without manual approval
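The following script is an added example, not code from the issue or from GitLab: it encodes the policy shape described above (an `approval_policy` with `bypass_settings.service_accounts`) and flags open merge requests authored by a bypassed service account that still report outstanding approvals, which is the behaviour this issue reports. The service account ID `4242`, the sample MR, the instance URL, project ID and token are all constructed placeholders; the live check uses the `GET .../merge_requests` and `GET .../merge_requests/:iid/approvals` endpoints of the GitLab REST API.

```python
import json
import urllib.request

# Constructed policy mirroring the approval_policy YAML shape; 4242 is a hypothetical service account ID.
POLICY = {
    "approval_policy": [{
        "name": "Require approval on protected branches",
        "enabled": True,
        "rules": [{"type": "any_merge_request", "branch_type": "protected", "commits": "any"}],
        "actions": [{"type": "require_approval", "approvals_required": 1, "role_approvers": ["maintainer"]}],
        "bypass_settings": {"service_accounts": [{"id": 4242}]},
    }]
}

# Constructed API responses shaped like the MR and approvals endpoints.
SAMPLE_MR = {"iid": 17, "author": {"id": 4242, "username": "renovate-bot"}}
SAMPLE_APPROVALS = {"approvals_required": 1, "approvals_left": 1, "approved": False}


def bypassed_service_account_ids(policy):
    """Collect service account IDs exempted by every enabled approval policy."""
    ids = set()
    for pol in policy.get("approval_policy", []):
        if not pol.get("enabled", True):
            continue
        for account in pol.get("bypass_settings", {}).get("service_accounts", []):
            ids.add(account["id"])
    return ids


def bypass_violated(mr, approvals, bypass_ids):
    """True when an MR authored by a bypassed service account still has approvals outstanding."""
    if mr["author"]["id"] not in bypass_ids:
        return False  # author is not exempt, so required approvals are expected
    return approvals.get("approvals_left", 0) > 0 and not approvals.get("approved", False)


def fetch_json(base_url, token, path):
    """Minimal authenticated GET against the GitLab v4 REST API."""
    req = urllib.request.Request(f"{base_url}/api/v4{path}", headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def find_violations(base_url, token, project_id, policy):
    """Return IIDs of open MRs where the service account bypass is not being honoured."""
    bypass_ids = bypassed_service_account_ids(policy)
    hits = []
    for mr in fetch_json(base_url, token, f"/projects/{project_id}/merge_requests?state=opened"):
        approvals = fetch_json(base_url, token, f"/projects/{project_id}/merge_requests/{mr['iid']}/approvals")
        if bypass_violated(mr, approvals, bypass_ids):
            hits.append(mr["iid"])
    return hits
```

Run `find_violations("https://gitlab.example.com", token, project_id, POLICY)` after reproducing the steps above; a non-empty result confirms the MR widget's "Approval required" state is reflected in the API as well, which is useful when tracking whether a fix has landed.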

Relevant logs and/or screenshots

Output of checks

Results of GitLab environment info

GitLab 18.3.2-ee (self-managed)

Possible fixes

Edited by Danny Bailey