Should authors of pull requests have the ability to change the required approvers per-pull request?

To begin with, let me explain when I am implementing, a project called Bulwark.

It will listen to GitLab web hooks to keep merge request approvers and approvals_required up to date, based off of the diff between the merge request and the target branch.

The diff will utilize GitHub's CODEOWNERS file method of determining who needs to approve a merge request.

It is mandatory that each merge request must have approval from all the users defined in CODEOWNERS that relate to the changes requested.

I have all this done, for the most part. I am in the phase where I am trying to battle test it and make sure it is fool proof and cannot be tampered/circumvented, but I think I ran into a snag.

Try this scenario:

  • I have a repository with only one admin, referred to as Admin1.
  • Another user, referred to as User1, has no commit access to this public repository.
  • Admin1 configures the required number of approvals to 1 for the repository. It also also allows each individual merge request to change approvers and approvals_required.
  • User1 forks the repository to make some changes.
  • User1 makes a merge request.

This is where things get tricky.

Since the repository has a allowed merge requests to change the approvers, User1 can assign anybody as that approver, even if it doesn't match the CODEOWNERS file.

Now, my webhooks will eventually get the merge request in sync, regardless of what approvers and approvals_required was provided by User1, but what if my webhooks has a delay in processing? There would be a small window where a merge request could be ready for merge, even though the required approvers approved the merge request.

It is great that you can override the approvers stuff per merge-request, but should a guest user (User1) with no special permissions to the public project, be able to change this information? I'd understand giving them permission to change title and description, but approvers?

I could get around this by adding another safe-gaurd in the actual merge process. I can configure the repository to only allow a special bot user to accept merge requests, and this bot will analyze the approvers to make sure they match CODEOWNERS before merging, but I don't think this should be necessary.

Can someone explain to me the thought process behind letting a guest change the approver-related settings in a merge request?