Extend GraphQL approval rules with indication of invalid rules
What does this MR do and why?
This MR extends the `ApprovalRuleType` GraphQL type, adding two fields:
- `invalid`
- `allow_merge_when_invalid`
It changes the behavior of security policy approvals only. In case the rules become invalid, the approvals will fail closed, instead of failing open.
How to set up and validate locally
- Create a new security policy with secret detection and require approval from one user
- Configure with merge request & Merge
- Open an MR which adds a leaked secret, thus violating the policy
- Block the user used in the security policy
- Use GraphiQL to query the new fields. `invalid` should be `true`, `approved` should be `true` and `allowMergeWhenInvalid` should be `true` for the secret detection rule.

  ```graphql
  {
    project(fullPath: "<project-path>") {
      id
      mergeRequest(iid: "<MR-iid>") {
        id
        approvalState {
          invalidApproversRules {
            id
          }
          rules {
            id
            type
            approved
            approvalsRequired
            name
            section
            invalid
            allowMergeWhenInvalid
          }
        }
      }
    }
  }
  ```
- Enable the new feature flag:
Feature.enable(:invalid_scan_result_policy_prevents_merge)
- `invalid` should be `true`, `approved` should be `false` and `allowMergeWhenInvalid` should be `false` for the secret detection rule
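
A small check over the response of the query above, added here as an example and not part of the MR: it labels each rule as valid, fail-open or fail-closed from the `invalid` and `allowMergeWhenInvalid` fields. The two JSON responses, the rule names and ids are constructed, and the helper names are hypothetical.

```ruby
require "json"

# Constructed sample responses (not captured from a real instance), shaped like
# the query above: one with the feature flag disabled, one with it enabled.
FLAG_OFF = <<~JSON
  {"data":{"project":{"mergeRequest":{"approvalState":{"rules":[
    {"id":"gid://gitlab/ApprovalMergeRequestRule/1","name":"Secret detection",
     "approved":true,"invalid":true,"allowMergeWhenInvalid":true},
    {"id":"gid://gitlab/ApprovalMergeRequestRule/2","name":"All Members",
     "approved":false,"invalid":false,"allowMergeWhenInvalid":true}
  ]}}}}}
JSON
FLAG_ON = FLAG_OFF.sub('"approved":true,"invalid":true,"allowMergeWhenInvalid":true',
                       '"approved":false,"invalid":true,"allowMergeWhenInvalid":false')

# Classify one rule by how it behaves once it has become invalid.
# Responses that lack the new fields are reported as :unknown, not as safe.
def classify(rule)
  return :unknown unless rule.key?("invalid") && rule.key?("allowMergeWhenInvalid")
  return :valid unless rule["invalid"]

  rule["allowMergeWhenInvalid"] ? :fail_open : :fail_closed
end

# Returns { rule name => classification } for every rule in the response.
def audit(json)
  rules = JSON.parse(json).dig("data", "project", "mergeRequest", "approvalState", "rules")
  raise ArgumentError, "no approval rules in response" if rules.nil?

  rules.to_h { |r| [r["name"], classify(r)] }
end

# Names of invalid rules that still let the merge request through.
def fail_open_rules(json)
  audit(json).select { |_, state| state == :fail_open }.keys
end

if __FILE__ == $PROGRAM_NAME
  puts "flag off: #{audit(FLAG_OFF)}"
  puts "flag on:  #{audit(FLAG_ON)}"
end
```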
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #389905 (closed)
Edited by Martin Čavoj