Skip to content

Synchronize scan result policy approval rules on default branch change

Dominic Bauer requested to merge 406587-rebuild-approval-rules-on-default-branch-change into master

What does this MR do and why?

We are adding branch_type support to security policies (&9468 (closed)).

We need to synchronize approval rules on default branch changes to honor the default value.

How to set up and validate locally

  • Create a new project

  • Enable the feature flag for the project:

    Feature.enable(:security_policies_branch_type, Project.last)

  • Navigate to Repository > Branches and create the develop branch

  • Navigate to Secure > Policies and create the following scan result policy:

    type: scan_result_policy
name: Container Scanning
enabled: true
rules:
  - type: scan_finding
    branch_type: default
    scanners:
      - container_scanning
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states: []
actions:
  - type: require_approval
    approvals_required: 1
    user_approvers_ids:
      - 1

  • Open a new MR targeting the main branch

  • Verify that the MR requires Container Scanning approval

  • Open a new MR targeting the develop branch

  • Verify that the MR does not require approval

  • Navigate to Settings > Repository and in the Protected branches section, protect the develop branch

  • Navigate to Settings > Repository and in the Branch defaults section, change the default branch to develop

  • Verify that MR to develop requires approval and MR to main does not any more

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #406587 (closed)

Edited by Dominic Bauer

Merge request reports