
Apply fail-closed to any_merge_request rules

Martin Čavoj requested to merge 418752-fail-closed-any-merge-request into master

What does this MR do and why?

This MR extends fail-closed behavior to the new any_merge_request policy rules. If the rule cannot be enforced, action will be required and the rule will not be auto-approved.

The change in the behavior is done behind an existing feature flag scan_result_any_merge_request.

Screenshots or screen recordings

[Before and After screenshots not reproduced here]

How to set up and validate locally

  1. In the Rails console, enable the scan_result_any_merge_request feature flag:
    Feature.enable(:scan_result_any_merge_request)
  2. Create a policy with any_merge_request type and a single user approver. Sample YAML:
    type: scan_result_policy
    name: Test
    description: ''
    enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers_ids:
          - 20 # Replace with your user ID
  3. Block this user.
  4. Create an MR and verify that the rule can't be approved.
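The steps above exercise the fail-closed decision for an any_merge_request rule: the rule matches the MR, but its only approver is blocked, so it cannot be satisfied and must not silently pass. The following is an added, self-contained Ruby model of that decision, written for this page; it is not GitLab's implementation, and the MergeRequest struct, parse_policy, rule_applies? and evaluate_policy names are hypothetical. It parses the same sample YAML as the description, then shows the legacy auto-approve outcome next to the fail-closed outcome when every listed approver is blocked.

```ruby
require 'yaml'

# Constructed sample policy; same shape as the YAML in the MR description.
SAMPLE_POLICY_YAML = <<~YAML
  type: scan_result_policy
  name: Test
  description: ''
  enabled: true
  rules:
    - type: any_merge_request
      branch_type: protected
      commits: any
  actions:
    - type: require_approval
      approvals_required: 1
      user_approvers_ids:
        - 20
YAML

# Hypothetical MR shape: only the attributes the rule above needs.
MergeRequest = Struct.new(:target_branch_protected, :commit_count, keyword_init: true)

def parse_policy(yaml_text)
  YAML.safe_load(yaml_text)
end

# Does an any_merge_request rule match this MR?
# Only the branch_type/commits values used on this page are modelled;
# anything else is treated as not matching (assumption for this example).
def rule_applies?(rule, mr)
  return false unless rule['type'] == 'any_merge_request'

  branch_ok  = rule['branch_type'] == 'protected' && mr.target_branch_protected
  commits_ok = rule['commits'] == 'any' && mr.commit_count.positive?
  branch_ok && commits_ok
end

# Outcomes:
#   :not_applicable    rule does not match, nothing to enforce
#   :approval_required enough eligible approvers remain; MR waits for approval
#   :fail_closed       rule cannot be enforced (approvers blocked); MR stays
#                      blocked and action is required
#   :auto_approved     legacy behaviour when fail_closed is off: an
#                      unenforceable rule silently passes
def evaluate_policy(policy, mr, blocked_user_ids:, fail_closed: true)
  return { outcome: :not_applicable } unless policy['enabled']
  return { outcome: :not_applicable } unless policy.fetch('rules', []).any? { |r| rule_applies?(r, mr) }

  action = policy.fetch('actions', []).find { |a| a['type'] == 'require_approval' }
  return { outcome: :not_applicable } unless action

  # Blocked users cannot approve, so remove them from the approver pool.
  eligible = Array(action['user_approvers_ids']) - blocked_user_ids
  required = action.fetch('approvals_required', 1)
  result   = { eligible_approvers: eligible, approvals_required: required }

  if eligible.size >= required
    result.merge(outcome: :approval_required)
  elsif fail_closed
    result.merge(outcome: :fail_closed)
  else
    result.merge(outcome: :auto_approved)
  end
end

if __FILE__ == $PROGRAM_NAME
  policy = parse_policy(SAMPLE_POLICY_YAML)
  mr = MergeRequest.new(target_branch_protected: true, commit_count: 1)
  p evaluate_policy(policy, mr, blocked_user_ids: [20])                    # user 20 blocked, fail closed
  p evaluate_policy(policy, mr, blocked_user_ids: [20], fail_closed: false) # legacy: silently passes
  p evaluate_policy(policy, mr, blocked_user_ids: [])                       # approver available
end
```

The point of the comparison is the middle call: with fail_closed disabled, blocking the only approver turns a required approval into no approval at all, which is the gap the MR closes for any_merge_request rules.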

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #418752 (closed)
