
Prevent delete protected branches via security policies

What does this MR do and why?

This prevents the deletion of a protected branch at the project level when a security policy enables the block_unprotecting_branches setting, as described in #420728 (closed).

Note: This MR only addresses the backend changes. I suggested hiding the Delete protected branch button here to avoid confusion.

How to set up and validate locally

  1. Enable the feature flag Feature.enable(:scan_result_policies_block_unprotecting_branches)
  2. Create a project
  3. Create a scan result policy via Secure -> Policies -> New policy
  4. Switch to .yaml mode and paste the following yaml:
    type: scan_result_policy
    name: Container Scanning
    description: ''
    enabled: true
    rules:
      - type: scan_finding
        scanners:
          - container_scanning
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states: []
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers_ids:
          - 1
    approval_settings:
      block_unprotecting_branches: true
  5. Select Configure with a merge request and merge the MR
  6. Create a new branch on the project
  7. Make the branch protected via Settings -> Repository -> Protected branches
  8. Go to Code -> Branches and try to delete the protected branch
  9. This should fail with an error message saying: "Deleting protected branches is blocked by security policies"
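To make the backend rule from the steps above concrete, here is an added illustration (not GitLab's own code) of the decision a branch-deletion service would make: parse the scan result policy YAML from step 4, check whether any enabled policy sets approval_settings.block_unprotecting_branches, and refuse to delete a branch that matches a protected-branch pattern. The helper names, the use of File.fnmatch for wildcard protected branches, and the sample policy are assumptions made for this example.

```ruby
require 'yaml'

# Constructed sample policy, same shape as the YAML pasted in step 4 above.
POLICY_YAML = <<~YAML
  type: scan_result_policy
  name: Container Scanning
  enabled: true
  rules:
    - type: scan_finding
      scanners:
        - container_scanning
      vulnerabilities_allowed: 0
      branch_type: protected
  actions:
    - type: require_approval
      approvals_required: 1
  approval_settings:
    block_unprotecting_branches: true
YAML

# Error message from step 9 of the validation procedure.
BLOCKED_MESSAGE = 'Deleting protected branches is blocked by security policies'

# Hypothetical helper: true if any enabled scan result policy sets
# approval_settings.block_unprotecting_branches.
def deletion_blocked_by_policies?(policies)
  policies.any? do |policy|
    policy['type'] == 'scan_result_policy' &&
      policy['enabled'] == true &&
      policy.dig('approval_settings', 'block_unprotecting_branches') == true
  end
end

# Hypothetical helper: protected-branch entries may be exact names or
# wildcard patterns such as "release/*"; File.fnmatch is assumed here as
# the matcher (without FNM_PATHNAME, "*" also matches "/").
def protected_branch?(branch_name, protected_patterns)
  protected_patterns.any? { |pattern| File.fnmatch(pattern, branch_name) }
end

# Hypothetical pre-deletion check: returns nil when the deletion may proceed,
# or the error message when a protected branch is shielded by a policy.
def branch_deletion_error(branch_name, protected_patterns, policies)
  return nil unless protected_branch?(branch_name, protected_patterns)
  return nil unless deletion_blocked_by_policies?(policies)

  BLOCKED_MESSAGE
end

policies = [YAML.safe_load(POLICY_YAML)]
puts branch_deletion_error('release/1.0', ['main', 'release/*'], policies)
```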

Screenshots

Screenshot: Screenshot_2023-09-25_at_11.37.10 (image not included on this page)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #420728 (closed)

Edited by Andy Schoenen
