
Sync any_merge_request rules regardless of pipelines

Martin Čavoj requested to merge 418752-any-mr-remove-approvals-no-scanners into master

What does this MR do and why?

This MR changes the logic that removes required approvals for any_merge_request rules.

Currently, the required approvals are removed for policy-compliant MRs only if there is a CI configuration and security scans are included in the pipeline (e.g. the template Jobs/Secret-Detection.gitlab-ci.yml).

Because any_merge_request rule approvals depend only on whether the MR's commits are signed or unsigned, this change removes the approvals immediately after a change to the MR, regardless of the pipeline setup.

The changes in this MR are done behind the feature flag scan_result_any_merge_request, which is disabled by default.

Screenshots or screen recordings

(Before/after screenshots: CleanShot_2023-10-12_at_12.15.50 and CleanShot_2023-10-12_at_12.26.22)

How to set up and validate locally

  1. In the Rails console, enable the feature flag:
    Feature.enable(:scan_result_any_merge_request)
  2. Create a policy targeting unsigned commits. Go to Policies -> New scan result policy -> .yaml mode. Example YAML:
    type: scan_result_policy
    name: Unsigned
    description: ''
    enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: unsigned
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers_ids:
          - 4
          - 1
    approval_settings:
      block_protected_branch_modification: true
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: true
      remove_approvals_with_new_commit: true
      require_password_to_approve: true
  3. Set up signed commits
  4. Create an MR with a signed commit
  5. Verify that the approvals for the policy rule are not required
  6. Add an unsigned commit (for example via the Web IDE)
  7. Verify that the approvals are required
  8. Force push so that only the signed commits are in the MR again
  9. Verify that the approvals are optional again
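The decision the validation steps exercise, as an added example that is not GitLab's own code: an any_merge_request rule from the policy above is evaluated against the MR's commits alone, with no pipeline or scan results consulted. The commit shape (`sha`/`signed` hashes), the `required_approvals` helper and its `target_branch_protected` argument are assumptions for this example; it also handles `commits: any`, the other value the rule type accepts.

```ruby
require 'yaml'

# Policy as created in step 2 (reduced to the fields the rule needs).
POLICY_YAML = <<~YAML
  type: scan_result_policy
  name: Unsigned
  enabled: true
  rules:
    - type: any_merge_request
      branch_type: protected
      commits: unsigned
  actions:
    - type: require_approval
      approvals_required: 1
YAML

def load_policy(yaml = POLICY_YAML)
  YAML.safe_load(yaml)
end

# Returns the number of approvals the policy requires for the MR (0 = optional).
#   policy  - parsed policy hash
#   commits - constructed MR commits: [{ 'sha' => '...', 'signed' => true/false }]
#   target_branch_protected - whether the MR targets a protected branch
# Note what is deliberately absent: no pipeline, no CI config, no scan jobs.
def required_approvals(policy, commits, target_branch_protected: true)
  return 0 unless policy['enabled']

  rule = Array(policy['rules']).find { |r| r['type'] == 'any_merge_request' }
  return 0 unless rule

  # branch_type: protected only applies to MRs targeting protected branches.
  return 0 if rule['branch_type'] == 'protected' && !target_branch_protected

  violated =
    case rule['commits']
    when 'unsigned' then commits.any? { |c| !c['signed'] } # steps 6-7
    when 'any'      then !commits.empty?
    else false
    end
  return 0 unless violated # steps 5 and 9: only signed commits left

  Array(policy['actions'])
    .select { |a| a['type'] == 'require_approval' }
    .sum { |a| a['approvals_required'].to_i }
end
```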

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #418752 (closed)

Edited by Martin Čavoj
