
Apply any_merge_request policies in scope of target branch

What does this MR do and why?

This MR is a follow-up of !134642 (merged) and also correctly applies policies without approval rules (i.e. without approvers) to the target branch.

In order to do this, I had to fetch the policies using Gitaly, because we don't have the branches / branch_type information stored in the database yet. This is planned with #416260 (closed).

I tried to limit the scope by involving Gitaly only when we have policies without approvers.

How to set up and validate locally

  1. Enable the feature flag
    Feature.enable(:scan_result_any_merge_request)
  2. Go to Code -> Branches and create a new branch
  3. Go to Secure -> Policies and create a policy. Example YAML:
    type: scan_result_policy
    name: Settings override
    description: ''
    enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    approval_settings:
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: true
      remove_approvals_with_new_commit: true
      require_password_to_approve: true
  4. Create MR (for example from Web IDE), but change the target branch to the new branch created before
  5. The policy shouldn't be enforced (it should be possible to approve) and there shouldn't be any scan_result_policy_violations record in the database for this merge request
  6. Change the branch of existing MR to a protected one
  7. The policy should become enforced (the author should no longer be able to approve), a new record should appear in the scan_result_policy_violations table, and an approval should be required
  8. (optional) Change the policy to target the default branch_type and wait until the MRs are synced (there's a delay of 1 minute for the worker). Violations should only be saved for MRs targeting the default branch, not for any other protected branch
  9. (optional) Change the policy to target specific protected branches and wait until the MRs are synced (there's a delay of 1 minute for the worker). Violations should only be saved for MRs targeting one of the branches listed in the policy.
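The branch scoping exercised by steps 4 to 9 above, as an added example in Ruby. This is not GitLab's implementation (the MR reads branch information from Gitaly and persists violations through a worker); it is a standalone model with constructed inputs: a hypothetical project Hash with a default branch and a protected-branch list, the policy YAML from step 3 parsed with the standard library, and the helper names `rule_applies_to_target?`, `policy_enforced_for?` and `approval_allowed?`, which are assumptions made here. Glob matching for the `branches` list is also an assumption of this example.

```ruby
# Added example (not GitLab code): decide whether an any_merge_request
# scan result policy is in scope for a merge request's *target* branch,
# and whether the policy's approval_settings then block an approval.
require 'yaml'

# Constructed sample project (hypothetical): one default branch,
# three protected branches.
PROJECT = {
  default_branch: 'main',
  protected_branches: %w[main release/1.0 release/2.0]
}.freeze

# The policy from the validation steps, without approval rules (no approvers).
POLICY_YAML = <<~YAML
  type: scan_result_policy
  name: Settings override
  enabled: true
  rules:
    - type: any_merge_request
      branch_type: protected
      commits: any
  approval_settings:
    prevent_approval_by_author: true
    prevent_approval_by_commit_author: true
    remove_approvals_with_new_commit: true
    require_password_to_approve: true
YAML

# True when +rule+ applies to MRs whose target is +target_branch+.
#   branch_type: default   -> only the project's default branch
#   branch_type: protected -> any protected branch (the default branch included)
#   branches: [...]        -> only listed names; globs assumed (File.fnmatch)
# The *source* branch of the MR is deliberately ignored: scope is the target.
def rule_applies_to_target?(rule, target_branch, project)
  return false unless rule['type'] == 'any_merge_request'

  if rule.key?('branches')
    return Array(rule['branches']).any? { |pattern| File.fnmatch?(pattern, target_branch) }
  end

  case rule['branch_type']
  when 'default'   then target_branch == project[:default_branch]
  when 'protected' then project[:protected_branches].include?(target_branch)
  else false
  end
end

# A policy is enforced (and a violation would be recorded) only if it is
# enabled and at least one of its rules is in scope for the target branch.
def policy_enforced_for?(policy, target_branch, project)
  return false unless policy['enabled']

  Array(policy['rules']).any? { |rule| rule_applies_to_target?(rule, target_branch, project) }
end

# Applies prevent_approval_by_author only when the policy is in scope, so an
# author can still approve an MR that targets an unprotected branch (step 5)
# but not one retargeted at a protected branch (step 7).
def approval_allowed?(policy, target_branch, project, approver:, author:)
  return true unless policy_enforced_for?(policy, target_branch, project)

  settings = policy.fetch('approval_settings', {})
  return false if settings['prevent_approval_by_author'] && approver == author

  true
end

# Walks the MR through the branches used in the validation steps.
def demo
  policy = YAML.safe_load(POLICY_YAML)
  %w[feature/new release/1.0 main].to_h do |target|
    [target, {
      enforced: policy_enforced_for?(policy, target, PROJECT),
      author_can_approve: approval_allowed?(policy, target, PROJECT,
                                            approver: 'alice', author: 'alice')
    }]
  end
end

puts demo if __FILE__ == $PROGRAM_NAME
```

Retargeting the MR from the new (unprotected) branch to a protected one flips `enforced` from false to true and removes the author's ability to approve, which is the behaviour steps 5 and 7 check; switching the rule to `branch_type: default` or to an explicit `branches` list narrows the scope the same way steps 8 and 9 describe.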

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #418752 (closed)

Edited by Martin Čavoj
