Skip to content

Prevent update of default branch if block_unprotecting_branches is set

Sashi Kumar Kumaresan requested to merge sk/430718-block-default-branch-change into master

What does this MR do and why?

This MR prevents updating the default branch of a project if block_unprotecting_branches setting is set in Scan Result Policies. The feature is still behind a feature flag: scan_result_policies_block_unprotecting_branches

Addresses #430304 (closed)

Screenshots or screen recordings

Screenshot_2023-11-07_at_4.33.46_PM

How to set up and validate locally

  1. Enable the feature flag
echo "Feature.enable(:scan_result_policies_block_unprotecting_branches)" | rails c
  1. Go to Project -> Settings -> Repository -> Branch defaults -> Make main the default branch
  2. Go to Project -> Code -> Branches -> Create a new branch
  3. Go to Secure -> Policies -> New policy -> Scan Result Policy
  4. Go to yaml mode
  5. Use this policy:
type: scan_result_policy
name: Require approval for vulnerabilities
description: ''
enabled: true
rules:
  - type: scan_finding
    scanners: []
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states: []
    branch_type: protected
actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
      - maintainer
      - developer
approval_settings:
  block_unprotecting_branches: true
  1. Save the policy
  2. Go the Project -> Settings -> Repository -> Branch defaults
  3. Update the default branch and verify the error message

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Sashi Kumar Kumaresan

Merge request reports