Allow updates of protected branch with block_unprotecting_branches

What does this MR do and why?

This MR reverts some of the restrictions introduced in Let scan result policies prevent changes to pro... (!130653 - merged), as they went too far. We should only prevent users from unprotecting the branches, not prevent them from changing other protection settings such as Allowed to push, Allowed to merge, Code owner approval and Allowed to force push.

Screenshots or screen recordings

[Screenshots: Before (CleanShot_2023-11-08_at_19.04.13) / After (CleanShot_2023-11-08_at_19.02.38)]

Trying to circumvent the disabled button will still correctly prevent me from unprotecting the branch by raising 403:

[Screenshot: CleanShot_2023-11-08_at_19.07.39]

How to set up and validate locally

  1. Upload a GitLab Ultimate license
  2. Enable the feature flag:
     echo "Feature.enable(:scan_result_policies_block_unprotecting_branches)" | rails c
  3. Go to Project/Settings/Repository/Protected Branches (/settings/repository#js-protected-branches-settings)
  4. Protect a couple of branches; you should be able to unprotect them
  5. Go to Secure => Policies => New policy => Scan Result Policy
  6. Create the policy in rule mode to match the YAML below, or switch to YAML mode and use the policy as-is:
     type: scan_result_policy
     name: Container Scanning
     description: ''
     enabled: true
     actions:
     - type: require_approval
       approvals_required: 1
       user_approvers_ids:
       - 1
     rules:
     - type: scan_finding
       scanners:
       - container_scanning
       vulnerabilities_allowed: 0
       severity_levels: []
       vulnerability_states: []
       branch_type: protected
       branch_exceptions:
       - foobar # (name of an actual protected branch you want to exclude)
     approval_settings:
       block_unprotecting_branches: true
  7. Go back to the Protected Branches settings; the unprotect button should be disabled
  8. Change the other settings for the branch
  9. Expect that they are still changeable
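The behaviour the steps above validate can be summarised as a small decision rule: a policy with block_unprotecting_branches enabled rejects only the unprotect (destroy) action on protected branches it covers, while edits to the other protection attributes go through. The Ruby below is an added illustration of that rule written for this page, not GitLab's own implementation; the UnprotectGuard class, the action symbols and the sample policy document are hypothetical, and the YAML is a trimmed copy of the policy from the validation steps.

```ruby
require 'yaml'

# Constructed sample policy (a trimmed copy of the one in the validation steps).
SAMPLE_POLICY_YAML = <<~YAML
  type: scan_result_policy
  name: Container Scanning
  enabled: true
  rules:
  - type: scan_finding
    branch_type: protected
    branch_exceptions:
    - foobar
  approval_settings:
    block_unprotecting_branches: true
YAML

# Hypothetical model of the check (not GitLab's code): the policy may block
# the unprotect action only; every other protected-branch edit stays allowed.
class UnprotectGuard
  UNPROTECT_ACTION = :destroy
  # Settings that remain editable even when unprotecting is blocked.
  OTHER_ACTIONS = %i[
    update_push_access update_merge_access
    update_force_push update_code_owner_approval
  ].freeze

  def initialize(policies)
    @policies = policies
  end

  # Build a guard from one or more policy YAML documents.
  def self.from_yaml(*docs)
    new(docs.map { |doc| YAML.safe_load(doc) })
  end

  # true  => the request may proceed
  # false => reject it (the MR shows this as an HTTP 403)
  def allowed?(action:, branch_name:)
    return true unless action == UNPROTECT_ACTION

    !blocked_for?(branch_name)
  end

  private

  # A branch is blocked when any enabled policy has
  # block_unprotecting_branches and a protected-branch rule that does
  # not list the branch under branch_exceptions.
  def blocked_for?(branch_name)
    @policies.any? do |policy|
      next false unless policy['enabled']
      next false unless policy.dig('approval_settings', 'block_unprotecting_branches')

      Array(policy['rules']).any? do |rule|
        next false unless rule['branch_type'] == 'protected'

        # Exceptions may be plain names or hashes with a 'name' key.
        exceptions = Array(rule['branch_exceptions']).map do |entry|
          entry.is_a?(Hash) ? entry['name'] : entry
        end
        !exceptions.include?(branch_name)
      end
    end
  end
end

if $PROGRAM_NAME == __FILE__
  guard = UnprotectGuard.from_yaml(SAMPLE_POLICY_YAML)
  puts "unprotect main:     #{guard.allowed?(action: :destroy, branch_name: 'main')}"
  puts "unprotect foobar:   #{guard.allowed?(action: :destroy, branch_name: 'foobar')}"
  puts "edit push on main:  #{guard.allowed?(action: :update_push_access, branch_name: 'main')}"
end
```

Running the file prints false for unprotecting main, true for unprotecting the excepted branch foobar, and true for editing the push access of main, which is exactly the split this MR restores: the policy gates the unprotect action and nothing else.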

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #430718 (closed)

Edited by Martin Čavoj