Prevent policy bot message on non-applicable branches
What does this MR do and why?
This MR removes the policy bot message when there are no `scan_finding` or `license_scanning` rules applicable to the current branch.

Merge request approval policies are applied only to protected branches, and if there's an MR targeting a non-protected branch, we don't want the policy bot comment to be created, because the approvals will be filtered here and displayed as Optional.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Create a new project
- Create CI configuration:

```yaml
include:
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml

build-job:
  script:
    - echo "Compiling the code..."
    - echo "Compile complete."
```

- Go to Secure -> Policies and create a new policy. Example:

```yaml
type: approval_policy
name: Sec & Lic
description: ''
enabled: true
rules:
  - type: scan_finding
    scanners: []
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states: []
    branch_type: protected
  - type: license_finding
    match_on_inclusion: true
    license_types:
      - MIT License
    license_states:
      - newly_detected
    branch_type: protected
actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
      - developer
```
- Go to Code -> Branches and create a new `unprotected` branch from the `main` branch
- Create an MR which adds a violation and choose `unprotected` as the target branch. Example:

diff --git a/.env b/.env new file mode 100644 index 0000000000000000000000000000000000000000..ee4bf74ac3b632173dafc09e74ecd68c298bdfa1 --- /dev/null +++ b/.env @@ -0,0 +1 @@ +AWS_TOKEN=AKIAZYONPI3G4JNCCWGQ \ No newline at end of file diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000000000000000000000000000000000000..e5041aff4030dc9f8a00823551126c3ad4c315fe --- /dev/null +++ b/requirements.txt @@ -0,0 +1 @@ +pluggy==1.3.0 \ No newline at end of file
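Review bot: the `.env` hunk commits `AWS_TOKEN=AKIAZYONPI3G4JNCCWGQ` in plaintext, which is the intended trigger for the Secret-Detection template in this validation MR; confirm the value is an inert sample and not a live credential before pushing it to a shared instance. Both hunks also end with `\ No newline at end of file`; the scanners accept that, but adding the trailing newline keeps any later diff to these files clean.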
- Verify that no bot comment is created
- Change the target branch to `main`
- Verify that the bot comment is created
- Change the target branch again to `unprotected`
- Verify that the bot comment gets updated to "violations resolved"
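As an added illustration of the behaviour the description and validation steps above lay out (example code, not GitLab's own implementation), the following Ruby models the decision: a policy bot comment is only created when at least one `scan_finding` / `license_finding` rule applies to the MR target branch, and an existing comment is updated to "resolved" once no applicable rule is violated. The sample policy, the protected-branch list, the branch-type handling and the action symbols are assumptions made for the example.

```ruby
# Added example (not GitLab's own code): a simplified model of when a policy
# bot comment is created, updated or skipped, driven by whether any policy
# rule applies to the MR target branch. Branch-type handling, action names,
# the sample policy and the protected-branch list are assumptions.

# Hypothetical policy mirroring the YAML in the MR description: both rules
# carry branch_type: protected.
SAMPLE_POLICY = {
  name: "Sec & Lic",
  rules: [
    { type: "scan_finding", branch_type: "protected" },
    { type: "license_finding", branch_type: "protected" }
  ]
}.freeze

# Constructed list of protected branches for the sample project.
SAMPLE_PROTECTED_BRANCHES = ["main"].freeze

# A rule applies to the target branch when the branch matches the rule's
# selector: "protected" consults the project's protected-branch list, "all"
# matches every branch, and an explicit `branches` list is matched by name.
def rule_applies?(rule, target_branch, protected_branches)
  case rule[:branch_type]
  when "protected" then protected_branches.include?(target_branch)
  when "all" then true
  else Array(rule[:branches]).include?(target_branch)
  end
end

def applicable_rules(policy, target_branch, protected_branches)
  policy[:rules].select { |rule| rule_applies?(rule, target_branch, protected_branches) }
end

# Decide what the bot should do for one evaluation of the MR:
#   :skip                   nothing applicable is violated and no comment exists yet
#   :create_with_violations an applicable rule is violated and no comment exists yet
#   :update_with_violations an applicable rule is violated and a comment exists
#   :update_as_resolved     a comment exists but nothing applicable is violated
def bot_comment_action(policy, target_branch, protected_branches, existing_comment:, violations:)
  violated = violations && !applicable_rules(policy, target_branch, protected_branches).empty?
  if violated
    existing_comment ? :update_with_violations : :create_with_violations
  elsif existing_comment
    :update_as_resolved
  else
    :skip
  end
end

# Replays the retargeting sequence from the validation steps: the MR always
# contains a violation; only the target branch changes between evaluations.
def retarget_walkthrough(policy, protected_branches, targets = %w[unprotected main unprotected])
  existing = false
  targets.map do |target|
    action = bot_comment_action(policy, target, protected_branches,
                                existing_comment: existing, violations: true)
    existing = true if action == :create_with_violations
    action
  end
end

if __FILE__ == $PROGRAM_NAME
  p retarget_walkthrough(SAMPLE_POLICY, SAMPLE_PROTECTED_BRANCHES)
  # => [:skip, :create_with_violations, :update_as_resolved]
end
```

Running the file prints the three actions that correspond to the three verification steps: no comment while the MR targets `unprotected`, a comment once it targets `main`, and the "violations resolved" update after it is retargeted to `unprotected` again.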
Merge request reports
Activity
assigned to @mcavoj
Reviewer roulette

| Category | Reviewer | Maintainer |
|---|---|---|
| backend | @dbiryukov (UTC+1, same timezone as author) | @drew (UTC+0, 1 hour behind author) |
Please check reviewer's status!
Please refer to documentation page for guidance on how you can benefit from the Reviewer Roulette, or use the GitLab Review Workload Dashboard to find other available reviewers.
Sidekiq queue changes
This merge request contains changes to Sidekiq queues. Please follow the documentation on changing a queue's urgency.
These queues were added: `security_sync_policy_violation_comment`

If needed, you can retry the `danger-review` job that generated this comment. Generated by Danger.

- Resolved by Andy Schoenen
- Resolved by Andy Schoenen
- Resolved by Andy Schoenen
@sashi_kumar this MR should address the issue with bot comment for non-applicable branches that I mentioned in !141095 (comment 1734579119). Could you please have an initial look?
requested review from @sashi_kumar
changed milestone to %16.10
added bug::functional label
added group::security policies label
added Category:Security Policy Management, devops::govern, section::sec labels
E2E Test Result Summary
allure-report-publisher generated test report!

e2e-test-on-gdk: test report for 4b3f6a06

```text
+------------------------------------------------------------------+
|                          suites summary                          |
+-------------+--------+--------+---------+-------+-------+--------+
|             | passed | failed | skipped | flaky | total | result |
+-------------+--------+--------+---------+-------+-------+--------+
| Govern      | 65     | 0      | 1       | 0     | 66    | ✅     |
| Create      | 8      | 0      | 3       | 0     | 11    | ✅     |
| Data Stores | 2      | 0      | 0       | 0     | 2     | ✅     |
| Monitor     | 4      | 0      | 0       | 0     | 4     | ✅     |
| Plan        | 4      | 0      | 0       | 0     | 4     | ✅     |
| Package     | 0      | 0      | 1       | 0     | 1     | ➖     |
+-------------+--------+--------+---------+-------+-------+--------+
| Total       | 83     | 0      | 5       | 0     | 88    | ✅     |
+-------------+--------+--------+---------+-------+-------+--------+
```

e2e-package-and-test: test report for 4b3f6a06

```text
+------------------------------------------------------------------+
|                          suites summary                          |
+-------------+--------+--------+---------+-------+-------+--------+
|             | passed | failed | skipped | flaky | total | result |
+-------------+--------+--------+---------+-------+-------+--------+
| Govern      | 268    | 0      | 22      | 0     | 290   | ✅     |
| Create      | 148    | 0      | 24      | 4     | 172   | ✅     |
| Monitor     | 8      | 0      | 0       | 0     | 8     | ✅     |
| Plan        | 8      | 0      | 0       | 0     | 8     | ✅     |
| Data Stores | 4      | 0      | 0       | 0     | 4     | ✅     |
| Package     | 0      | 0      | 2       | 0     | 2     | ➖     |
+-------------+--------+--------+---------+-------+-------+--------+
| Total       | 436    | 0      | 48      | 4     | 484   | ✅     |
+-------------+--------+--------+---------+-------+-------+--------+
```
- Resolved by Andy Schoenen
@sashi_kumar, thanks for approving this merge request. This is the first time the merge request has been approved. To ensure we don't only run predictive pipelines, and we don't break `master`, a new pipeline will be started shortly. Please wait for the pipeline to start before resolving this discussion and set auto-merge for the new pipeline. See merging a merge request for more details.
added pipeline:mr-approved label
requested review from @Andysoiron and removed review request for @sashi_kumar
- Resolved by Andy Schoenen
enabled an automatic merge when the pipeline for b2e18cf5 succeeds
mentioned in commit c9b87474
added workflow::staging-canary label
added workflow::canary label and removed workflow::staging-canary label
added workflow::staging label and removed workflow::canary label
added workflow::production label and removed workflow::staging label
added workflow::post-deploy-db-staging label and removed workflow::production label
added workflow::post-deploy-db-production label and removed workflow::post-deploy-db-staging label
added released::candidate label
mentioned in merge request kubitus-project/kubitus-installer!2869 (merged)
added released::published label and removed released::candidate label
added pipeline::tier-3 label