Check merge request's head_sha pipeline instead of latest
What does this MR do and why?
This change fixes the MR approval policy logic that checks latest?
on a merge request' pipeline. Calling latest?
can be misleading as it will return false for merged_results_pipeline
that ran on the recent commit of the MR.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Before | After |
---|---|
![]() |
![]() |
How to set up and validate locally
- Create a project with a security job that runs in merge request pipeline and a job with delay (to simulate the race condition) or Clone https://gitlab.com/gitlab-org/govern/security-policies/sashis-test-group/test-439061
- Enable Merged Results Pipeline from Settings -> Merge Requests -> Enable Merged Results Pipeline
- Create a scan result policy to require approval on newly detected vulnerabilities
- Create an MR and verify if the delay job is in the merged results pipeline. Also, verify if the pipeline has
latest
tag - Before the MR pipeline completes, create a new commit in the default branch.
- Check the MR pipeline that the
latest
tag is no longer visible. - After the MR pipeline completes, the approval is still enforced despite no new vulnerabilities introduced in the MR
Example Project https://gitlab.com/gitlab-org/govern/security-policies/sashis-test-group/test-439061
Addresses #439061 (closed)
Edited by Sashi Kumar Kumaresan