
Add HMAC header to dispatch service

What does this MR do and why?

  • In a merge request whose project contains external approval rules, sends a standard webhook payload to the endpoints on every change of the MR.
  • If shared_secret is provided, an HMAC has to be sent with the X-GitLab-Signature header.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Create a new external approval rule on that project using the REST API. You should set the external_url field to a service that you can see. You might want to use RequestBin to do this. Configure one external status check with shared_secret.
  2. Open a merge request on the project. Check that the payload has been sent to RequestBin.
  3. Edit a merge request. Check again for another payload.
  4. Push new code to HEAD of the source branch of the merge request. Check again.

The payload should include the same data as a merge request webhook, with the addition of an external_approval_rule key.

Related to #433035 (closed)

Edited by Artur Fedorov
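
For the validation steps above, a receiver-side check of the X-GitLab-Signature header, as an added example that is not part of this merge request or GitLab's code. It assumes HMAC-SHA256 over the raw request body, sent as a hex digest (the description does not state the algorithm or encoding); the function names, secret and sample payload are constructed.

```ruby
require 'openssl'
require 'json'

# Assumed, not stated in the MR description: HMAC-SHA256 over the raw
# request body, transmitted as a hex digest.
DIGEST = 'sha256'
SIGNATURE_HEADER = 'x-gitlab-signature' # header name from the MR description

# Sender side under the assumptions above (hypothetical helper).
def sign_payload(shared_secret, raw_body)
  OpenSSL::HMAC.hexdigest(DIGEST, shared_secret, raw_body)
end

# Receiver side (hypothetical helper).
# headers: Hash of header name => value; names are matched case-insensitively.
# Returns :ok, :missing_signature or :bad_signature.
def verify_status_check(headers, raw_body, shared_secret)
  pair = headers.find { |name, _| name.to_s.downcase == SIGNATURE_HEADER }
  given = pair && pair[1].to_s.strip
  # With a secret configured, an unsigned request must be rejected;
  # otherwise dropping the header would bypass the check.
  return :missing_signature if given.nil? || given.empty?

  expected = sign_payload(shared_secret, raw_body)
  # Constant-time comparison so response timing does not leak digest bytes.
  OpenSSL.secure_compare(expected, given.downcase) ? :ok : :bad_signature
end

# Constructed sample data, not captured from GitLab.
SECRET = 'constructed-shared-secret'
RAW_BODY = '{"object_kind":"merge_request","external_approval_rule":{"id":1,"name":"constructed"}}'
HEADERS = { 'X-GitLab-Signature' => sign_payload(SECRET, RAW_BODY) }

if __FILE__ == $PROGRAM_NAME
  # Signed request, verified against the bytes as received.
  puts verify_status_check(HEADERS, RAW_BODY, SECRET)
  # Header stripped in transit or never sent.
  puts verify_status_check({}, RAW_BODY, SECRET)
  # Body parsed and re-serialized before verification: the bytes differ,
  # so the digest no longer matches even though the JSON is equivalent.
  reserialized = JSON.pretty_generate(JSON.parse(RAW_BODY))
  puts verify_status_check(HEADERS, reserialized, SECRET)
end
```

The receiver has to verify against the exact bytes it received, before any JSON parsing or framework normalization touches the body.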
