
Add source and target branches to branch_exceptions

What does this MR do and why?

MR approval policies ensure that code changes to protected/default branches are properly reviewed, do not contain vulnerabilities, and it's not possible to circumvent the secure/compliant workflow. However, there are exception cases that disrupt day-to-day operations, such as the GitFlow model, where MRs are created from the default branch to a release branch.

If a merge request approval policy is specified in a top-level group with prevent_approval_by_commit_author set to true, there is a case where, when users attempt to merge from certain branches to another, the number of eligible approvers approaches nil and it's challenging to get the merge completed. An exception for source branches could provide more flexibility for particular workflows. The flow here would involve requiring approvals on changes to main, but when users go to create a tagged release branch, such as release/v2, there are no longer any users (or very few users) available to approve the merge who haven't contributed. To mitigate this, users can determine the source and target branch and set an exception to allow for these scenarios.

This MR updates the branch_exceptions of MR approval policy rules to include source and target branches so that the approval can be ignored for specific cases.

approval_policy:
  - name: Any MR Rules
    description: ''
    enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        branch_exceptions:
          - source:
              name: test-2
            target:
              name: main
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - maintainer
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - developer
      - type: require_approval
        approvals_required: 1
        user_approvers_ids:
          - 58
      - type: send_bot_message
        enabled: true
    approval_settings:
      block_branch_modification: true
      prevent_pushing_and_force_pushing: true
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: true
      remove_approvals_with_new_commit: true
      require_password_to_approve: false
    fallback_behavior:
      fail: closed


How to set up and validate locally

  • Create a project
  • Create an MR approval policy by editing in the YAML editor:
approval_policy:
  - name: Any MR Rules
    description: ''
    enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        branch_exceptions:
          - source:
              name: release
            target:
              name: main
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - maintainer
      - type: send_bot_message
        enabled: true
    approval_settings:
      block_branch_modification: true
      prevent_pushing_and_force_pushing: true
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: true
      remove_approvals_with_new_commit: true
      require_password_to_approve: false
    fallback_behavior:
      fail: closed
  • Enable the approval_policy_branch_exceptions feature flag for the security policy project
  • Create a branch (release)
  • Create an MR with release as the source branch and main as the target branch and observe that the approval is not required
  • Create an MR with another branch and observe that the approval is required

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Addresses #543744 (closed)

Edited by Sashi Kumar Kumaresan
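
The validation steps above, modelled as an added Ruby example (not code from this MR or from GitLab): it checks which source/target pairs a policy exempts, so a reviewer can audit every path that skips approval. It assumes exact branch-name matching on both sides and a target already covered by the rule; the function names are hypothetical.

```ruby
require "yaml"

# Constructed sample, trimmed from the policy used in the validation steps.
POLICY_YAML = <<~POLICY
  approval_policy:
    - name: Any MR Rules
      enabled: true
      rules:
        - type: any_merge_request
          branch_type: protected
          branch_exceptions:
            - source:
                name: release
              target:
                name: main
          commits: any
POLICY

# Returns the configured branch name, or "" when the side is missing or malformed.
def branch_name(side)
  side.is_a?(Hash) ? side["name"].to_s : ""
end

# Assumption: an exception applies only when BOTH names match exactly.
# An entry missing either side never matches, so it cannot waive approvals.
def exception_matches?(exception, source_branch, target_branch)
  return false unless exception.is_a?(Hash)
  src = branch_name(exception["source"])
  tgt = branch_name(exception["target"])
  return false if src.empty? || tgt.empty?
  src == source_branch && tgt == target_branch
end

# True when at least one enabled rule still demands approval for this MR.
def approval_required?(policy_yaml, source_branch, target_branch)
  policies = YAML.safe_load(policy_yaml).fetch("approval_policy", [])
  policies.select { |p| p["enabled"] }.any? do |policy|
    policy.fetch("rules", []).any? do |rule|
      Array(rule["branch_exceptions"]).none? { |e| exception_matches?(e, source_branch, target_branch) }
    end
  end
end

# Audit helper: every [source, target] pair that bypasses the approval rule.
def exempt_pairs(policy_yaml)
  YAML.safe_load(policy_yaml).fetch("approval_policy", []).flat_map do |policy|
    policy.fetch("rules", []).flat_map do |rule|
      Array(rule["branch_exceptions"]).grep(Hash).map { |e| [branch_name(e["source"]), branch_name(e["target"])] }
    end
  end
end
```

In this model the exception is directional: release into main is exempt, but main into release and any other source into main still require approval.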
