Improve the bot message disabling with multiple policies

What does this MR do and why?

Check if the bot message can be disabled by cross-referencing the violated policies. Non-violated policies shouldn't contribute to the decision whether the bot comment can be skipped.

This allows reducing noise from the bot comment for any_merge_request policies with send_bot_message: false while keeping the bot message active for other policies, such as for critical vulnerabilities.

How to set up and validate locally

  1. Create a project
  2. Create two policies:
    approval_policy:
    - name: Critical
      description: ''
      enabled: true
      rules:
      - type: scan_finding
        scanners: []
        vulnerabilities_allowed: 0
        severity_levels:
        - critical
        vulnerability_states: []
        branch_type: protected
      actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
        - maintainer
        - owner
      - type: send_bot_message
        enabled: true
      approval_settings:
        block_branch_modification: false
        prevent_pushing_and_force_pushing: false
        prevent_approval_by_author: false
        prevent_approval_by_commit_author: false
        remove_approvals_with_new_commit: false
        require_password_to_approve: false
      fallback_behavior:
        fail: closed
    - name: Protected branch approval
      description: ''
      enabled: true
      rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
      actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
        - owner
        - maintainer
      - type: send_bot_message
        enabled: false
      approval_settings:
        block_branch_modification: false
        prevent_pushing_and_force_pushing: false
        prevent_approval_by_author: false
        prevent_approval_by_commit_author: false
        remove_approvals_with_new_commit: false
        require_password_to_approve: false
      fallback_behavior:
        fail: closed
    
  3. Create an MR
  4. Verify that the bot message is not posted for the any_merge_request policy
  5. Update the MR by adding a new critical finding violation
  6. Verify that the bot message is posted for the critical finding violation

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #549026 (closed)
