
Note warn-mode approval setting overrides in bot comment

What does this MR do and why?

We are working on warn mode for merge request approval policies (&15552).

When a policy sets enforcement_type: warn and sets approval_settings that are more restrictive than a project's approval settings (as inherited by parent groups and itself), the security policy bot comment should contain a section that notes which policies are more restrictive:

  • Also include a note regarding any settings that are non-compliant per the policy.

How to set up and validate locally

Enable the feature flag: echo "Feature.enable(:security_policy_approval_warn_mode)" | rails c

  1. Create a new project
  2. Navigate to Settings > Merge requests, and under Approval settings, tick only the following checkboxes:
    • Prevent approvals by users who add commits
    • Require user re-authentication (password or SAML) to approve
  3. Select Keep approvals for When a commit is added
  4. Click Save changes
  5. Navigate to Secure > Policies and create the following Merge request approval policies:
approval_policy:
  - name: Warn Mode Policy A
    enabled: true
    enforcement_type: warn
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - owner
      - type: send_bot_message
        enabled: true
    approval_settings:
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: true
      remove_approvals_with_new_commit: true
      require_password_to_approve: true
approval_policy:
  - name: Warn Mode Policy B
    enabled: true
    enforcement_type: warn
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - owner
      - type: send_bot_message
        enabled: true
    approval_settings:
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: false
      remove_approvals_with_new_commit: true
      require_password_to_approve: false
  6. Open a new merge request targeting the default branch
  7. Verify that the policy bot comment contains the following segment:

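As an added example (not this MR's code and not GitLab's implementation) of the comparison the bot comment section needs, the block below takes the project approval settings from the setup steps and the two warn-mode policies and returns, per policy, the settings it switches on that the project leaves off. It assumes "more restrictive" means exactly that, and that inherited group settings have already been folded into the project settings hash.

```ruby
# Added illustration (not GitLab's implementation): find the approval settings
# that a warn-mode policy enforces more strictly than the project does.
require 'yaml'
# Project settings from the setup steps above: "keep approvals" means approvals
# are not removed when a commit is added.
PROJECT_SETTINGS = {
  'prevent_approval_by_author' => false,
  'prevent_approval_by_commit_author' => true,
  'remove_approvals_with_new_commit' => false,
  'require_password_to_approve' => true
}.freeze
# Constructed copy of the two policies above, trimmed to the fields compared here.
POLICY_YAML = <<~YAML
  approval_policy:
    - name: Warn Mode Policy A
      enforcement_type: warn
      approval_settings:
        prevent_approval_by_author: true
        prevent_approval_by_commit_author: true
        remove_approvals_with_new_commit: true
        require_password_to_approve: true
    - name: Warn Mode Policy B
      enforcement_type: warn
      approval_settings:
        prevent_approval_by_author: true
        prevent_approval_by_commit_author: false
        remove_approvals_with_new_commit: true
        require_password_to_approve: false
YAML

# Returns { policy_name => [setting, ...] } for each warn-mode policy that
# switches on a restriction the project leaves off. A policy value of false
# never loosens a project setting, so only true values are compared.
def stricter_warn_mode_settings(policies, project_settings)
  policies.each_with_object({}) do |policy, result|
    next unless policy['enforcement_type'] == 'warn'
    stricter = (policy['approval_settings'] || {}).select do |key, value|
      value == true && !project_settings.fetch(key, false)
    end.keys
    result[policy['name']] = stricter unless stricter.empty?
  end
end

# One line per non-compliant policy, as the bot comment section would list them.
def warn_mode_note_lines(policies, project_settings)
  stricter_warn_mode_settings(policies, project_settings).map do |name, keys|
    "- #{name}: #{keys.join(', ')}"
  end
end
```

With the settings from the steps above, both policies are reported for prevent_approval_by_author and remove_approvals_with_new_commit, since the project has neither enabled.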
MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #563868

Edited by Dominic Bauer
