Handle RecordInvalid in SyncProjectPolicyWorker

What does this MR do and why?

This MR adds error handling for ActiveRecord::RecordInvalid exceptions in Security::SyncProjectPolicyWorker by leveraging Sidekiq's sidekiq_retry_in callback. When a RecordInvalid error occurs (e.g., Validation failed: Rule idx has already been taken), it indicates that the policy index stored in the database (security_policies and scan_result_policy_reads tables) has drifted out of sync with the YAML definition. Instead of retrying the same failing job, the worker now triggers a force resync by enqueuing a new job with a Security::PolicyResyncEvent, which performs a full re-synchronization of the policy to resolve the inconsistency.

To prevent an infinite re-enqueue loop, the handler checks whether the current job is already a PolicyResyncEvent. If so, it discards the job immediately rather than enqueuing yet another resync.

Problem

This issue is very rare and stems from an older problem with a background migration that backfills the policy index. In certain edge cases, the backfill left inconsistent rule_idx values in the database, causing subsequent policy sync operations to fail with ActiveRecord::RecordInvalid (Validation failed: Rule idx has already been taken) when attempting to create rules that conflict with the stale backfilled data.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #580166 (closed)

Edited by Sashi Kumar Kumaresan
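
The loop guard described in the MR, as an added plain-Ruby sketch (not GitLab's worker code): `retry_decision` takes the same arguments as a `sidekiq_retry_in` block plus an in-memory queue, and two constructed scenarios show that the chain ends after at most one resync. The class and constant stand-ins, the job hash shape, and the `OtherEvent` name are assumptions for illustration.

```ruby
# Added illustration; stand-ins only, not GitLab's worker code.
# Assumption: each job is a hash naming the event that triggered it.
class RecordInvalid < StandardError; end   # stand-in for ActiveRecord::RecordInvalid

RESYNC_EVENT = "PolicyResyncEvent"         # stand-in for Security::PolicyResyncEvent

# Same argument order as a sidekiq_retry_in block: (retry_count, exception, job).
# Returns :discard to stop retrying, or nil to fall back to the default backoff.
def retry_decision(_count, exception, job, queue)
  return nil unless exception.is_a?(RecordInvalid)

  # Loop guard: a resync that itself fails validation is dropped, never re-enqueued.
  unless job["event"] == RESYNC_EVENT
    queue << { "project_id" => job["project_id"], "event" => RESYNC_EVENT }
  end
  :discard
end

# Minimal in-memory runner: pops jobs, runs the worker body, records the decision.
# Ordinary retries are only logged here, not re-run.
def drain(queue, max_steps: 20)
  log = []
  steps = 0
  until queue.empty?
    raise "runaway re-enqueue loop" if (steps += 1) > max_steps
    job = queue.shift
    begin
      yield job
      log << [job["event"], :ok]
    rescue StandardError => e
      log << [job["event"], retry_decision(0, e, job, queue) || :retry]
    end
  end
  log
end

# Constructed scenario 1: the full resync repairs the drifted index.
def resync_fixes_drift
  queue = [{ "project_id" => 1, "event" => "OtherEvent" }]
  drain(queue) { |job| raise RecordInvalid, "Rule idx has already been taken" unless job["event"] == RESYNC_EVENT }
end

# Constructed scenario 2: even the resync fails; the guard must end the chain.
def resync_also_fails
  queue = [{ "project_id" => 1, "event" => "OtherEvent" }]
  drain(queue) { |_job| raise RecordInvalid, "Rule idx has already been taken" }
end
```

In the second scenario the resync job is discarded without a further enqueue, so a project whose index cannot be repaired produces exactly two job executions rather than an unbounded chain.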
