Apply scan result policies to existing open MRs
What does this MR do and why?
Currently, scan approval policies only apply to newly created or updated merge requests.
This MR changes this and applies scan approval policies to all opened merge requests.
This happens:
- Periodically by CreateOrchestrationPolicyWorker
- Once a merge request is merged by MergeRequests::PostMergeService
How to set up and validate locally
- Create a new project
- Push a new branch and open a merge request.
- Navigate to Security & Compliance > Policies, click New Policy
- Create a new Scan result policy
- Merge the resulting Update scan policies MR on the security policy project
- Verify the policy was applied to the MR:
    project = Project.last(2).first # last one is the security policy project
    project.merge_requests.first.approval_rules.scan_finding # => [...]
- Create another policy and verify it was applied:
    project.merge_requests.first.approval_rules.scan_finding.count # => 2
- Edit and delete policies and verify the MR approval rule attributes change accordingly
New queries
-- /ee/app/workers/concerns/update_orchestration_policy_configuration.rb:23
DELETE FROM
"approval_merge_request_rules"
WHERE
"approval_merge_request_rules"."id" IN(
SELECT
"approval_merge_request_rules"."id"
FROM
"approval_merge_request_rules"
INNER JOIN "merge_requests" ON "approval_merge_request_rules"."merge_request_id" = "merge_requests"."id"
WHERE
"merge_requests"."target_project_id" = 35549088
AND "approval_merge_request_rules"."report_type" = 4
)
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #364841 (closed)
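The console steps above only inspect the first merge request, while the change is meant to cover every open one. The following query is an added example, not part of this MR or of GitLab's code: it lists each open MR in the project with its number of scan_finding rules. It assumes PostgreSQL, that `merge_requests.state_id = 1` means opened, and that `approvals_required` is the rule's required-approval count; the project id and `report_type = 4` are taken from the DELETE query above.

```sql
-- Added example: coverage check for scan result policy rules on open MRs.
-- Rows with scan_finding_rules = 0 are open MRs that no policy rule reached.
SELECT
  mr.iid                    AS merge_request_iid,
  COUNT(r.id)               AS scan_finding_rules,
  MIN(r.approvals_required) AS lowest_approvals_required  -- NULL when no rule exists
FROM merge_requests mr
LEFT JOIN approval_merge_request_rules r
       ON r.merge_request_id = mr.id
      AND r.report_type = 4               -- same report_type as in the DELETE query above
WHERE mr.target_project_id = 35549088     -- project id from the query above; substitute your own
  AND mr.state_id = 1                     -- assumption: 1 = opened
GROUP BY mr.iid
ORDER BY scan_finding_rules, mr.iid;
```

After creating the second policy in the steps above, every row should report 2 in `scan_finding_rules`.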