
When a security MR is rejected, cancel MWPS

Steve Abrams requested to merge delivery19801-cancel-mwps-on-unassign into master

What does this MR do and why?

When the MergeRequestsValidator evaluates a security MR and finds it is invalid, it unassigns the MR. One reason it may be invalid is a failing pipeline. The problem is, this could be a MWPS pipeline. If the pipeline is fixed without the MWPS being canceled, the MR could then be merged at a totally different time. In the context of a security release, this means we could have an MR merged after the release is complete. See gitlab-com/gl-infra/delivery#19801 (closed) for an example of what actually happened in a recent release.

To fix this problem, whenever an MR is evaluated as invalid, we should also cancel MWPS if it is set.

Related to gitlab-com/gl-infra/delivery#19801 (closed)

Testing

There is no easy way to test this against security issues because we don't want to cancel a MWPS. I did however test that the expected MR format will include the necessary attributes and also be accepted by the new cancel_merge_when_pipeline_succeeds method:

[12] pry(main)> client = ReleaseTools::Security::Client.new
=> #<ReleaseTools::Security::Client:0x0000000107d68550 @gitlab_client=#<Gitlab::Client:0x0000000107cc00a8 ...>>
[13] pry(main)> mr = client.merge_request(15642544, 3670)
=> #<Gitlab::ObjectifiedHash:217300...
[14] pry(main)> mr.merge_when_pipeline_succeeds
=> false
[15] pry(main)> ReleaseTools::GitlabClient.cancel_merge_when_pipeline_succeeds(mr)
=> #<Gitlab::ObjectifiedHash:217320 {hash: {"message"=>"Can't cancel the automatic merge", "status"=>"error", "http_status"=>406}}
[18] pry(main)> 2023-11-02 16:04:03.573732 D [dry-run] ReleaseTools::GitlabClient -- [HTTParty] [2023-11-02 16:04:03 -0600] 201 "POST https://gitlab.com/api/v4/projects/15642544/merge_requests/3670/cancel_merge_when_pipeline_succeeds" 81

Author Check-list

  • [-] Has documentation been updated?
Edited by Steve Abrams
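The behaviour the MR description asks for (on an invalid security MR, unassign it and, when merge-when-pipeline-succeeds is set, cancel the automatic merge) modelled as an added example. This is not release-tools code and not the author's implementation: the `FakeGitlabClient`, `SecurityMergeRequestValidator`, the project/MR ids and the "failed pipeline" check are all constructed stand-ins. The fake client returns the same 406 "Can't cancel the automatic merge" response shown in the testing notes when MWPS is not set, so the example also covers that edge case.

```ruby
# Added example (not release-tools code): validator that unassigns an
# invalid security MR and cancels MWPS when it is set.

# Constructed stand-in for the GitLab API client. Only the calls the
# example needs are implemented; `calls` records them for inspection.
class FakeGitlabClient
  attr_reader :calls

  def initialize(mrs)
    @mrs = mrs      # { [project_id, iid] => Hash } (constructed sample data)
    @calls = []
  end

  def merge_request(project_id, iid)
    @mrs.fetch([project_id, iid])
  end

  def unassign(project_id, iid)
    @calls << [:unassign, project_id, iid]
    @mrs.fetch([project_id, iid])[:assignees] = []
  end

  # Mirrors the API response seen in the MR's testing notes: cancelling
  # when MWPS is not set returns status "error" with http_status 406.
  def cancel_merge_when_pipeline_succeeds(project_id, iid)
    @calls << [:cancel_mwps, project_id, iid]
    mr = @mrs.fetch([project_id, iid])
    unless mr[:merge_when_pipeline_succeeds]
      return { "message" => "Can't cancel the automatic merge",
               "status" => "error", "http_status" => 406 }
    end
    mr[:merge_when_pipeline_succeeds] = false
    { "status" => "success" }
  end
end

class SecurityMergeRequestValidator
  def initialize(client)
    @client = client
  end

  # Simplified validity check: the MR text names a failing pipeline as one
  # reason an MR is invalid, and that is the only rule modelled here.
  def invalid_reasons(mr)
    reasons = []
    reasons << :pipeline_failed if mr[:pipeline_status] == "failed"
    reasons
  end

  # Validate an MR; on failure unassign it and cancel MWPS if it is set so a
  # later pipeline fix cannot auto-merge it after the release is done.
  def validate!(project_id, iid)
    mr = @client.merge_request(project_id, iid)
    reasons = invalid_reasons(mr)
    return { valid: true, reasons: [], mwps_cancelled: false } if reasons.empty?

    @client.unassign(project_id, iid)
    cancelled = false
    if mr[:merge_when_pipeline_succeeds]
      resp = @client.cancel_merge_when_pipeline_succeeds(project_id, iid)
      cancelled = resp["status"] == "success"
    end
    { valid: false, reasons: reasons, mwps_cancelled: cancelled }
  end
end

# Constructed sample: one invalid MR with MWPS set, one invalid MR without
# MWPS, and one valid MR. Project id and iids are made up.
PROJECT_ID = 100

def build_example_client
  FakeGitlabClient.new(
    [PROJECT_ID, 1] => { pipeline_status: "failed", merge_when_pipeline_succeeds: true,  assignees: ["dev"] },
    [PROJECT_ID, 2] => { pipeline_status: "failed", merge_when_pipeline_succeeds: false, assignees: ["dev"] },
    [PROJECT_ID, 3] => { pipeline_status: "success", merge_when_pipeline_succeeds: true, assignees: ["dev"] }
  )
end

if $PROGRAM_NAME == __FILE__
  client = build_example_client
  validator = SecurityMergeRequestValidator.new(client)
  [1, 2, 3].each { |iid| p validator.validate!(PROJECT_ID, iid) }
  p client.calls
end
```

Running the file prints the three validation results and the recorded client calls; the MR with MWPS set is unassigned and has its automatic merge cancelled, the MR without MWPS is only unassigned (no cancel call is issued, so the 406 response never arises in normal flow), and the valid MR is left untouched.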
