Commit 11f028b6 authored by Craig Norris's avatar Craig Norris

Merge branch '324948-aqualls-approval-rules-rewrite' into 'master'

Revise merge request approvals rule page, CTRT

See merge request gitlab-org/gitlab!60759
parents 51c585e9 72f7f959
...@@ -87,7 +87,7 @@ The `ApprovalState` model get these records when approval rules are not ...@@ -87,7 +87,7 @@ The `ApprovalState` model get these records when approval rules are not
overwritten. overwritten.
The `protected_branches` attribute is set and used when a rule is scoped to The `protected_branches` attribute is set and used when a rule is scoped to
protected branches. See [Scoped to Protected Branch doc](../user/project/merge_requests/approvals/rules.md#scoped-to-protected-branch) protected branches. See [Approvals for protected branches](../user/project/merge_requests/approvals/rules.md#approvals-for-protected-branches)
for more information about the feature. for more information about the feature.
### `ApprovalMergeRequestRule` ### `ApprovalMergeRequestRule`
......
...@@ -156,7 +156,7 @@ rating. ...@@ -156,7 +156,7 @@ rating.
### Enabling Security Approvals within a project ### Enabling Security Approvals within a project
To enable the `Vulnerability-Check` or `License-Check` Security Approvals, a [project approval rule](../project/merge_requests/approvals/rules.md#adding--editing-a-default-approval-rule) To enable the `Vulnerability-Check` or `License-Check` Security Approvals, a [project approval rule](../project/merge_requests/approvals/rules.md#add-an-approval-rule)
must be created. A [security scanner job](#security-scanning-tools) must be enabled for must be created. A [security scanner job](#security-scanning-tools) must be enabled for
`Vulnerability-Check`, and a [license scanning](../compliance/license_compliance/index.md#configuration) `Vulnerability-Check`, and a [license scanning](../compliance/license_compliance/index.md#configuration)
job must be enabled for `License-Check`. When the proper jobs aren't configured, the following job must be enabled for `License-Check`. When the proper jobs aren't configured, the following
......
...@@ -67,7 +67,7 @@ in your project's settings. ...@@ -67,7 +67,7 @@ in your project's settings.
If you enable [approval rule overrides](settings.md#prevent-overriding-default-approvals), If you enable [approval rule overrides](settings.md#prevent-overriding-default-approvals),
merge requests created before a change to default approval rules are not affected. merge requests created before a change to default approval rules are not affected.
The only exceptions are changes to the [target branch](rules.md#scoped-to-protected-branch) The only exceptions are changes to the [target branch](rules.md#approvals-for-protected-branches)
of the rule. of the rule.
## Optional approvals ## Optional approvals
...@@ -117,6 +117,11 @@ You can modify your external approval rules ...@@ -117,6 +117,11 @@ You can modify your external approval rules
The lack of an external approval doesn't block the merging of a merge request. The lack of an external approval doesn't block the merging of a merge request.
When [approval rule overrides](settings.md#prevent-overriding-default-approvals) are allowed,
changes to default approval rules will **not** be applied to existing
merge requests, except for changes to the [target branch](rules.md#approvals-for-protected-branches)
of the rule.
To learn more about use cases, feature discovery, and development timelines, To learn more about use cases, feature discovery, and development timelines,
see the [External API approval rules epic](https://gitlab.com/groups/gitlab-org/-/epics/3869). see the [External API approval rules epic](https://gitlab.com/groups/gitlab-org/-/epics/3869).
......
...@@ -7,201 +7,226 @@ type: reference, concepts ...@@ -7,201 +7,226 @@ type: reference, concepts
# Merge request approval rules # Merge request approval rules
Approval rules define how many approvals a merge request must receive before it can Approval rules define how many [approvals](index.md) a merge request must receive before it can
be merged, and optionally which users should do the approving. Approvals can be defined: be merged, and which users should do the approving. You can define approval rules:
- [As project defaults](#adding--editing-a-default-approval-rule). - [As project defaults](#add-an-approval-rule).
- [Per merge request](#editing--overriding-approval-rules-per-merge-request). - [Per merge request](#edit-or-override-merge-request-approval-rules).
- [At the instance level](../../../admin_area/merge_requests_approvals.md)
If no approval rules are defined, any user can approve a merge request. However, the default If you don't define a [default approval rule](#add-an-approval-rule),
minimum number of required approvers can still be set in the any user can approve a merge request. Even if you don't define a rule, you can still
[settings for merge request approvals](settings.md). enforce a [minimum number of required approvers](settings.md) in the project's settings.
You can opt to define one single rule to approve a merge request among the available rules You can define a single rule to approve merge requests from among the available
or choose more than one with [multiple approval rules](#multiple-approval-rules). rules, or you can select [multiple approval rules](#add-multiple-approval-rules).
NOTE: Merge requests that target a different project, such as from a fork to the upstream project,
On GitLab.com, you can add a group as an approver if you're a member of that group or the use the default approval rules from the target (upstream) project, not the source (fork).
group is public.
## Eligible Approvers ## Add an approval rule
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10294) in GitLab 13.3, when an eligible approver comments on a merge request, it appears in the **Commented by** column of the Approvals widget. To add a merge request approval rule:
The following users can approve merge requests: 1. Go to your project and select **Settings > General**.
1. Expand **Merge request (MR) approvals**, and then select **Add approval rule**.
1. Add a human-readable **Rule name**.
1. Set the number of required approvals in **Approvals required**. A value of `0` makes
[the rule optional](#configure-optional-approval-rules), and any number greater than `0`
creates a required rule.
1. To add users or groups as approvers, search for users or groups that are
[eligible to approve](#eligible-approvers), and select **Add**. GitLab suggests approvers based on
previous authors of the files changed by the merge request.
- Users who have been added as approvers at the project or merge request levels with NOTE:
developer or higher [permissions](../../../permissions.md). On GitLab.com, you can add a group as an approver if you're a member of that group or the
- [Code owners](#code-owners-as-eligible-approvers) of the files changed by the merge request group is public.
that have developer or higher [permissions](../../../permissions.md).
An individual user can be added as an approver for a project if they are a member of: 1. Select **Add approval rule**.
- The project. Users of GitLab Premium and higher tiers can create [additional approval rules](#add-multiple-approval-rules).
- The project's immediate parent group.
- A group that has access to the project via a [share](../../members/share_project_with_groups.md).
A group of users can also be added as approvers, though they only count as approvers if Your configuration for approval rule overrides determines if the new rule is applied
they have direct membership to the group. In the future, group approvers may be to existing merge requests:
[restricted to only groups with share access to the project](https://gitlab.com/gitlab-org/gitlab/-/issues/2048).
If a user is added as an individual approver and is also part of a group approver, - If [approval rule overrides](settings.md#prevent-overriding-default-approvals) are allowed,
then that user is just counted once. The merge request author, and users who have committed changes to these default rules are not applied to existing merge requests, except for
to the merge request, do not count as eligible approvers, changes to the [target branch](#approvals-for-protected-branches) of the rule.
if [**Prevent author approval**](settings.md#allowing-merge-request-authors-to-approve-their-own-merge-requests) (enabled by default) - If approval rule overrides are not allowed, all changes to default rules
and [**Prevent committers approval**](settings.md#prevent-approval-of-merge-requests-by-their-committers) (disabled by default) are applied to existing merge requests. Any approval rules that were previously
are enabled on the project settings. manually [overridden](#edit-or-override-merge-request-approval-rules) during the
period when approval rule overrides where allowed, are not modified.
When an eligible approver comments on a merge request, it displays in the ## Edit an approval rule
**Commented by** column of the Approvals widget. It indicates who participated in
the merge request review. Authors and reviewers can also identify who they should reach out
to if they have any questions about the content of the merge request.
### Implicit Approvers To edit a merge request approval rule:
If the number of required approvals is greater than the number of assigned approvers, 1. Go to your project and select **Settings > General**.
approvals from other users counts towards meeting the requirement. These would be 1. Expand **Merge request (MR) approvals**, and then select **Edit**.
users with developer [permissions](../../../permissions.md) or higher in the project who 1. (Optional) Change the **Rule name**.
were not explicitly listed in the approval rules. 1. Set the number of required approvals in **Approvals required**. The minimum value is `0`.
1. Add or remove eligible approvers, as needed:
- *To add users or groups as approvers,* search for users or groups that are
[eligible to approve](#eligible-approvers), and select **Add**.
### Code Owners as eligible approvers NOTE:
On GitLab.com, you can add a group as an approver if you're a member of that group or the
group is public.
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/7933) in GitLab 11.5. - *To remove users or groups,* identify the group or user to remove, and
> - Moved to GitLab Premium in 13.9. select **{remove}** **Remove**.
1. Select **Update approval rule**.
If you add [Code Owners](../../code_owners.md) to your repository, the owners to the ## Add multiple approval rules **(PREMIUM)**
corresponding files become eligible approvers, together with members with Developer
or higher [permissions](../../../permissions.md).
To enable this merge request approval rule: > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/1979) in GitLab Premium 11.10.
1. Navigate to your project's **Settings > General** and expand In GitLab Premium and higher tiers, you can enforce multiple approval rules on a
**Merge request (MR) approvals**. merge request, and multiple default approval rules for a project. If your tier
1. Locate **Any eligible user** and choose the number of approvals required. supports multiple default rules:
![MR approvals by Code Owners](img/mr_approvals_by_code_owners_v12_7.png) - When [adding](#add-an-approval-rule) or [editing](#edit-an-approval-rule) an approval rule
for a project, GitLab displays the **Add approval rule** button even after a rule is defined.
- When editing or overriding multiple approval rules
[on a merge request](#edit-or-override-merge-request-approval-rules), GitLab
displays the **Add approval rule** button even after a rule is defined.
Once set, merge requests can only be merged once approved by the When an [eligible approver](#eligible-approvers) approves a merge request, it
number of approvals you've set. GitLab accepts approvals from reduces the number of approvals left (the **Approvals** column) for all rules that the approver belongs to:
users with Developer or higher permissions, as well as by Code Owners,
indistinguishably.
Alternatively, you can **require** ![Approvals premium merge request widget](img/approvals_premium_mr_widget_v13_3.png)
[Code Owner's approvals for protected branches](../../protected_branches.md#protected-branches-approval-by-code-owners). **(PREMIUM)**
## Merge Request approval segregation of duties ## Eligible approvers
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40491) in GitLab 13.4. > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10294) in GitLab 13.3, when an eligible approver comments on a merge request, it appears in the **Commented by** column of the Approvals widget.
> - Moved to Premium in 13.9.
Managers or operators with [Reporter permissions](../../../permissions.md#project-members-permissions) To be eligible as an approver for a project, a user must be a member of one or
to a project sometimes need to be required approvers of a merge request, more of these:
before a merge to a protected branch begins. These approvers aren't allowed
to push or merge code to any branches.
To enable this access: - The project.
- The project's immediate parent [group](#group-approvers).
- A group that has access to the project via a [share](../../members/share_project_with_groups.md).
- A [group added as approvers](#group-approvers).
1. [Create a new group](../../../group/index.md#create-a-group), and then The following users can approve merge requests if they have Developer or
[add the user to the group](../../../group/index.md#add-users-to-a-group), higher [permissions](../../../permissions.md):
ensuring you select the Reporter role for the user.
1. [Share the project with your group](../../members/share_project_with_groups.md#sharing-a-project-with-a-group-of-users),
based on the Reporter role.
1. Navigate to your project's **Settings > General**, and in the
**Merge request (MR) approvals** section, click **Expand**.
1. Select **Add approval rule** or **Update approval rule**.
1. [Add the group](../../../group/index.md#create-a-group) to the permission list.
![Update approval rule](img/update_approval_rule_v13_10.png) - Users added as approvers at the project or merge request level.
- Users who are [Code owners](#code-owners-as-eligible-approvers) of the files
changed in the merge request.
## Adding / editing a default approval rule To show who has participated in the merge request review, the Approvals widget in
a merge request displays a **Commented by** column. This column lists eligible approvers
who commented on the merge request. It helps authors and reviewers identify who to
contact with questions about the merge request's content.
To add or edit the default merge request approval rule: If the number of required approvals is greater than the number of assigned approvers,
approvals from other users with Developer [permissions](../../../permissions.md) or higher
in the project counts toward meeting the required number of approvals, even if the
users were not explicitly listed in the approval rules.
1. Navigate to your project's **Settings > General** and expand **Merge request (MR) approvals**. ### Group approvers
1. Click **Add approval rule**, or **Edit**. You can add a group of users as approvers, but those users count as approvers only if
- Add or change the **Rule name**. they have direct membership to the group. In the future, group approvers may be
- Set the number of required approvals in **Approvals required**. The minimum value is `0`. restricted to only groups [with share access to the project](https://gitlab.com/gitlab-org/gitlab/-/issues/2048).
- (Optional) Search for users or groups that are [eligible to approve](#eligible-approvers)
merge requests and click the **Add** button to add them as approvers. Before typing
in the search field, approvers are suggested based on the previous authors of
the files being changed by the merge request.
- (Optional) Click the **{remove}** **Remove** button next to a group or user to delete it from
the rule.
1. Click **Add approval rule** or **Update approval rule**.
When [approval rule overrides](settings.md#prevent-overriding-default-approvals) are allowed, A user's membership in an approvers group affects their individual ability to
changes to these default rules are not applied to existing merge approve in these ways:
requests, except for changes to the [target branch](#scoped-to-protected-branch) of
the rule.
When approval rule overrides are not allowed, all changes to these default rules - A user already part of a group approver who is later added as an individual approver
are applied to existing merge requests. Any approval rules that had previously been counts as one approver, and not two.
manually [overridden](#editing--overriding-approval-rules-per-merge-request) during a - Merge request authors do not count as eligible approvers on their own merge requests by default.
period when approval rule overrides where allowed, are not modified. To change this behavior, disable the
[**Prevent author approval**](settings.md#allowing-merge-request-authors-to-approve-their-own-merge-requests)
project setting.
- Committers to merge requests can approve a merge request. To change this behavior, enable the
[**Prevent committers approval**](settings.md#prevent-approval-of-merge-requests-by-their-committers)
project setting.
NOTE: ### Code owners as eligible approvers
If a merge request targets a different project, such as from a fork to the upstream project,
the default approval rules are taken from the target (upstream) project, not the
source (fork).
### Editing / overriding approval rules per merge request > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/7933) in GitLab 11.5.
> - Moved to GitLab Premium in 13.9.
> Introduced in GitLab Enterprise Edition 9.4. If you add [code owners](../../code_owners.md) to your repository, the owners of files
become eligible approvers in the project. To enable this merge request approval rule:
By default, the merge request approval rule listed in each merge request (MR) can be 1. Go to your project and select **Settings > General**.
edited by the MR author or a user with sufficient [permissions](../../../permissions.md). 1. Expand **Merge request (MR) approvals**.
This ability can be disabled in the [merge request approvals settings](settings.md#prevent-overriding-default-approvals). 1. Locate **Any eligible user** and select the number of approvals required:
One possible scenario would be to add more approvers than were defined in the default ![MR approvals by Code Owners](img/mr_approvals_by_code_owners_v12_7.png)
settings.
When creating or editing a merge request, find the **Approval rules** section, then follow You can also
the same steps as [Adding / editing a default approval rule](#adding--editing-a-default-approval-rule). [require code owner approval](../../protected_branches.md#protected-branches-approval-by-code-owners)
for protected branches. **(PREMIUM)**
## Set up an optional approval rule ## Merge request approval segregation of duties
MR approvals can be configured to be optional, which can help if you're working > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40491) in GitLab 13.4.
on a team where approvals are appreciated, but not required. > - Moved to GitLab Premium in 13.9.
To configure an approval to be optional, set the number of required approvals in **Approvals required** to `0`. You may need to grant users with [Reporter permissions](../../../permissions.md#project-members-permissions),
permission to approve merge requests before they can merge to a protected branch.
Some users (like managers) may not need permission to push or merge code, but still need
oversight on proposed work. To enable approval permissions for these users without
granting them push access:
You can also set an optional approval rule through the [Merge requests approvals API](../../../../api/merge_request_approvals.md#update-merge-request-level-rule), by setting the `approvals_required` attribute to `0`. 1. [Create a new group](../../../group/index.md#create-a-group).
1. [Add the user to the group](../../../group/index.md#add-users-to-a-group),
and select the Reporter role for the user.
1. [Share the project with your group](../../members/share_project_with_groups.md#sharing-a-project-with-a-group-of-users),
based on the Reporter role.
1. Go to your project and select **Settings > General**.
1. Expand **Merge request (MR) approvals**.
1. Select **Add approval rule** or **Update approval rule**.
1. [Add the group](../../../group/index.md#create-a-group) to the permission list.
## Multiple approval rules **(PREMIUM)** ![Update approval rule](img/update_approval_rule_v13_10.png)
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/1979) in [GitLab Premium](https://about.gitlab.com/pricing/) 11.10. ### Edit or override merge request approval rules
In GitLab Premium, it is possible to have multiple approval rules per merge request, By default, the merge request author (or a user with sufficient [permissions](../../../permissions.md))
as well as multiple default approval rules per project. can edit the approval rule listed in a merge request. When editing an approval rule
on a merge request, you can either add or remove approvers:
Adding or editing multiple default rules is identical to 1. In the merge request, find the **Approval rules section**.
[adding or editing a single default approval rule](#adding--editing-a-default-approval-rule), 1. When creating a new merge request, scroll to the **Approval Rules** section,
except the **Add approval rule** button is available to add more rules, even after and add or remove your desired approval rules before selecting **Create merge request**.
a rule is already defined. 1. When viewing an existing merge request:
1. Select **Edit**.
1. Scroll to the **Approval Rules** section.
1. Add or remove your desired approval rules.
1. Select **Save changes**.
Similarly, editing or overriding multiple approval rules per merge request is identical Administrators can change the [merge request approvals settings](settings.md#prevent-overriding-default-approvals)
to [editing or overriding approval rules per merge request](#editing--overriding-approval-rules-per-merge-request), to prevent users from overriding approval rules for merge requests.
except the **Add approval rule** button is available to add more rules, even after
a rule is already defined.
When an [eligible approver](#eligible-approvers) approves a merge request, it ## Configure optional approval rules
reduces the number of approvals left for all rules that the approver belongs to.
![Approvals premium merge request widget](img/approvals_premium_mr_widget_v13_3.png) Merge request approvals can be optional for projects where approvals are
appreciated, but not required. To make an approval rule optional:
## Scoped to protected branch **(PREMIUM)** - When you [create or edit a rule](#edit-an-approval-rule), set **Approvals required** to `0`.
- Use the [Merge requests approvals API](../../../../api/merge_request_approvals.md#update-merge-request-level-rule)
to set the `approvals_required` attribute to `0`.
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/460) in [GitLab Premium](https://about.gitlab.com/pricing/) 12.8. ## Approvals for protected branches **(PREMIUM)**
Approval rules are often only relevant to specific branches, like `master`. > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/460) in GitLab Premium 12.8.
When configuring [**Default Approval Rules**](#adding--editing-a-default-approval-rule)
these can be scoped to all the protected branches at once by navigating to your project's
**Settings**, expanding **Merge request (MR) approvals**, and selecting **Any branch** from
the **Target branch** dropdown.
Alternatively, you can select a very specific protected branch from the **Target branch** dropdown: Approval rules are often relevant only to specific branches, like your
[default branch](../../repository/branches/default.md). To configure an
approval rule for certain branches:
![Scoped to protected branch](img/scoped_to_protected_branch_v13_10.png) 1. [Create an approval rule](#add-an-approval-rule).
1. Go to your project and select **Settings**.
1. Expand **Merge request (MR) approvals**.
1. Select a **Target branch**:
- To protect all branches, select **Any branch**.
- To select a specific branch, select it from the list:
To enable this configuration, see [Code Owner's approvals for protected branches](../../protected_branches.md#protected-branches-approval-by-code-owners). ![Scoped to protected branch](img/scoped_to_protected_branch_v13_10.png)
1. To enable this configuration, read
[Code Owner's approvals for protected branches](../../protected_branches.md#protected-branches-approval-by-code-owners).
...@@ -13,7 +13,7 @@ The settings for Merge Request Approvals are found by going to ...@@ -13,7 +13,7 @@ The settings for Merge Request Approvals are found by going to
## Prevent overriding default approvals ## Prevent overriding default approvals
Regardless of the approval rules you choose for your project, users can edit them in every merge Regardless of the approval rules you choose for your project, users can edit them in every merge
request, overriding the [rules you set as default](rules.md#adding--editing-a-default-approval-rule). request, overriding the [rules you set as default](rules.md#add-an-approval-rule).
To prevent that from happening: To prevent that from happening:
1. Select the **Prevent users from modifying MR approval rules in merge requests.** checkbox. 1. Select the **Prevent users from modifying MR approval rules in merge requests.** checkbox.
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment