Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Compliance Group - Meetings / 2 Dec 2020
GitLab / Compliance Group - Meetings / 2 Dec 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Compliance and approvals in Merge Requests

Description

Sharing where the compliance group is impacting the merge request experience

A

And slack pedro messaged me asking me to just share a little bit about where the compliance group has been working along source code and code reviews to make some additions or enhancements to merge requests specifically around the approvals features and so for mike the other part designer. This is a bit of a informational update. I thought it would be easier just to do a couple walk-throughs through a few issues, or rather epics, that we have outstanding that we're currently working on as a way to help disseminate that knowledge.

A

So I'll start from what are we kind of working on and work towards like? What's coming more down the road? Now there are three ones that stuck out immediately in my mind, and there might be some more out there, but we'll kind of come across as over time. The first one is this notion of being able to link, merge requests to jira and the intent here is. There are instances where organizations are using jira for their project management and git lab for their source code and when they're creating merge requests.

A

It is sometimes a requirement of the organization that that merge requests be originated from some issue. Currently that relationship isn't enforceable.

A

We currently have the ability to mention an issue from jira within a merge request, which is great, but it's not a requirement to merge, and so the intent of this work is going to be introducing as a requirement an ability to check and make sure that your issue has either been mentioned within the merge request, either in the description or the title or the comments or something the same way that we check to see if it's there now and if it is great, you know then they've met that requirement.

A

If not, then that's going to be one thing they have to do, and this will be selected through a merge check requirement.

A

So I believe that work has kind of started. I think we have some of the discovery work being done in 13-8, um so I think they're starting to build the framework to make this happen and we'll see how far we get with that.

A

The next one, this one does deal a lot more with the approval section. So currently you can map physical people as approvers to a merge request, so you can request that specific users or group of users be the approvers for the merge, request and they're instances where organizations want to also use a payload check against an api to ensure that that thing is up and good and there to establish a good connection. I guess for their builds and so they've wanted to be able to add, essentially an api as a third-party approver.

A

So for this, um we've at we've suggested to add uh a different dynamic to the merge request, approvals and it'll show up um and there. So currently you do users or groups, and you pick your your approvers and so the way you could then flip. This would be picking that same drop down and choosing to do an approval gate instead and then you'd be putting in an api to reference.

A

The way that manifests itself with any actual merge request and be right alongside the approvers there'd, be a little drop down or really a collapsible section. That says here are the approval gates that are being checked alongside the eligible approvers, and this would tell you whether or not they've passed or failed a quick check.

A

Currently, you can't you normally can't merge a request if you don't have all the approvals, but for this mvc we're not going to withhold the ability to merge, it's just simply a visual indicator of like did these things, get checked yes or no, or did they pass or fail as more of an informational thing, as opposed to the users, have to go out and check these things manually themselves before they approve or merge a request in.

A

And so the last one here uh is in workflows, mission validation. So we have some research, that's ongoing to essentially create a way to bypass the protections that would normally prevent a merge request from going into master or the default branch whatever that may be as a way to help gatekeep from problems getting in we've definitely heard.

A

There are instances where perhaps a team doesn't want to wait to be able to do all the necessary checks, like let's say the approvers aren't available at the end of the day on a friday, and they just really have to get this change in and they feel very confident that it'll be totally fine, but because no one's there they don't really have an option so to help provide more flexibility into this. We're trying to give the ability to force merge. So this would be able to say yeah. We can ignore your pipelines.

A

We can ignore your uh approval status. What have you that would normally prevent you from pushing this change and allow you to do it? We're trying to do this? Only with group owners um as the specified, pers or group of functionality that we want to share with, we think that might be the smallest blast radius, because we understand that this is a rather impactful thing.

A

So, if you're sasha the software developer, what we're thinking is you don't have this ability, but you at least get the awareness of. If you have a problem, you can go to your group owners and get their assistance emerging into your default branch if necessary.

A

Alternatively, if you are a group owner and your developer pings you, you can come in and hit the force merge button get a little bit of awareness of what this would do um and there's one more step that prevents you from doing that. Just in case you know what this thing does we're trying to just let you know like hey: this could break your builds. You know it's more of an administrative task. It would definitely take some special knowledge of knowing that this would be okay.

A

I've definitely heard this from friends like there are times where they can't merge something because the pipeline's failing, but the change they're trying to put in is to fix the pipeline so now they're kind of just stuck in this like really weird things and they have to like turn off their pipelines in order to get the merging and it's kind of a mess.

A

So this is definitely more of like an edge case thing, but it should be able to provide much more flexibility in those instances where it makes sense to use it, and so this provides additional checks into getting people to get that thing. In but without having to use the traditional means of doing so, so those were the three issues that were outstanding or epics that were outstanding. In my mind, that related to merge, requests and approvals.

A

uh And so, if you have any questions you know, certainly let me know I'll be out on pto for a couple days, but a big deal I'll be back and we can talk about some more.