Setting up approval rules
With Managed Service for GitLab, you can flexibly set up mandatory approval rules before any code can be added to the target branch of the project. For more information on how approval rules work, see Approval rules.
Before getting started, create a service account with administrator privileges and add it to your GitLab project. Assign the Maintainer
or Owner
role
To use approval rules:
- Create a GitLab token.
- Enable approval rules.
- Configure approval rules.
- Set up Code Ownership (available in Standard and Advanced configurations).
If required, enable debugging mode and check out the rules for handling exceptions.
Create a GitLab token
You need the GitLab token to enable approval rules and access the repository, because the token is used for GitLab API authentication.
To create a token:
-
Open your GitLab instance.
-
Click the profile icon and select Edit profile.
-
Go to Access Tokens in the left-hand menu.
-
Click Add new token.
-
In the window that opens, in the Token name field, enter a name to easily locate the token in your GitLab project.
-
In the Expiration date field, specify the token's expiration date.
The default value is one month and the maximum is one year from the token creation date. The token expires at midnight UTC on the specified day.
-
Under Select scopes, select api.
-
Click Create personal access token.
A new token will be generated.
-
Copy and save it. Later you will not be able to copy it in GitLab.
Enable approval rules
- Activate the GitLab setting that prevents merging changes to the target branch until all threads in a merge request are resolved:
- Open your project in GitLab.
- In the left-hand menu, select Settings → Merge requests.
- Under Merge checks, select All threads must be resolved.
- Click Save changes.
- Add a system hook:
- Open your GitLab instance.
- In the left-hand menu, select Search or go to → Admin Area.
- In the left-hand menu, select System Hooks.
- Click Add new webhook.
- Specify the hook parameters:
- URL:
http://localhost:24080/default
. - In the Trigger section, disable all options except Merge request events, Push events, and Repository update events.
- URL:
- Click Add system hook.
- Enable the GitLab setting which allows sending messages to the local network:
- Open your GitLab instance.
- In the left-hand menu, select Search or go to → Admin Area.
- In the left-hand menu, select Settings → Network.
- In the Outbound requests section, enable the Allow requests to the local network from system hooks option.
- In the list of IP addresses and domain names, specify the
http://localhost:24080
URL. - Click Save changes.
- Enable approval rules in the Managed Service for GitLab instance:
-
In the Yandex Cloud management console
, select the folder where the GitLab instance is located. -
Select Managed Service for GitLab.
-
Select the instance and click
Edit at the top of the page. -
In the Approval rules field, select the approval rule configuration.
Note
The configuration you select affects the cost of using the instance's computing resources.
-
In the Gitlab token field, specify the token you created earlier.
-
Click Save.
-
Set up the approval rules
The approval rules for the repository are stored in the APPROVALRULES
file in the root directory. The configuration is read from the default branch
The file consists of two sections:
ApprovalRules
: Describes the rules.BranchGroups
: Describes which branches the rules apply to.
The structure of the APPROVALRULES
file is as follows:
ApprovalRules:
- <rule_name>:
approvers:
- <username>
...
groups:
- <group_name>
...
count: <required_number_of_approvals>
BranchGroups:
- <branch_group_name>:
branches:
- <branch_name>
...
rules:
- <rule_name>
...
Where:
approvers
: Name of the GitLab user who can approve the merge request.groups
: Name of the GitLab group whose users can approve the merge request.branches
: Branch with updates that require approval.rules
: Rule applied to the specified branches.
You may use the *
wildcard symbol instead of usernames and in branch names.
For example, to apply the four-eyes principle to the repository master branch, add the following to the
APPROVALRULES
file:ApprovalRules: - FourEyesRule: approvers: - "*" count: 1 BranchGroups: - Master: branches: - master rules: - FourEyesRule
Set up Code Ownership
The feature is available in Standard and Advanced configurations.
The code ownership settings for the repository are stored in the CODEOWNERS
file in the root directory. The configuration is read from the default branch
The file structure supports the GitLab syntax
Note
If multiple records in the CODEOWNERS
file include the same file or directory at once, the rules from the most recent record apply.
To use the code ownership settings when handling merge requests to specific branches, add the following record to the APPROVALRULES
file:
BranchGroups:
- <branch_group_name>:
branches:
- <branch_name>
...
rules:
- CODE_OWNERS
Debugging
Add the detailed_AR
keyword to a merge request description to have detailed information on each rule output in a thread:
- Names of users who approved the merge request.
- How many approvals are left to be received.
- Names of remaining users who can approve the merge request.
Handling exceptions
Incorrect configuration of approval rules
Issues related to the APPROVALRULES
file are handled as follows:
- If the file is missing from the repository, no approval rules apply to the repository's merge requests.
- If the file is available but is configured incorrectly:
- Users with the
Maintainer
role get an email notification about the error. - All merge requests of the repository are blocked.
- Users with the
Overriding the rules
If you need to commit merge request changes, but the responsible team members are not available, a user with the Maintainer
role or higher can commit the changes by overriding the existing approval rules:
- Add a comment with the
force_merge
keyword to the merge request. - Update the merge request description so that Managed Service for GitLab gets notified of the changes in the merge request.
This will close the thread and unblock the merge request. During the integration, users with the Maintainer
role or higher will receive an email notification about the violated code approval workflow.