Setting up approval rules
With Managed Service for GitLab, you can flexibly set up mandatory approval rules before any code can be added to the target branch of the project. For more information on how approval rules work, see Approval rules.
Before getting started, create a service account with administrator privileges and add it to your GitLab project. Assign the Maintainer or Owner role to the account, as other roles do not provide enough permissions to configure approval rules. Next, log in to the GitLab instance and set up the approval rules via the service account.
To use approval rules:
- Create a GitLab token.
- Enable approval rules.
- Set up the approval rules.
- Set up Code Ownership (available in Standard and Advanced configurations).
If required, enable debugging mode and check out the rules for handling exceptions.
Create a GitLab token
You need the GitLab token to enable approval rules and access the repository, because the token is used for GitLab API authentication.
To create a token:
-
Open your GitLab instance.
-
Click the profile icon and select Edit profile.
-
Go to Access Tokens in the left-hand menu.
-
Click Add new token.
-
In the window that opens, in the Token name field, enter a name to easily locate the token in your GitLab project.
-
In the Expiration date field, specify the date when the token will expire.
The default value is one month from the creation date, while the maximum lifetime is one year. The token expires at midnight UTC on the specified day.
-
Under Select scopes, select api.
-
Click Create personal access token.
A new token will be generated.
-
Copy and save it. Later you will not be able to copy it in GitLab.
Enable approval rules
- Activate the GitLab setting that prevents merging changes to the target branch until all threads in a merge request are resolved:
- Open your project in GitLab.
- In the left-hand menu, select Settings → Merge requests.
- Under Merge checks, select All threads must be resolved.
- Click Save changes.
- Add a system hook:
- Open your GitLab instance.
- In the left-hand menu, select Search or go to → Admin Area.
- In the left-hand menu, select System Hooks.
- Click Add new webhook.
- Specify the hook parameters:
- URL:
http://localhost:24080/default. - In the Trigger section, disable all options except Merge request events, Push events, and Repository update events.
- URL:
- Click Add system hook.
- Enable the GitLab setting which allows sending messages to the local network:
- Open your GitLab instance.
- In the left-hand menu, select Search or go to → Admin Area.
- In the left-hand menu, select Settings → Network.
- In the Outbound requests section, enable the Allow requests to the local network from system hooks option.
- In the list of IP addresses and domain names, specify the
http://localhost:24080URL. - Click Save changes.
- Enable approval rules in the Managed Service for GitLab instance:
-
In the Yandex Cloud management console, select the folder where the GitLab instance is located.
-
Select Managed Service for GitLab.
-
Select the instance and click Edit at the top of the page.
-
In the Approval rules field, select the approval rule configuration.
Note
The configuration you select affects the cost of using the instance's computing resources.
-
In the Gitlab token field, specify the token you created earlier.
-
Click Save.
-
Set up the approval rules
The approval rules for the repository are stored in the APPROVALRULES file in the root directory. The configuration is read from the default branch when running the instance and is automatically loaded when you modify the file.
The file consists of two sections:
ApprovalRules: Describes the rules.BranchGroups: Describes which branches the rules apply to.
The structure of the APPROVALRULES file is as follows:
ApprovalRules:
- <rule_name>:
approvers:
- <username>
...
groups:
- <group_name>
...
count: <required_number_of_approvals>
BranchGroups:
- <branch_group_name>:
branches:
- <branch_name>
...
rules:
- <rule_name>
...
Where:
approvers: Name of the GitLab user who can approve the merge request.groups: Name of the GitLab group whose users can approve the merge request.branches: Branch with updates that require approval.rules: Rule applied to the specified branches.
You may use the * wildcard symbol instead of usernames and in branch names.
For example, to apply the four-eyes principle to the repository master branch, add the following to the
APPROVALRULESfile:ApprovalRules: - FourEyesRule: approvers: - "*" count: 1 BranchGroups: - Master: branches: - master rules: - FourEyesRule
Set up Code Ownership
The feature is available in Standard and Advanced configurations.
The code ownership settings for the repository are stored in the CODEOWNERS file in the root directory. The configuration is read from the default branch when running the instance and is automatically loaded when you modify the file.
The file structure supports the GitLab syntax, except for the use of user subgroups and email addresses as user IDs.
Note
If multiple records in the CODEOWNERS file include the same file or directory at once, the rules from the most recent record apply.
To use the code ownership settings when handling merge requests to specific branches, add the following record to the APPROVALRULES file:
BranchGroups:
- <branch_group_name>:
branches:
- <branch_name>
...
rules:
- CODE_OWNERS
Debugging
Add the detailed_AR keyword to a merge request description to have detailed information on each rule output in a thread:
- Names of users who approved the merge request.
- How many approvals are left to be received.
- Names of remaining users who can approve the merge request.
Handling exceptions
Incorrect configuration of approval rules
Issues related to the APPROVALRULES file are handled as follows:
- If the file is missing from the repository, no approval rules apply to the repository's merge requests.
- If the file is available but is configured incorrectly:
- Users with the
Maintainerrole get an email notification about the error. - All merge requests of the repository are blocked.
- Users with the
Overriding the rules
If you need to commit merge request changes, but the responsible team members are not available, a user with the Maintainer role or higher can commit the changes by overriding the existing approval rules:
- Add a comment with the
force_mergekeyword to the merge request. - Update the merge request description so that Managed Service for GitLab gets notified of the changes in the merge request.
This will close the thread and unblock the merge request. During the integration, users with the Maintainer role or higher will receive an email notification about the violated code approval workflow.