We’d like to limit who can edit MR approval rules. In my team’s use case, we don’t want contributors to be able to override the rules to skip the mandatory reviews. However, we do have to generate some rules by automation on the fly, so we cannot use the “Prevent editing approval rules in merge requests” setting, as the automation needs to be able to edit the rules.
Limiting the edit permissions to a list of accounts or the Owner+Maintainer roles are both acceptable. I wasn’t able to find any solutions to either; does anyone know if it’s possible to achieve somehow?
AFAIK, this option is not very flexible, at least not by default.
So, it is as you say: Owners + Maintainers can edit rules (generally), but I’m not sure how this behaves if you disable the editing of rules during an open MR (if they are still able to do this or not).
If you have an Ultimate license, there are Custom Roles, where you might be able to craft a new role that suits you (e.g. more permissions than Developer, less than Maintainer) - since I see that there are customizable permissions for MRs.
Thank you for looking! However, I don’t think the custom roles would help here - from what I see in the linked docs, manage_merge_request_settings permission only enables one to “manage approval settings”. I.e., I could more flexibly pick people to be able to check/uncheck the “Prevent editing approval rules in merge requests” setting, but it still doesn’t give me the extra option of picking who can actually do the editing on the MRs.
> Owners + Maintainers can edit rules (generally)
I wish that was true, then I wouldn’t have this issue. But Developers do have the ability to override the rules for their MRs too, which is the problem: Merge request approval rules | GitLab (actually, it seems like I can do that for other people’s MRs too… haven’t tried clicking save for obvious reasons, though).