Merge Request Events Webhook: CODEOWNERS approval rules missing from initial MR open event
Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.
Summary
When a merge request is opened, the webhook payload for the "merge_request" event does not include CODEOWNERS approval rules in the approval_rules array. These rules only appear in subsequent webhook events for the same merge request (e.g., when the MR is approved).
This appears to be happening because CODEOWNER approval requirements are applied to the MR during the Merge Checks process, which occurs after the creation of the MR.
ZD Ticket (internal)
Steps to reproduce
- Create a new project:
- Set project's Merge request approval requirements:
- Minimum required approvals
- Any eligible user
- All branches
- Approvals required: 0
- Set project's Merge request approval requirements:
- Configure CODEOWNERS approval policy in the project
- Configure webhooks for merge request events on the Project
- Create a new merge request
- Observe the webhook payload for the "merge_request" open event
- Wait for or trigger a subsequent merge request event (approve the MR)
What is the current bug behavior?
- When an MR is first opened, the webhook payload only includes project-level approval rules
"approval_rules": [
{
"id": 33,
"created_at": "2025-01-29 21:21:53 UTC",
"updated_at": "2025-01-29 21:21:53 UTC",
"merge_request_id": 18,
"approvals_required": 0,
"name": "All Members",
"rule_type": "any_approver",
"report_type": null,
"section": null,
"modified_from_project_rule": false,
"orchestration_policy_idx": null,
"vulnerabilities_allowed": 0,
"scanners": [],
"severity_levels": [],
"vulnerability_states": [
"new_needs_triage",
"new_dismissed"
],
"security_orchestration_policy_configuration_id": null,
"scan_result_policy_id": null,
"applicable_post_merge": null,
"project_id": 8,
"approval_policy_rule_id": null
}
],
"action": "open"- CODEOWNERS approval rules are added to the webhook payload only in subsequent events
"approval_rules": [
{
"id": 33,
"created_at": "2025-01-29 21:21:53 UTC",
"updated_at": "2025-01-29 21:21:53 UTC",
"merge_request_id": 18,
"approvals_required": 0,
"name": "All Members",
"rule_type": "any_approver",
"report_type": null,
"section": null,
"modified_from_project_rule": false,
"orchestration_policy_idx": null,
"vulnerabilities_allowed": 0,
"scanners": [],
"severity_levels": [],
"vulnerability_states": [
"new_needs_triage",
"new_dismissed"
],
"security_orchestration_policy_configuration_id": null,
"scan_result_policy_id": null,
"applicable_post_merge": null,
"project_id": 8,
"approval_policy_rule_id": null
},
{
"id": 34,
"created_at": "2025-01-29 21:21:56 UTC",
"updated_at": "2025-01-29 21:21:56 UTC",
"merge_request_id": 18,
"approvals_required": 1,
"name": "*",
"rule_type": "code_owner",
"report_type": null,
"section": "General",
"modified_from_project_rule": false,
"orchestration_policy_idx": null,
"vulnerabilities_allowed": 0,
"scanners": [],
"severity_levels": [],
"vulnerability_states": [
"new_needs_triage",
"new_dismissed"
],
"security_orchestration_policy_configuration_id": null,
"scan_result_policy_id": null,
"applicable_post_merge": null,
"project_id": 8,
"approval_policy_rule_id": null
}
],
"action": "approved"What is the expected correct behavior?
The initial merge request webhook payload "action": "open" should include all applicable approval rules, including CODEOWNERS rules.
Edited by 🤖 GitLab Bot 🤖