Issue Summary
An approval for a PR is shown as applying to a commit the reviewer never saw if that commit is pushed while the PR review is in progress and the reviewer does not reload the PR when the notification that the PR has been updated appears.
If automatic merging is enabled, this can lead to unreviewed commits being merged to other branches and, via CI/CD, possibly being deployed to production, causing security concerns.
This is reproducible on Data Center: yes
Steps to Reproduce
- Have an open PR
- Start reviewing the PR
- Push another commit to the source branch of the PR
- Wait until a notification appears on screen that the PR has been updated, but don't refresh or reload the PR
- Finish the review and approve it
Expected Results
The approval shows it is for the commit that was current when the review was started.
Actual Results
The approval shows it is for the commit that was pushed while the review was in progress, which was never actually reviewed.
Workaround
Tell PR reviewers to reload the PR if a notification is displayed saying the PR was updated while the review is in progress.
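The race described above, replayed in a small model. This is an added example, not Bitbucket code or its API: the `PullRequest` class, the two approval methods, the merge gate and the commit ids `c1`/`c2` are all hypothetical and constructed for illustration. It contrasts an approval recorded against whatever the head is at approval time (the reported behaviour) with one bound to the commit the reviewer's page was showing (the expected behaviour).

```python
# Toy model of the approval race. Assumption: none of these names exist in
# Bitbucket; they only illustrate the reported and the expected behaviour.
from dataclasses import dataclass, field


@dataclass
class PullRequest:
    head: str                                      # latest commit on the source branch
    approvals: dict = field(default_factory=dict)  # reviewer -> commit the approval is recorded for

    def push(self, commit: str) -> None:
        self.head = commit

    def approve_unbound(self, reviewer: str) -> None:
        """Reported behaviour: approval is recorded against the current head."""
        self.approvals[reviewer] = self.head

    def approve_bound(self, reviewer: str, reviewed_commit: str) -> None:
        """Expected behaviour: approval is recorded against the commit the reviewer saw."""
        self.approvals[reviewer] = reviewed_commit

    def can_auto_merge(self) -> bool:
        """Assumed merge gate: at least one approval, and every approval is for the head."""
        return bool(self.approvals) and all(
            commit == self.head for commit in self.approvals.values()
        )


def replay(bound: bool) -> tuple:
    """Replay the steps to reproduce; return (approved commit, auto-merge allowed)."""
    pr = PullRequest(head="c1")   # an open PR (constructed commit ids)
    page_commit = pr.head         # reviewer starts reviewing: page shows c1
    pr.push("c2")                 # another commit is pushed to the source branch
    # The update notification appears, but the reviewer does not reload.
    if bound:
        pr.approve_bound("alice", page_commit)
    else:
        pr.approve_unbound("alice")
    return pr.approvals["alice"], pr.can_auto_merge()


if __name__ == "__main__":
    print("unbound:", replay(bound=False))  # approval lands on the unreviewed commit
    print("bound:  ", replay(bound=True))   # stale approval no longer satisfies the gate
```

In the unbound case a gate that compares the approved commit with the head cannot catch the problem, because the approval record itself already names the unreviewed commit.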
- supersedes: BSERV-14154 Pull Request overview page does not get updated automatically when PR is changed while it is being reviewed (Closed)
- causes: PS-133421