Update rules for templates
This is related to !3605 (closed).
This MR adds explicit rules for most of the jobs that get imported from templates. Many do not run in MR pipelines, so the biggest change is to let these run in MR pipelines, but it also ensures they don't run in pipelines that don't need them, like Upstream Review App pipelines, chores pipelines, etc.
Example of template jobs not showing up in MR pipelines:
Examples of template jobs showing up in the wrong pipelines:
- Review app pipeline: https://gitlab.com/gitlab-org/gitlab-docs/-/pipelines/799444870
- Chores pipeline: https://gitlab.com/gitlab-org/gitlab-docs/-/pipelines/799382545
- Environments cleanup pipeline: https://gitlab.com/gitlab-org/gitlab-docs/-/pipelines/799386068
Additional details
I considered updating all the templates to their `.latest` versions:
- https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.latest.gitlab-ci.yml
- https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.latest.gitlab-ci.yml
- https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Secret-Detection.latest.gitlab-ci.yml
But these will all be rolled into the main "stable" templates in 16.0 anyways: https://docs.gitlab.com/ee/update/deprecations.html#secure-analyzers-major-version-update
This MR prepares us for that update. The main change in 16.0, as far as config is concerned, is that the latest versions support:
- MR pipelines by default.
- `1` (as well as the original `true`) for all their respective `*_DISABLED` variables, used to temporarily disable the scanners without needing to edit the pipeline config.
Making these changes now means we won't need any tweaks in 16.0, and it should be a seamless update.
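For illustration, one shape such an explicit `rules` override can take for a single template job. This is an added example, not the configuration from this MR. The include path, the choice of `secret_detection`, and the pipeline sources used to identify review app and chores pipelines are assumptions.

```yaml
# Added example: illustrative only, not the rules this MR contains.
# Assumption: the project includes the stable Secret Detection template.
include:
  - template: Jobs/Secret-Detection.gitlab-ci.yml

secret_detection:
  rules:
    # Kill switch first, so the scanner can be disabled from CI/CD variables
    # without editing this file. Accept both 'true' and '1'.
    - if: $SECRET_DETECTION_DISABLED == 'true' || $SECRET_DETECTION_DISABLED == '1'
      when: never
    # Assumption: upstream review app pipelines arrive as triggered or
    # multi-project pipelines, so the scanner is skipped there.
    - if: $CI_PIPELINE_SOURCE == "pipeline" || $CI_PIPELINE_SOURCE == "trigger"
      when: never
    # Assumption: chores and environment cleanup pipelines are scheduled.
    - if: $CI_PIPELINE_SOURCE == "schedule"
      when: never
    # Run in merge request pipelines, so findings appear before merge.
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    # Keep scanning the default branch to maintain a baseline.
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

Rule order matters: GitLab evaluates `rules` top to bottom and stops at the first match, so the `when: never` entries must precede the rules that add the job.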
Related issues
- Related to #1324 (closed)
- Related to gitlab#389812 (closed)