Instance-wide pre/post pipeline jobs
Problem to solve
In companies with strict internal policies, changes to all applications are subject to various controls and approvals, like making sure each application has had a security review or been penetration tested every 12 months. These may live in one or more external systems, particularly manual reviews that can't be automated.
In these companies it is important from an internal policy perspective that they can enforce some control structure on merge requests that change applications.
If a job could be added to the start or end of each pipeline in the whole GitLab instance, this would allow a job to be written that checks such external systems, similar to global pre-receive hooks.
Target audience
The target audience is a Risk/Compliance/Legal Officer who needs to see that there are global controls.
Further details
Running a job/pipeline before or after the project pipeline is run provides a high degree of flexibility, should allow the job/pipeline definition to be version controlled in a repo, and provide the necessary controls.
Using an include is not sufficient because it is entirely opt-in.
It might be possible to treat the pre/post jobs as an include managed at the instance level, but there could be risks that those includes are overridden by the project pipeline, circumventing the control.
Proposal
An instance administrator will be able to select a .gitlab-ci.yml from an existing project to use for a Pre-pipeline and/or Post-pipeline.
Every CI pipeline will also run the instance-wide pre/post pipeline/job.
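The override risk noted under "Further details" can be audited. The sketch below is an added example, not GitLab's code or part of the original issue: it models GitLab's documented include merge behaviour (hashes merge deeply, the project's .gitlab-ci.yml takes precedence, arrays are replaced) and reports which keys of an instance-managed include a project has replaced. The job name `compliance-gate`, the script path and both sample configs are constructed for illustration.

```python
# Added example: models GitLab's documented include merge (hashes merge deeply,
# the project's own value wins, arrays are replaced) to audit for overrides.

def deep_merge(included, local):
    """Merge two parsed CI configs; values from `local` take precedence."""
    merged = dict(included)
    for key, value in local.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value  # scalars and lists are replaced, not appended
    return merged

def find_overrides(included, local, path=()):
    """Return dotted paths where the project config changes an included key."""
    hits = []
    for key, value in local.items():
        if key not in included:
            continue
        here = path + (key,)
        if isinstance(value, dict) and isinstance(included[key], dict):
            hits += find_overrides(included[key], value, here)
        elif value != included[key]:
            hits.append(".".join(here))
    return hits

# Constructed sample: instance-managed include with a hypothetical gate job.
INSTANCE_INCLUDE = {
    "compliance-gate": {
        "stage": ".pre",
        "script": ["./check-security-review.sh"],  # hypothetical script
        "allow_failure": False,
    }
}
# Constructed sample: a project .gitlab-ci.yml that reuses the job name.
PROJECT_CONFIG = {
    "compliance-gate": {"script": ["echo skipped"], "allow_failure": True},
    "build": {"stage": "build", "script": ["make"]},
}

def audit(included, local):
    """Effective config plus every included key the project replaced."""
    return deep_merge(included, local), find_overrides(included, local)

if __name__ == "__main__":
    effective, overrides = audit(INSTANCE_INCLUDE, PROJECT_CONFIG)
    print("effective gate job:", effective["compliance-gate"])
    for p in overrides:
        print("overridden:", p)
```

A non-empty override list for a required job is the signal that an include-based control has been changed at the project level.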