Approval jobs in CI pipelines

Description

GitLab CI jobs can currently be made blocking manual actions with when: manual and allow_failure: false. Such a job blocks the pipeline at its stage until someone runs it manually, after which jobs in subsequent stages proceed.

Manual jobs can be used as a crude form of approval. For example, let's say there is a production job that deploys an app to production (like in Auto DevOps). An approval stage can be inserted before production containing a number of manual jobs that have to be run (indicating approval) before the app is deployed to production. However, the manual jobs can be run by anyone with permission to run CI jobs, so they do not restrict who can give the approval.

I'd like to propose two features to improve on this.

  1. Provide a way to specify users or roles that can run manual jobs.
  2. Add approvals to CI jobs, somewhat similar to merge request approvals.

Proposal 1: Specify users or roles that can run manual jobs

A who parameter could be added to CI jobs that indicates the usernames, groups or roles allowed to run a manual job, analogous to how only/except specify which refs a job applies to.

approval:
  stage: approvals
  who:
    - kinghuang
    - some_group
    - masters
  script:
    - true
  when: manual
  allow_failure: false

Here, who indicates that I can run the manual job, as can anyone who is a member of some_group and anyone with the master role in the repository. There should be special keywords for all GitLab roles (guests, reporters, developers, masters).

Proposal 2: Add approvals to CI jobs

An approvers parameter could be added indicating that the CI job requires approval from the listed users and/or groups.

production:
  stage: production
  approvers:
    - kinghuang
    - some_group
    - masters
  approvals_required: 2
  script:
    - deploy_app

approvers indicates who is eligible to give approvals. approvals_required sets the number of approvals needed before the job can run. Both are modelled on the corresponding options in merge request approvals.

Note that this example doesn't specify when: manual. Once the required number of approvals is reached, the job should run automatically.
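To make the intended semantics of both proposals concrete, here is an added illustration (not GitLab code and not part of this proposal) that evaluates the who and approvers/approvals_required rules against the two example jobs above. The project members, their roles, the some_group membership and the default of one required approval are constructed assumptions.

```python
# Added illustration of the proposed semantics; not GitLab's implementation.
# Eligibility entries are resolved three ways, as in the proposal: an exact
# username, a group name, or one of the role keywords.
ROLE_KEYWORDS = {"guests", "reporters", "developers", "masters"}

# Constructed sample data: project members with their role, and group membership.
PROJECT_MEMBERS = {"kinghuang": "masters", "alice": "developers",
                   "bob": "masters", "carol": "guests"}
GROUP_MEMBERS = {"some_group": {"alice", "dave"}}

# The two jobs from the proposal, as dicts equivalent to the YAML above.
APPROVAL_JOB = {"stage": "approvals", "who": ["kinghuang", "some_group", "masters"],
                "script": ["true"], "when": "manual", "allow_failure": False}
PRODUCTION_JOB = {"stage": "production",
                  "approvers": ["kinghuang", "some_group", "masters"],
                  "approvals_required": 2, "script": ["deploy_app"]}


def is_eligible(user, entries, members=PROJECT_MEMBERS, groups=GROUP_MEMBERS):
    """True if `user` matches any entry: username, group name, or role keyword."""
    role = members.get(user)
    for entry in entries:
        if entry == user:
            return True
        if entry in ROLE_KEYWORDS and role == entry:
            return True
        if user in groups.get(entry, set()):
            return True
    return False


def can_run_manual(job, user):
    """Proposal 1: a manual job without `who` keeps today's behaviour (anyone
    who can run CI jobs); with `who`, only matching users may run it."""
    return "who" not in job or is_eligible(user, job["who"])


def approval_status(job, approvals):
    """Proposal 2: count distinct eligible approvers and compare with
    approvals_required (assumed default 1). Returns (count, required, may_run).
    Approvals from ineligible users and repeat approvals do not count."""
    required = job.get("approvals_required", 1)
    eligible = {u for u in set(approvals) if is_eligible(u, job.get("approvers", []))}
    return len(eligible), required, len(eligible) >= required


if __name__ == "__main__":
    print(can_run_manual(APPROVAL_JOB, "carol"))            # False: guest, not listed
    print(approval_status(PRODUCTION_JOB, ["kinghuang", "bob"]))  # (2, 2, True)
```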

Links / references

Merge request approvals
