Approval jobs in CI pipelines
Description
GitLab CI jobs can currently be set to be blocking manual actions with `when: manual` and `allow_failure: false`. Doing so blocks execution of a pipeline at the job until it is manually run, which then allows jobs in subsequent stages to proceed.
Manual jobs can be used as a crude form of approval. For example, let's say there is a `production` job that deploys an app to production (like in Auto DevOps). An `approvals` stage can be inserted before `production` containing a number of manual jobs that have to be run (indicating approval) before the app is deployed to production. However, the manual jobs can be run by anyone with permissions to run CI jobs.
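The blocking-manual-job pattern described above, written out as an added example (not from the original issue); the job names, build and deploy commands are assumed:

```yaml
stages:
  - build
  - approvals
  - production

build:
  stage: build
  script:
    - make build            # assumed build command

# Two blocking manual jobs act as the "approval" gate.
# allow_failure: false makes each one block the pipeline until
# someone runs it; any user permitted to run CI jobs can do so.
approve_release_manager:
  stage: approvals
  script:
    - "true"
  when: manual
  allow_failure: false

approve_security:
  stage: approvals
  script:
    - "true"
  when: manual
  allow_failure: false

# Runs only after both approval jobs above have been run.
production:
  stage: production
  script:
    - ./deploy_app          # assumed deploy script
  environment:
    name: production
```

The pipeline pauses at the `approvals` stage, but nothing restricts who may run those jobs, which is the gap the two proposals below address.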
I'd like to propose two features to improve on this.
- Provide a way to specify users or roles that can run manual jobs.
- Add approvals to CI jobs, somewhat similar to merge request approvals
Proposal 1: Specify users or roles that can run manual jobs
A `who` parameter could be added to CI jobs that indicates the usernames or roles that can run a manual job, like how `only`/`except` specify which refs a job applies to.
```yaml
approval:
  stage: approvals
  who:
    - kinghuang
    - some_group
    - masters
  script:
    - true
  when: manual
  allow_failure: false
```
Here, the `who` indicates that I can run the manual job, as can anyone that is a member of `some_group` and anyone with a master role in the repository. There should be special keywords for all GitLab roles (`guests`, `reporters`, `developers`, `masters`).
Proposal 2: Add approvals to CI jobs
An `approvers` parameter could be added indicating that the CI job requires approval from the listed users and/or groups.
```yaml
production:
  stage: production
  approvers:
    - kinghuang
    - some_group
    - masters
  approvals_required: 2
  script:
    - deploy_app
```
`approvers` indicates who is eligible to give approvals. `approvals_required` sets the number of approvers required before the job can be run. These are based on similar options in merge request approvals.
Note that this example doesn't specify `when: manual`. Once the number of required approvals is reached, the job should run automatically.