Approval jobs in CI pipelines
GitLab CI jobs can currently be set to be blocking manual actions with `when: manual` and `allow_failure: false`. Doing so blocks execution of a pipeline at the job until it is manually run, which then allows jobs in subsequent stages to proceed.
Manual jobs can be used as a crude form of approval. For example, let's say there is a `production` job that deploys an app to production (like in Auto DevOps). An approval stage can be inserted before `production` containing a number of manual jobs that have to be run (indicating approval) before an app is deployed to production. However, the manual jobs can be run by anyone with permissions to run CI jobs.
I'd like to propose two features to improve on this.
- Provide a way to specify users or roles that can run manual jobs.
- Add approvals to CI jobs, somewhat similar to merge request approvals.
Proposal 1: Specify users or roles that can run manual jobs
A `who` parameter could be added to CI jobs that indicates the usernames or roles that can run a manual job, like how `only` and `except` specify which refs a job applies to.
```yaml
approval:
  stage: approvals
  who:
    - kinghuang
    - some_group
    - masters
  script:
    - true
  when: manual
  allow_failure: false
```
`who` indicates I can run the manual job, anyone that is a member of `some_group`, as well as anyone with a master role in the repository. There should be special keywords for all GitLab roles (
Proposal 2: Add approvals to CI jobs
An `approvers` parameter could be added indicating that the CI job requires approval from the listed users and/or groups.
```yaml
production:
  stage: production
  approvers:
    - kinghuang
    - some_group
    - masters
  approvals_required: 2
  script:
    - deploy_app
```
`approvers` indicates who is eligible to give approvals. `approvals_required` sets the number of approvers required before the job can be run. These are based on similar options in merge request approvals.
Note that this example doesn't specify `when: manual`. Once the number of required approvals is reached, it should auto run.
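A sketch of how the two proposals could be evaluated, as an added example (not GitLab code and not part of the original proposal). The group and role membership tables, the precedence of role keywords over group names, and counting each approver only once are assumptions made for illustration.

```python
"""Sketch of the proposed who / approvers / approvals_required checks."""
from dataclasses import dataclass, field

# Constructed directory data; a real implementation would query GitLab.
GROUPS = {"some_group": {"alice", "bob"}}
ROLES = {"masters": {"carol"}, "developers": {"dave", "alice"}}


def eligible_users(entries):
    """Expand a who/approvers list into a set of usernames.

    Assumption: role keywords win over group names, and anything that is
    neither is treated as a literal username.
    """
    users = set()
    for entry in entries:
        if entry in ROLES:
            users |= ROLES[entry]
        elif entry in GROUPS:
            users |= GROUPS[entry]
        else:
            users.add(entry)
    return users


def can_run_manual(user, who):
    """Proposal 1: only listed users, group members or role holders may run."""
    return user in eligible_users(who)


@dataclass
class ApprovalGate:
    """Proposal 2: the job auto-runs once enough distinct approvals exist."""
    approvers: list
    approvals_required: int = 1
    given: set = field(default_factory=set)

    def approve(self, user):
        """Record an approval; returns True once the job may auto-run."""
        if user not in eligible_users(self.approvers):
            raise PermissionError(f"{user} is not an eligible approver")
        self.given.add(user)  # a set, so repeat approvals count once
        return self.ready()

    def ready(self):
        # Re-check eligibility at run time: membership may have changed
        # since the approval was recorded.
        valid = self.given & eligible_users(self.approvers)
        return len(valid) >= self.approvals_required
```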