Skip to content
GitLab
Next
Menu
Why GitLab
Pricing
Contact Sales
Explore
Why GitLab
Pricing
Contact Sales
Explore
Sign in
Get free trial
Primary navigation
Search or go to…
Project
GitLab
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Iterations
Requirements
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Locked files
Build
Pipelines
Jobs
Pipeline schedules
Test cases
Artifacts
Deploy
Releases
Package Registry
Container Registry
Model registry
Operate
Environments
Terraform modules
Monitor
Incidents
Service Desk
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Code review analytics
Issue analytics
Insights
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Privacy statement
Keyboard shortcuts
?
What's new
4
Snippets
Groups
Projects
Show more breadcrumbs
GitLab.org
GitLab
Commits
75860c87
Commit
75860c87
authored
5 years ago
by
Marcel Amirault
Committed by
Evan Read
5 years ago
Browse files
Options
Downloads
Patches
Plain Diff
Explain how to protect manual jobs
parent
2390284a
No related branches found
No related tags found
No related merge requests found
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
doc/ci/yaml/README.md
+39
-1
39 additions, 1 deletion
doc/ci/yaml/README.md
with
39 additions
and
1 deletion
doc/ci/yaml/README.md
+
39
−
1
View file @
75860c87
...
...
@@ -1086,13 +1086,51 @@ Manual actions are considered to be write actions, so permissions for
[
protected branches
](
../../user/project/protected_branches.md
)
are used when
a user wants to trigger an action. In other words, in order to trigger a manual
action assigned to a branch that the pipeline is running for, the user needs to
have the ability to merge to this branch.
have the ability to merge to this branch. It is possible to use protected environments
to more strictly
[
protect manual deployments
](
#protecting-manual-jobs
)
from being
run by unauthorized users.
NOTE:
**Note:**
Using
`when:manual`
and
`trigger`
together results in the error
`jobs:#{job-name} when
should be on_success, on_failure or always`
, because
`when:manual`
prevents triggers
being used.
##### Protecting manual jobs
It's possible to use
[
protected environments
](
../environments/protected_environments.md
)
to define a precise list of users authorized to run a manual job. By allowing only
users associated with a protected environment to trigger manual jobs, it is possible
to implement some special use cases, such as:
-
more precisely limiting who can deploy to an environment.
-
enabling a pipeline to be blocked until an approved user "approves" it.
To do this, you must add an environment to the job. For example:
```
yaml
deploy_prod
:
stage
:
deploy
script
:
-
echo "Deploy to production server"
environment
:
name
:
production
url
:
https://example.com
when
:
manual
only
:
-
master
```
Then, in the
[
protected environments settings
](
../environments/protected_environments.md#protecting-environments
)
,
select the environment (
`production`
in the example above) and add the users, roles or groups
that are authorized to trigger the manual job to the
**Allowed to Deploy**
list. Only those in
this list will be able to trigger this manual job, as well as GitLab admins who are always able
to use protected environments.
Additionally, if a manual job is defined as blocking by adding
`allow_failure: false`
,
the next stages of the pipeline will not run until the manual job is triggered. This
can be used as a way to have a defined list of users allowed to "approve" later pipeline
stages by triggering the blocking manual job.
#### `when:delayed`
> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/merge_requests/21767) in GitLab 11.4.
...
...
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment