Document how to protect manual jobs
Teams need to create manual jobs for things like deployments, or to implement approvals, but it's not obvious how to prevent just anyone from running the job, whether that means indicating their approval or actually running the deployment. This is possible using protected environments, which let you limit the approval list for a job to only the users associated with that environment, but it needs to be documented better.
Add documentation specifically about how to restrict manual jobs, and mention the deploy and approve use cases. To protect a manual job, you need to add the
deploy_prod:
  stage: deploy
  script:
    - echo "Deploy to production server"
  environment:
    name: production
    url: https://example.com
  when: manual
  only:
    - master
Then, configure the environment as protected and allow maintainers/developers or individual users with at least developer access to click on it:
An approval job could be implemented in a similar way. It would have no action itself in its script section, but you could structure your stages/DAG such that the pipeline does not proceed past a point until the manual job with the appropriate environment approval has been run. The documentation update should reference approval jobs by name so it's easy to find the solution for this use case.
We should also reference the new documentation being written for https://gitlab.com/gitlab-org/gitlab-ee/issues/15632 from here, since some users who protect their manual jobs in this way may also want to protect their pipelines.
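A sketch of the approval-job layout described above, added here as an illustration and not taken from the GitLab documentation. It assumes the `production` environment is already configured as protected; the stage names, the `build`, `approve_prod` and `publish_release` job names, and the use of `allow_failure: false` to make the manual job block later stages are assumptions that do not appear in this issue.

```yaml
# Added example: approval gate implemented as a protected manual job.
# Assumes "production" is a protected environment in the project settings.
stages:
  - build
  - approve
  - release

build:
  stage: build
  script:
    - echo "Build the release artifact"
  only:
    - master

approve_prod:
  stage: approve
  # The job does no work of its own; running it is the approval.
  script:
    - echo "Approved for production"
  environment:
    name: production       # ties the job to the protected environment's allowed users
  when: manual
  # Manual jobs do not block the pipeline by default. With allow_failure
  # set to false the pipeline waits at this stage until the job is run.
  allow_failure: false
  only:
    - master

publish_release:
  stage: release
  # Runs only after approve_prod has been run successfully.
  script:
    - echo "Steps that must wait for approval go here"
  only:
    - master
```

Without `allow_failure: false`, the `release` stage would start as soon as `build` finishes and the approval job would be purely decorative, so the documentation should call this setting out for the approval use case.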