Jobs in a restarted pipeline should be associated with the triggering user
Release notes
TBD
Problem to solve
The current handling of a restarted pipeline does not associate the correct username with jobs that are subsequently executed when a job is retried by someone other than the original user who triggered the pipeline. While the retried job is accurately attributed to the "retry user", all other subsequent jobs that run (when the retried job is successful) are still associated with the original user. This makes it difficult from an audit perspective to satisfy the expectation that actions should be traceable back to a single user.
Intended users
- Cameron (Compliance Manager)
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sam (Security Analyst)
- Rachel (Release Manager)
- Alex (Security Operations Engineer)
Proposal
Change the user of the skipped jobs to match the user retrying a previous job. This means that the job user would always match who runs the jobs while the pipeline user matches who creates the jobs when creating the pipeline.
Documentation
Availability & Testing
Further details
Expand for original details when this issue was initially opened as a bug.
Summary
If a job is run / retried by a user, they are properly associated with the event that triggered the run. However, if the job that has been retried is part of a pipeline, subsequent jobs/stages that are run after a success remain associated with the original user who triggered the pipeline.
This does not seem ideal as it was the action of the user who retried the job that leads to subsequent jobs being run. For instance, if I cancel a job with some sort of CD associated with it I may have done so for a reason. I may not want another user (even if they are a developer on the project) causing a pipeline associated with my user account to continue to run.
cc: @mterhar
Steps to reproduce
- Create a project with two developers (userA & userB)
- Establish a .gitlab-ci.yml file with at minimum two stages, with a job in each stage
- userA triggers a pipeline
- Cancel the first job before completion so the second job/stage is never reached
- userB retries the first job
- After the first job is successful, remaining jobs are still associated with the original user (userA)
Example Project
- .gitlab-ci.yml - https://gitlab.com/paulbry/runner-scratch/-/blob/pipeline-trigger/.gitlab-ci.yml
- Pipe results - https://gitlab.com/paulbry/runner-scratch/pipelines/114966540
What is the expected correct behavior?
If a job fails / is canceled by one user and is retried by another, I would expect that unless I retry subsequent jobs (or the entire pipeline) they should not be run.
Relevant logs and/or screenshots
Note, the screenshot was taken on a self-hosted deployment but I've since confirmed that the issue exists on GitLab.com as well.
Output of checks
This bug happens on GitLab.com
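
An audit-side check for the behaviour described in this issue, added here as an example and not code from GitLab or the reporter: it flags later-stage jobs that ran after a retry but are still attributed to a different user than the one who retried. The record layout (id, name, stage, user, status, started_at), the job names and the sample data are constructed for illustration.

```python
from datetime import datetime

# Constructed sample mirroring the reproduction steps: userA's first job is
# canceled, userB retries it, and the second stage then runs as userA.
# The record layout is an assumption of this example, not a GitLab schema.
STAGES = ["build", "deploy"]
JOBS = [
    {"id": 1, "name": "compile", "stage": "build", "user": "userA",
     "status": "canceled", "started_at": "2020-02-01T10:00:00"},
    {"id": 2, "name": "compile", "stage": "build", "user": "userB",
     "status": "success", "started_at": "2020-02-01T11:00:00"},
    {"id": 3, "name": "release", "stage": "deploy", "user": "userA",
     "status": "success", "started_at": "2020-02-01T11:05:00"},
]


def _start(job):
    return datetime.fromisoformat(job["started_at"])


def find_retries(jobs):
    """A retry is any later record (higher id) for an already-seen job name."""
    seen, retries = set(), []
    for job in sorted(jobs, key=lambda j: j["id"]):
        if job["name"] in seen and job["started_at"]:
            retries.append(job)
        seen.add(job["name"])
    return retries


def misattributed_jobs(jobs, stages):
    """Return (job_id, recorded_user, retry_user) for each job in a later
    stage that started after a retry but is attributed to someone else."""
    order = {stage: i for i, stage in enumerate(stages)}
    retries = find_retries(jobs)
    findings = []
    for job in jobs:
        if not job["started_at"]:
            continue  # never ran (skipped/created), nothing to attribute
        prior = [r for r in retries
                 if order[r["stage"]] < order[job["stage"]]
                 and _start(r) <= _start(job)]
        if not prior:
            continue
        trigger = max(prior, key=_start)  # the retry that unblocked this job
        if job["user"] != trigger["user"]:
            findings.append((job["id"], job["user"], trigger["user"]))
    return findings
```

With the proposal in place, the `release` record would carry userB and the function would return an empty list for the same pipeline.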