Allow Secure templates to run in Merge Request only pipelines

Currently our Secure templates run only on branches, not in Merge Request only pipelines. For example, this .gitlab-ci.yml doesn't add any of the requested jobs in Merge Requests:

include:
  - template: Dependency-Scanning.gitlab-ci.yml
  - template: License-Scanning.gitlab-ci.yml
  - template: SAST.gitlab-ci.yml

workflow:
  rules:
    - if: $CI_COMMIT_REF_NAME == "master"
      when: always
    - if: $CI_MERGE_REQUEST_IID
      when: always
    - when: never

In our templates we use rules such as:

    - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
          $DS_DEFAULT_ANALYZERS =~ /retire.js/
      exists:
        - 'package.json'

Proposal

Update the rules within the Secure section templates to support MR pipelines using the following configuration (as suggested below):

job:
  rules:
    - if: $CI_MERGE_REQUEST_IID    # Add the job to merge request pipelines if there's an open merge request.
    - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
      when: never
    - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
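
The rule evaluation behind the problem and the proposal, as an added example (not GitLab's code and not part of the original issue): a simplified Python model of `rules:` first-match semantics, run over the pipeline types involved. The variable values are constructed, and `exists:`, `$GITLAB_FEATURES` and the analyzer checks are assumed to be satisfied.

```python
# Simplified model of GitLab CI `rules:`: the first rule whose `if` matches
# decides, `when: never` excludes the job, and no match means it is not added.
# Assumption: `exists:`, $GITLAB_FEATURES and the analyzer checks are satisfied.

def first_match(rules, env):
    """Return the `when` of the first matching rule, or "never" if none match."""
    for condition, when in rules:
        if condition(env):
            return when
    return "never"

def has(var):
    """Build an `if: $VAR` predicate (true when the variable is set and non-empty)."""
    return lambda env: bool(env.get(var))

# workflow:rules from the .gitlab-ci.yml in this issue
WORKFLOW = [
    (lambda env: env.get("CI_COMMIT_REF_NAME") == "master", "always"),
    (has("CI_MERGE_REQUEST_IID"), "always"),
    (lambda env: True, "never"),
]
# Current template rule (reduced to its $CI_COMMIT_BRANCH condition)
CURRENT = [(has("CI_COMMIT_BRANCH"), "on_success")]
# Proposed rules
PROPOSED = [
    (has("CI_MERGE_REQUEST_IID"), "on_success"),
    (has("CI_OPEN_MERGE_REQUESTS"), "never"),
    (has("CI_COMMIT_BRANCH"), "on_success"),
]
# Constructed contexts: which predefined variables GitLab sets per pipeline type
CONTEXTS = {
    "merge request": {"CI_COMMIT_REF_NAME": "feature", "CI_MERGE_REQUEST_IID": "7",
                      "CI_OPEN_MERGE_REQUESTS": "group/project!7"},
    "branch, open MR": {"CI_COMMIT_REF_NAME": "feature", "CI_COMMIT_BRANCH": "feature",
                        "CI_OPEN_MERGE_REQUESTS": "group/project!7"},
    "branch, no MR": {"CI_COMMIT_REF_NAME": "feature", "CI_COMMIT_BRANCH": "feature"},
    "master": {"CI_COMMIT_REF_NAME": "master", "CI_COMMIT_BRANCH": "master"},
}

def coverage(job_rules, workflow=None):
    """Map each context to True if the pipeline is created and the job is added."""
    result = {}
    for name, env in CONTEXTS.items():
        created = workflow is None or first_match(workflow, env) != "never"
        result[name] = created and first_match(job_rules, env) != "never"
    return result

if __name__ == "__main__":
    for label, rules in (("current", CURRENT), ("proposed", PROPOSED)):
        print(label, coverage(rules, WORKFLOW), coverage(rules))
```

With the issue's workflow rules, the current rule leaves merge request pipelines without the scanning job, while the proposed rules add it there and keep it out of the duplicate branch pipeline.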

Implementation plan

Edited by Lucas Charles