"Pipelines must succeed" checkbox is ignored if CI is skipped
Customers want to use the "Pipelines must succeed" button to enforce a policy that a commit must pass its tests before it can be merged. But it's possible for developers to bypass the policy entirely using CI skipping.
Steps to reproduce
- Create a new project with a README and a simple
- Turn on "Pipelines must succeed"
- Protect the
masterbranch and set "Allowed to Push" to "No One" for
- Create a branch and MR
- In your branch, edit
exit 0to say
exit 1(which is a failure)
- Commit your change with "[skip ci]" as the commit message
- Push your change
- Navigate to the Merge Request. The merge button appears, and it's possible to merge - even though you just broke the build and insisted that Pipelines must succeed.
Here's a CI configuration that will work:
test: script: - exit 0 only: ['merge_requests']
Note While in the steps above I use the
[skip ci] commit message, I assume (have not tested) that the
ci.skip push option would similarly allow a developer to bypass the pipeline success requirement.
What is the current bug behavior?
The Merge button appears in the MR. It can be merged. Even though you set a policy that pipelines must succeed, and the build is completely broken.
What is the expected correct behavior?
A message that says something like:
The pipeline for this merge request was skipped. Please run a successful pipeline on this branch.
The format could be the same as is currently shown when the Pipeline is blocked or failed (see below).
Relevant logs and/or screenshots
The "Pipelines must succeed" button:
The "Merge" button that appears:
The "Blocked" message, which indicates a possible format for the "skipped" message:
The "Failed" message, also to indicate format:
Output of checks
This bug happens on GitLab.com.
Major issue for at least one enterprise customer