Security Configuration and project pages show info alert about Auto DevOps when a custom CI/CD config file has been specified
Summary
When the name of the CI/CD configuration file is customized, and a CI/CD file exists with the custom name, the landing page and Security Configuration page for a project incorrectly show an Enable Auto-Devops button, and the Security Configuration page doesn't show a Configuration history link as it should.
For example, assuming that the CI/CD configuration file is set to `.gitlab-ci-test.yml`, and a `.gitlab-ci-test.yml` file exists:
- Project page:
  - Enable Auto-Devops button is displayed, however, it should not be displayed
- Configuration page:
  - Enable Auto-Devops button is displayed, however, it should not be displayed
  - Configuration history link is not displayed, however, it should be displayed, and it should link to the history of the `.gitlab-ci-test.yml` file
Steps to reproduce
- Customize the CI/CD configuration file, for example, set it to `.gitlab-ci-test.yml`
- Create a CI/CD config file with the same name from step 2, for example `.gitlab-ci-test.yml`:

```yaml
test:
  script:
    - echo "TEST"
```

- View the project landing page, for example: https://gitlab.com/adamcohen/342465
  - the Enable Auto-Devops button is displayed, but it should not be shown
- View the Security Configuration page, for example: https://gitlab.com/adamcohen/342465/-/security/configuration
  - the Enable Auto-Devops button is displayed, but it should not be shown
  - the Configuration history link is not displayed, however, it should be displayed, and it should link to the `.gitlab-ci-test.yml` file
Example Project
It's not possible to provide an example project because the security configuration options will only be displayed for the owner/maintainer of the project
What is the current bug behavior?
What is the expected correct behavior?
If the CI/CD configuration file is customized to a file that exists in the repo, then the following should happen:
- On the project landing page and Security Configuration page, the Enable Auto-Devops button should not be displayed
- On the Security Configuration page, the Configuration history link should be displayed, and it should link to the `.gitlab-ci-test.yml` file
Related issues
See here for the initial discussion of this edge case.
See here for more in-depth discussion about possible fixes for this bug
Possible fixes
1. Add a method such as the following to app/models/project.rb:

```ruby
def ci_config_file_path
  # if the ci_config_path is blank, the user has not overridden this value with a custom CI/CD config file name
  if ci_config_path.blank?
    # check to see if a .gitlab-ci.yml file exists in the repo, return empty string if no such file exists
    return "" if repository.gitlab_ci_yml.blank?

    # a .gitlab-ci.yml file exists, return the path to it. Could also just return
    # Gitlab::FileDetector::PATTERNS[:gitlab_ci] since the ci_config_path was not
    # overridden, so this value should be set to the default
    return repository.gitlab_ci_yml.path
  end

  # the ci_config_path value has been customized, check to see if a file matching the custom CI/CD
  # config file exists
  found_files = repository.search_files_by_wildcard_path(ci_config_path, "HEAD")

  # no such file exists in the repo
  return "" if found_files.blank?

  # multiple matching files were found, return the first match
  found_files.first
end

def explicit_gitlab_ci_file_present?
  ci_config_file_path.present?
end
```
2. Confirm that searching for a `ci_config_path` file using `search_files_by_wildcard_path` in step 1 is the correct approach. We can't use `repository.gitlab_ci_yml` in the `ci_config_file_path` method added in step 1, because it doesn't take into account custom CI/CD configuration file values. This is due to the fact that the path to the `gitlab_ci_yml` file used in the `Repository` class is hardcoded to point to `.gitlab-ci.yml`. Because of this, we need to use the general purpose `search_files_by_wildcard_path` method. I don't think we can use the `search_files_by_name` method because it escapes special characters. For example, instead of searching for `README.md`, it'll search for `README\\.md`, which won't work. We might also be able to use the `blob_at` method.

   Whatever method we use here, we need to be aware of possible efficiency concerns, since the `repository.gitlab_ci_yml` method was able to use `cache_method :gitlab_ci_yml`, meanwhile `repository.search_files_by_wildcard_path()` does not. There also might be some security concerns with using `repository.search_files_by_wildcard_path()` to search across the entire repo. We also need to be aware that `repository.search_files_by_wildcard_path()` will return multiple matches, so we need to make sure to return the correct matching file.
3. Determine if the code in app/helpers/projects_helper.rb and app/helpers/auto_devops_helper.rb, which currently makes reference to `project.repository.gitlab_ci_yml`, should use this new method, and if so, make this change.
4. Update the reference to gitlab_ci_present to use the `explicit_gitlab_ci_file_present?` method added in step 1:
can_toggle_auto_fix_settings: auto_fix_permission, - gitlab_ci_present: project.uses_default_ci_config?, + gitlab_ci_present: project.explicit_gitlab_ci_file_present?, gitlab_ci_history_path: gitlab_ci_history_path, } end
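Review bot: `gitlab_ci_present` now receives `project.explicit_gitlab_ci_file_present?`, which calls `ci_config_file_path`; for a customized `ci_config_path` that method runs `repository.search_files_by_wildcard_path` with no `cache_method` equivalent, so this hash now costs a repository search on every render of the page. Consider memoizing the result on the project for the request, or short-circuiting on `project.empty_repo?` before the search, as the history-path helper in the next step already does.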
5. Update the code for the gitlab_ci_history_path to make sure that it now points to the correct `gitlab_ci_config_path`, taking into account any custom CI/CD configuration file setting:
def gitlab_ci_history_path return '' if project.empty_repo? - gitlab_ci = Gitlab::FileDetector::PATTERNS[:gitlab_ci] - Gitlab::Routing.url_helpers.project_blame_path(project, File.join(project.default_branch_or_main, gitlab_ci)) + Gitlab::Routing.url_helpers.project_blame_path(project, File.join(project.default_branch_or_main, project.ci_config_file_path)) end
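Review bot: `project.ci_config_file_path` returns `""` when no matching file exists, but the only guard here is `project.empty_repo?`; for a non-empty repository whose customized config file is missing, `File.join(project.default_branch_or_main, "")` yields a blame path to the branch root instead of an empty string, so the Configuration history link would be rendered and point at nothing. Add `return '' if project.ci_config_file_path.blank?` (or check `project.explicit_gitlab_ci_file_present?`) before building the path, and note that `ci_config_file_path` performs a repository search on each call, so compute it once rather than in both the guard and the `File.join`.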
6. Add tests for all of the above changes.
7. Add E2E tests for the above behaviour, similar to how this is handled in "Security Configuration History is not present on empty CI, is set once CI has been populated".
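As an added illustration (not GitLab's code, and not part of the issue or its proposed patches), the following stand-alone Ruby models the resolution logic the possible fixes describe: a default `.gitlab-ci.yml` versus a customized `ci_config_path`, the `""` result when no matching file exists, and the Enable Auto DevOps button and Configuration history link decisions the project page and Security Configuration page should derive from it. `FakeRepository`, `FakeProject`, `escaped_name_pattern`, the sample file lists and the simplified blame-path format are all constructed for this example. It resolves a customized path with the exact-path `blob_at` lookup the issue mentions as an option, rather than a repository-wide wildcard search, and keeps a wildcard search only to show the multiple-match concern raised in step 2.

```ruby
# Added example, not GitLab code: a self-contained model of the
# ci_config_file_path / explicit_gitlab_ci_file_present? proposal.
# FakeRepository, FakeProject and the sample file lists are constructed here.

# Stands in for Gitlab::FileDetector::PATTERNS[:gitlab_ci].
DEFAULT_CI_CONFIG = ".gitlab-ci.yml".freeze

# Minimal repository stand-in: the tracked file paths at HEAD.
class FakeRepository
  attr_reader :paths

  def initialize(paths)
    @paths = paths
  end

  def empty?
    paths.empty?
  end

  # Exact-path lookup (the blob_at option the issue mentions): a customized
  # ci_config_path names one file, so no glob or repo-wide search is needed.
  def blob_at(path)
    paths.include?(path) ? path : nil
  end

  # Glob search modelled on search_files_by_wildcard_path: it can return
  # several files, which is why the proposal's `found_files.first` needs care.
  def search_files_by_wildcard_path(glob)
    paths.select { |p| File.fnmatch?(glob, p) }
  end
end

# What a name search that regex-escapes its input ends up looking for;
# the issue notes this turns "README.md" into README\.md.
def escaped_name_pattern(name)
  Regexp.escape(name)
end

class FakeProject
  attr_reader :repository, :ci_config_path, :default_branch

  def initialize(repository:, ci_config_path: nil, default_branch: "main")
    @repository = repository
    @ci_config_path = ci_config_path
    @default_branch = default_branch
  end

  # Path of the CI/CD config file in effect, or "" when there is none.
  def ci_config_file_path
    return "" if repository.empty?

    if ci_config_path.to_s.strip.empty?
      # No override: only the default file name counts.
      return repository.blob_at(DEFAULT_CI_CONFIG) ? DEFAULT_CI_CONFIG : ""
    end

    # Override set: resolve it as an exact path; a missing file yields "".
    repository.blob_at(ci_config_path) || ""
  end

  def explicit_gitlab_ci_file_present?
    !ci_config_file_path.empty?
  end

  # Blame link for the effective config file, or "" when there is none so the
  # Configuration history link can be hidden. The path format is simplified.
  def gitlab_ci_history_path
    path = ci_config_file_path
    return "" if path.empty?

    "/-/blame/#{File.join(default_branch, path)}"
  end

  # Project page and Security Configuration page: offer "Enable Auto DevOps"
  # only when no CI/CD config file is in effect.
  def show_auto_devops_button?
    !explicit_gitlab_ci_file_present?
  end
end

# Constructed repositories for the scenarios described in the issue.
REPO_WITH_CUSTOM  = FakeRepository.new(["README.md", ".gitlab-ci-test.yml", ".gitlab-ci.yml", "ci/other.yml"])
REPO_WITH_DEFAULT = FakeRepository.new(["README.md", ".gitlab-ci.yml"])
EMPTY_REPO        = FakeRepository.new([])

# Button and history-link outcome for each scenario.
def scenario_results
  {
    custom_present:  FakeProject.new(repository: REPO_WITH_CUSTOM,  ci_config_path: ".gitlab-ci-test.yml"),
    custom_missing:  FakeProject.new(repository: REPO_WITH_DEFAULT, ci_config_path: ".gitlab-ci-test.yml"),
    default_present: FakeProject.new(repository: REPO_WITH_DEFAULT),
    empty_repo:      FakeProject.new(repository: EMPTY_REPO, ci_config_path: ".gitlab-ci-test.yml")
  }.transform_values do |project|
    { auto_devops_button: project.show_auto_devops_button?,
      history_path: project.gitlab_ci_history_path }
  end
end

if __FILE__ == $PROGRAM_NAME
  scenario_results.each { |name, result| puts "#{name}: #{result}" }
  puts "wildcard matches: #{REPO_WITH_CUSTOM.search_files_by_wildcard_path('.gitlab-ci*.yml').inspect}"
end
```

Running it prints one line per scenario: the customized file that exists hides the button and yields a history link to `.gitlab-ci-test.yml`, a customized name with no matching file behaves like a project with no CI config at all, and the wildcard line shows why `.first` on a glob result is not a safe way to pick the config file when both `.gitlab-ci-test.yml` and `.gitlab-ci.yml` are present.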