
Backend: Predefined variable CI_COMMIT_REF_PROTECTED wrong value for merge request

Summary

I would like to disable merge request pipelines when merging from protected branches, e.g. from the develop branch to the staging branch. I use a feature flag strategy, so I do not need this.

The problem is that CI_COMMIT_REF_PROTECTED has the wrong value (false).

Steps to reproduce

  • Create new repo
  • Add two branches e.g. main, staging
  • Mark both branches as protected
  • Add simple .gitlab-ci.yml like:
repro:
  script:
    - env | grep 'CI_COMMIT_REF_PROTECTED\|CI_COMMIT_REF_NAME\|CI_MERGE_REQUEST_TARGET_BRANCH_PROTECTED\|CI_MERGE_REQUEST_TARGET_BRANCH_NAME'
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    - if: '$CI_PIPELINE_SOURCE != "merge_request_event"'
  • Create merge request staging -> main
  • Check logs for merge request pipeline: CI_COMMIT_REF_PROTECTED will be false

Reproduced on GitLab.com: https://gitlab.com/gl-demo-ultimate-mgrabowski/mg-gold/zd-373435
See Add README.md (gl-demo-ultimate-mgrabowski/mg-gold/zd-373435!4 - closed) and compare the output of the branch pipeline vs. the merge request pipeline.

User Impact

Users wishing to use CI_COMMIT_REF_PROTECTED are unable to as it returns the wrong value.

Proposal

def protected_ref?
-  strong_memoize(:protected_ref) { project.protected_for?(git_ref) }
+  strong_memoize(:protected_ref) { project.protected_for?(source_ref_path) }
end
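
Review bot: protected_ref? is a general predicate, and the + line changes its memoized answer for every caller, not only for the CI_COMMIT_REF_PROTECTED variable this issue is about. If the same predicate also decides whether protected CI/CD variables or protected runners are available to a pipeline, merge request pipelines whose source branch is protected would start receiving them, so please list the callers and confirm that widening is intended. Also confirm that source_ref_path resolves to the same ref as git_ref for branch and tag pipelines, and add specs for a merge request pipeline with a protected source branch and with an unprotected one.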
Edited by Max Orefice