Manual jobs that weren't manually triggered stack up on the protected environments page for approval
Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.
Summary
We use when: manual to make deployment jobs manual actions, and we have a "prod" environment that we mark for protection with a single approval. However, deployment jobs to the protected environment appear to stack themselves up for approval without waiting for manual triggering.
Steps to reproduce
- Make a pipeline
- Make a deploy job with
when: manual - Protect the environment that the deploy job targets
- Run pipeline
- Observe that deployment job does not have a Play button, and there is a pending approval on the Environments page
- Run the pipeline again, observe that the Environments page now shows the newer deploy job for approval instead
Example Project
What is the current bug behavior?
We first identified this problem in one of our private projects, and we actually saw that it was exhibiting the auto-run and stacking behavior only after a prod deploy had already been manually triggered. This was actually even more dangerous, because the workflow then was a developer would queue a prod deploy, then notify a leader that it was waiting for approval, and then the leader would go blindly approve the deployment pending for Prod not realizing that it had been replaced with a newer pipeline running off a feature branch.
When setting up a demo project to report this issue, I wasn't able to get the exact same behavior going - seemingly every deployment regardless of the project state would ignore the when: manual and automatically go for approval. I haven't identified the key difference that would cause this change in behavior, but this is still a bug in my opinion - I would expect when: manual to be respected regardless of the Protected Env + approvals process.
What is the expected correct behavior?
I would expect a play button to still appear on the manual deployment job. I would expect that the job only show up for approval on the Environments page after being manually triggered.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
Expand for output related to GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)
Results of GitLab application Check
Expand for output related to the GitLab application check
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true)(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true)(we will only investigate if the tests are passing)