Cache keyword depends on tag protection
Summary
In reference to customer ticket: 353644 (internal)
In this existing issue, cache suffixes were causing mistaken cache misses when not using the same cache for both protected and unprotected branches and the suffix was inconsistent across job runs.
In the case tested in this issue, using `${CI_COMMIT_TAG}` as the pipeline trigger, the protection status is decided by the tag's protection status. The pipeline `0.26.1` being triggered by an unprotected tag results in the cache key suffix being `-non_protected` despite being run on the protected branch `main`.
Steps to reproduce
For this test there is a wildcard tag protection rule set for `*.0`. When the following job is run for both the tags, `0.26.0` and `0.26.1`, the cache key differs between the two runs.
The cache from the `0.26.0` pipeline has the suffix `-protected` whereas the cache from the `0.26.1` pipeline has the suffix `-non_protected`.
If a cache key for a pull policy was used with the same construction, the pipeline for `0.26.1` would therefore not be able to find the cached artifacts.
.gitlab-ci.yml
```yaml
.version_update:
  image: alpine:latest
  variables:
    VERSION_TAG: "<VersionTag>"
  # Requires package.json in root of the repository
  cache:
    key: "${CI_PROJECT_NAME}-version"
    paths:
      - "package.json"
    policy: push
  script:
    - sed -i "s/\"version\".*/\"version\" :\"${VERSION_TAG}\",/" package.json
    - echo "Set version in package.json to ${VERSION_TAG} in ${CI_PROJECT_NAME}"

release-version-app:
  stage: build
  extends: .version_update
  variables:
    VERSION_TAG: '${CI_COMMIT_TAG}'
  cache:
    key: '${CI_PROJECT_NAME}-version'
    paths:
      - 'package.json'
    policy: push
  rules:
    - if: $CI_COMMIT_TAG
```
Relevant logs and/or screenshots
job log
0.26.0
Running with gitlab-runner 15.1.0 (76984217)
on myRunner 9aS-yozG
Preparing the "docker" executor
00:02
Using Docker executor with image alpine:latest ...
Pulling docker image alpine:latest ...
Using docker image sha256:042a816809aac8d0f7d7cacac7965782ee2ecac3f21bcf9f24b1de1a7387b769 for alpine:latest with digest alpine@sha256:f271e74b17ced29b915d351685fd4644785c6d1559dd1f2d4189a5e851ef753a ...
Preparing environment
00:00
Running on runner-9as-yozg-project-4-concurrent-0 via gss-vm-runner-latest-ubuntu-01...
Getting source from Git repository
00:01
Fetching changes with git depth set to 20...
Reinitialized existing Git repository in /builds/gitlab-instance-90400fe5/353644-test/.git/
Checking out 8f6f8634 as 0.26.0...
Skipping Git submodules setup
Restoring cache
00:01
Not downloading cache 353644-test-version-protected due to policy
Executing "step_script" stage of the job script
00:00
Using docker image sha256:042a816809aac8d0f7d7cacac7965782ee2ecac3f21bcf9f24b1de1a7387b769 for alpine:latest with digest alpine@sha256:f271e74b17ced29b915d351685fd4644785c6d1559dd1f2d4189a5e851ef753a ...
$ sed -i "s/\"version\".*/\"version\" :\"${VERSION_TAG}\",/" package.json
$ echo "Set version in package.json to ${VERSION_TAG} in ${CI_PROJECT_NAME}"
Set version in package.json to 0.26.0 in 353644-test
Saving cache for successful job
00:01
Creating cache 353644-test-version-protected...
package.json: found 1 matching files and directories
No URL provided, cache will not be uploaded to shared cache server. Cache will be stored only locally.
Created cache
Job succeeded
0.26.1
Running with gitlab-runner 15.1.0 (76984217)
on myRunner 9aS-yozG
Preparing the "docker" executor
00:01
Using Docker executor with image alpine:latest ...
Pulling docker image alpine:latest ...
Using docker image sha256:042a816809aac8d0f7d7cacac7965782ee2ecac3f21bcf9f24b1de1a7387b769 for alpine:latest with digest alpine@sha256:f271e74b17ced29b915d351685fd4644785c6d1559dd1f2d4189a5e851ef753a ...
Preparing environment
00:01
Running on runner-9as-yozg-project-4-concurrent-0 via gss-vm-runner-latest-ubuntu-01...
Getting source from Git repository
00:01
Fetching changes with git depth set to 20...
Reinitialized existing Git repository in /builds/gitlab-instance-90400fe5/353644-test/.git/
Checking out 8f6f8634 as 0.26.1...
Skipping Git submodules setup
Restoring cache
00:00
Not downloading cache 353644-test-version-non_protected due to policy
Executing "step_script" stage of the job script
00:01
Using docker image sha256:042a816809aac8d0f7d7cacac7965782ee2ecac3f21bcf9f24b1de1a7387b769 for alpine:latest with digest alpine@sha256:f271e74b17ced29b915d351685fd4644785c6d1559dd1f2d4189a5e851ef753a ...
$ sed -i "s/\"version\".*/\"version\" :\"${VERSION_TAG}\",/" package.json
$ echo "Set version in package.json to ${VERSION_TAG} in ${CI_PROJECT_NAME}"
Set version in package.json to 0.26.1 in 353644-test
Saving cache for successful job
00:00
Creating cache 353644-test-version-non_protected...
package.json: found 1 matching files and directories
No URL provided, cache will not be uploaded to shared cache server. Cache will be stored only locally.
Created cache
Job succeeded
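The suffix behaviour in the two job logs above, modelled as an added example (not code from this issue, GitLab, or GitLab Runner): it derives the effective cache name from the triggering ref's protection status and scans job logs for a cache key that appears under more than one suffix. The function names and the wildcard semantics (`*` matches any run of characters) are assumptions made for this illustration.

```python
import re

# Added illustration: a model of the reported behaviour, not GitLab's or the runner's code.
CACHE_LINE = re.compile(
    r"^(?:Creating|Not downloading) cache (\S+?)(?:\.\.\.| due to policy)$", re.M)
SUFFIX = re.compile(r"^(.*)-(non_protected|protected)$")

def wildcard_match(pattern, ref):
    # Assumption: '*' matches any run of characters, everything else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, ref) is not None

def effective_cache_key(key, ref, protected_patterns):
    # The suffix follows the protection status of the ref that triggered the pipeline.
    protected = any(wildcard_match(p, ref) for p in protected_patterns)
    return f"{key}-{'protected' if protected else 'non_protected'}"

def split_caches(logs_by_ref):
    """Return {base_key: {ref: suffix}} for keys seen with more than one suffix."""
    seen = {}
    for ref, log in logs_by_ref.items():
        for name in CACHE_LINE.findall(log):
            m = SUFFIX.match(name)
            if m:
                seen.setdefault(m.group(1), {})[ref] = m.group(2)
    return {k: v for k, v in seen.items() if len(set(v.values())) > 1}

# Lines excerpted from the two job logs on this page.
LOGS = {
    "0.26.0": "Restoring cache\n"
              "Not downloading cache 353644-test-version-protected due to policy\n"
              "Creating cache 353644-test-version-protected...\n",
    "0.26.1": "Restoring cache\n"
              "Not downloading cache 353644-test-version-non_protected due to policy\n"
              "Creating cache 353644-test-version-non_protected...\n",
}

if __name__ == "__main__":
    for tag in LOGS:
        print(tag, effective_cache_key("353644-test-version", tag, ["*.0"]))
    print(split_caches(LOGS))
```

Run against a set of job logs for the same project, a non-empty result from `split_caches` points at a cache that a later pull-policy job on a differently protected ref will miss.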
Used GitLab Runner version
15.1.0
Possible fixes
- Updating the CI/CD Keyword documentation to reflect how different triggers may affect the protection status of pipelines run on the project.
- If tag protection should not affect the protection status of jobs run on a protected branch, then this bug might need to be resolved by altering how the protection reference for a pipeline is decided.