Make DAST pipelines fork-friendly
Context
There are typically a number of jobs in a pipeline that should run only in the default-branch pipeline, not in commit or MR pipelines. The obvious example is a production deploy job.
When changing how these default-only jobs work, either by changing the job itself or by changing the way information flows to it from other jobs, the changes cannot be tested in a typical MR pipeline, because the jobs do not run there. The recommended way to test them is to push the changes to a personal fork of the project and run a pipeline there.
Because pushing the same local branch to different branches in different remotes (e.g. pushing the local `my-feature-branch` to `origin/my-feature-branch` and also to `personal-fork/main`) is manual and error-prone, the simplest thing to do is push to the same branch in the fork, and change that branch to be the fork's default branch before running a pipeline.
Problem
The general approach of running on a fork has a couple of problems:
- The `danger-review` job requires a variable `DANGER_GITLAB_API_TOKEN`, which is normally inherited from the `gitlab-org` group. A personal fork needs to set it to the `CI_JOB_TOKEN` variable (or can ignore it if only testing default-branch builds, as the `danger-review` job only runs on non-default branches).
- The FIPS test jobs require FIPS-enabled runners, indicated by the `[dast-fips]` tag. A personal fork would have to create its own FIPS runners.
The `dast` project in particular is not friendly to running in a fork, for a few reasons:
- The default branch is hard-coded as "main" instead of using `$CI_DEFAULT_BRANCH`. This prevents the technique described above of changing the default branch in the fork to test default-branch pipelines.
- It requires the `GITLAB_API_TOKEN` pipeline variable to be set manually in the project instead of using the built-in `CI_JOB_TOKEN`.
- It requires the `GITLAB_PROJECT_ID` pipeline variable to be set manually in the project for the `zap-addons-up-to-date` job.
Proposal
- Create persistent forks of the DAST projects, to give access to FIPS-enabled runners and inherit the `DANGER_GITLAB_API_TOKEN` variable. This also reduces the chance of someone accidentally forking into a publicly visible project.
  - `dast-chromium`
  - `browserker`
  - `dast`
  - `dast-cwe-checks`
- Update the `dast` pipeline:
  - Use the `CI_DEFAULT_BRANCH` variable in place of hard-coded references to the "main" branch.
  - Replace uses of `GITLAB_API_TOKEN` with `CI_JOB_TOKEN`.
  - Dependent on the outcome of Fix or remove `zap-addons-up-to-date` job (#409739, closed): skip the `zap-addons-up-to-date` job if `GITLAB_PROJECT_ID` is not set and `CI_PROJECT_ID` is not the main `dast` project. This allows a fork to run the job when it needs to (for testing that specific job) by setting `GITLAB_PROJECT_ID`; otherwise the job is not run, and the fork's pipeline proceeds with potentially out-of-date code.
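As an added illustration of the three pipeline changes above (this is example config written for this issue, not the `dast` project's actual `.gitlab-ci.yml`), a `.gitlab-ci.yml` fragment with the hard-coded setting shown as a comment beside its fork-friendly replacement. The job name `publish-image`, the script bodies and the `DAST_UPSTREAM_PROJECT_ID` variable (assumed to hold the canonical `dast` project's numeric ID, defined as a CI/CD variable) are assumptions made for the example; only `zap-addons-up-to-date`, `GITLAB_PROJECT_ID`, `GITLAB_API_TOKEN` and the built-in `CI_*` variables come from the issue.

```yaml
# Added example, not the dast project's own .gitlab-ci.yml.
# Assumed names: publish-image, DAST_UPSTREAM_PROJECT_ID, the script bodies.

# 1. Default-branch gating: compare against $CI_DEFAULT_BRANCH instead of the
#    literal "main", so a fork can make any branch its default branch and
#    exercise the default-only jobs from that branch.
.default-branch-only:
  rules:
    # Before (never matches in a fork whose default branch is not "main"):
    # - if: '$CI_COMMIT_BRANCH == "main"'
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'

publish-image:   # assumed job name for a default-only job
  extends: .default-branch-only
  # 2. API access through the built-in job token rather than a manually
  #    configured GITLAB_API_TOKEN. CI_JOB_TOKEN is minted per job and needs no
  #    per-fork setup, but it is accepted only by endpoints that support job
  #    tokens, and cross-project use is governed by the job token allowlist.
  script:
    # Before: curl --header "PRIVATE-TOKEN: $GITLAB_API_TOKEN" ...
    - curl --fail --silent --header "JOB-TOKEN: $CI_JOB_TOKEN"
        "$CI_API_V4_URL/projects/$CI_PROJECT_ID/releases"

# 3. zap-addons-up-to-date: run in the canonical project (falling back to the
#    built-in CI_PROJECT_ID) or in a fork that opts in by setting
#    GITLAB_PROJECT_ID; skip silently everywhere else instead of failing.
zap-addons-up-to-date:
  rules:
    # Canonical project: DAST_UPSTREAM_PROJECT_ID is assumed to be a CI/CD
    # variable holding its numeric project ID. If it is undefined the
    # comparison is false and the rule falls through.
    - if: '$CI_PROJECT_ID == $DAST_UPSTREAM_PROJECT_ID'
    # A fork opts in explicitly; "$VAR" alone is true when set and non-empty.
    - if: '$GITLAB_PROJECT_ID'
    # Any other fork: job is not created, pipeline continues.
    - when: never
  script:
    # Assumed script; the project ID falls back to the built-in value so the
    # canonical project no longer needs GITLAB_PROJECT_ID set by hand.
    - ./scripts/check-zap-addons.sh "${GITLAB_PROJECT_ID:-$CI_PROJECT_ID}"
```

Rule order matters: `rules` stop at the first match, so the canonical-project check must precede the opt-in check, and the trailing `when: never` makes the skip explicit rather than relying on the no-match default. One caveat when swapping `GITLAB_API_TOKEN` for `CI_JOB_TOKEN`: the job token is not a drop-in replacement for a personal access token, because only a subset of the API accepts it, so each call the pipeline makes should be checked against the endpoints that support job-token authentication before the old variable is removed.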