Compliance pipeline jobs don't run in a specific situation due to GitLab only checking the project's pipeline configuration

Summary

With these conditions:

  • A required compliance pipeline configuration that has jobs that can run in branch pipelines.
  • A code project pipeline configuration that only has jobs that run in MR pipelines (without setting workflow:rules).

From my tests, it looks like when GitLab reads the code project YAML to run a pipeline and tries to run a branch pipeline, it determines that no jobs are configured to run in that context in the code project (because all the jobs in the code project configuration are set to run in MRs).

So it would seem that GitLab does not take into account the compliance pipeline configuration when it performs that check.

Steps to reproduce

  • Create a new group called toplevelgroup.
  • Create a new project called compliance under this group.
  • Inside this project, create a .gitlab-ci.yml with the contents:
include:
  - project: '$CI_PROJECT_PATH'
    ref: '$CI_COMMIT_BRANCH$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME$CI_COMMIT_TAG'
    file: '$CI_CONFIG_PATH'

compliance_job:
  stage: .pre
  script:
    - echo 'This is the compliance job...1'
  rules:
    - when: always
  • Navigate to the toplevelgroup group Settings -> General -> Compliance frameworks
  • Add a new compliance framework with any name. (Let's call ours compliance)
    • For the path to a compliance pipeline, point it to the .gitlab-ci.yml we created earlier. For example, .gitlab-ci.yml@toplevelgroup/compliance
  • Create a new project called code under the toplevelgroup group.
  • Navigate to the code project's Settings -> General -> Compliance framework. Select the compliance framework we created.
  • Inside this project, create a .gitlab-ci.yml with the contents:
job_one:
  stage: build
  script:
    - echo 'This is the build job'
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
  • Note that no branch pipeline gets created after committing the .gitlab-ci.yml (we would expect a pipeline to run the compliance_job in the .pre stage).
  • Attempt to run a manual pipeline on the branch. We see this error:
Pipeline cannot be run.
Pipeline will not run for the selected trigger. The rules configuration prevented any jobs from being added to the pipeline.
  • Attempt to create a new MR in the code project.
  • Notice a pipeline will now run with two jobs, compliance_job in the .pre stage, and job_one in the build stage.

What is the current bug behavior?

When GitLab checks the pipeline configuration, it doesn't take into account the jobs in the compliance pipeline.

What is the expected correct behavior?

When GitLab checks the pipeline configuration, it takes into account the jobs in the compliance pipeline.

Output of checks

This bug happens on GitLab.com - GitLab Enterprise Edition 16.0.0-pre d170b157. I also managed to reproduce this on a test instance running 15.11.2-ee.
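
Added example, not part of the original report and not GitLab's code: an audit check that flags a project configuration matching the conditions above, so that projects whose compliance jobs would be skipped on branch pipelines can be found. It is a simplified model of rules evaluation (only `$VAR == 'x'` / `$VAR != 'x'` clauses); the function names are hypothetical and the configurations are assumed to be already parsed from YAML into dicts.

```python
import re

# Top-level keys that are not jobs (subset sufficient for this check).
RESERVED = {"include", "stages", "variables", "workflow", "default"}
# Only `$VAR == 'x'` and `$VAR != 'x'` clauses are modelled.
CLAUSE = re.compile(r"^\s*\$(\w+)\s*(==|!=)\s*(['\"])(.*?)\3\s*$")

def rule_matches(rule, variables):
    cond = rule.get("if")
    if cond is None:
        return True  # a rule without `if:` always matches
    m = CLAUSE.match(cond)
    if not m:
        raise ValueError(f"unsupported rules:if expression: {cond!r}")
    name, op, _quote, literal = m.groups()
    equal = variables.get(name, "") == literal
    return equal if op == "==" else not equal

def job_is_added(job, variables):
    rules = job.get("rules")
    if rules is None:
        # Jobs without rules run in branch pipelines, not in MR pipelines.
        return variables.get("CI_PIPELINE_SOURCE") != "merge_request_event"
    for rule in rules:  # the first matching rule decides
        if rule_matches(rule, variables):
            return rule.get("when", "on_success") != "never"
    return False

def jobs_added(config, variables):
    return sorted(name for name, body in config.items()
                  if name not in RESERVED and not name.startswith(".")
                  and isinstance(body, dict) and job_is_added(body, variables))

def compliance_skipped(project_cfg, compliance_cfg, variables):
    """True when the project config alone yields no jobs for this trigger
    although the compliance config has jobs that would run."""
    if "workflow" in project_cfg:  # the report's conditions exclude workflow:rules
        return False
    return (not jobs_added(project_cfg, variables)
            and bool(jobs_added(compliance_cfg, variables)))

# Constructed inputs: the two configs from the steps to reproduce (script/ref omitted).
COMPLIANCE = {"include": [{"project": "$CI_PROJECT_PATH", "file": "$CI_CONFIG_PATH"}],
              "compliance_job": {"stage": ".pre", "rules": [{"when": "always"}]}}
CODE = {"job_one": {"stage": "build", "rules": [
    {"if": "$CI_PIPELINE_SOURCE == 'merge_request_event'"}]}}

if __name__ == "__main__":
    for source in ("push", "web", "merge_request_event"):
        print(source, compliance_skipped(CODE, COMPLIANCE, {"CI_PIPELINE_SOURCE": source}))
```

The `push` and `web` sources correspond to the branch commit and the manual pipeline in the steps to reproduce; both are flagged, while the merge request source is not.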