Compliance pipeline jobs don't run in a specific situation due to GitLab only checking the project's pipeline configuration
Summary
With these conditions:
- A required `compliance` pipeline configuration that has jobs that can run in branch pipelines.
- A `code` project pipeline configuration that only has jobs that run in MR pipelines (without setting `workflow:rules`).
From my tests, it looks like when GitLab reads the `code` project YAML to run a pipeline, and when it tries to run a branch pipeline, it determines that no jobs are configured to run in that context in the `code` project (because all the jobs in the `code` project configuration are to run in MRs).
So it would seem that GitLab does not take into account the `compliance` pipeline configuration when it performs that check.
Steps to reproduce
- Create a new group called `toplevelgroup`.
- Create new project called `compliance` under this group.
- Inside this project, create a `.gitlab-ci.yml` with the contents:

  ```yaml
  include:
    - project: '$CI_PROJECT_PATH'
      ref: '$CI_COMMIT_BRANCH$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME$CI_COMMIT_TAG'
      file: '$CI_CONFIG_PATH'

  compliance_job:
    stage: .pre
    script:
      - echo 'This is the compliance job...1'
    rules:
      - when: always
  ```
- Navigate to the `toplevelgroup` group Settings -> General -> Compliance frameworks.
- Add a new compliance framework with any name. (Let's call ours `compliance`.)
  - For the path to a compliance pipeline, point it to the `.gitlab-ci.yml` we created earlier. For example, `.gitlab-ci.yml@toplevelgroup/compliance`
- Create new project called `code` under the `toplevelgroup` group.
- Navigate to the `code` project's Settings -> General -> Compliance framework. Select our `compliance` framework we created.
- Inside this project, create a `.gitlab-ci.yml` with the contents:

  ```yaml
  job_one:
    stage: build
    script:
      - echo 'This is the build job'
    rules:
      - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
  ```
- Note that no branch pipeline gets created after committing the `.gitlab-ci.yml` (we would expect a pipeline to run the `compliance_job` in the `.pre` stage).
- Attempt to run a manual pipeline on the branch. We see this error:

  ```
  Pipeline cannot be run.
  Pipeline will not run for the selected trigger. The rules configuration prevented any jobs from being added to the pipeline.
  ```
- Attempt to create a new MR in the `code` project.
- Notice a pipeline will now run with two jobs, `compliance_job` in the `.pre` stage, and `job_one` in the build stage.
What is the current bug behavior?
When GitLab checks the pipeline configuration, it doesn't take into account the jobs in the compliance pipeline.
What is the expected correct behavior?
When GitLab checks the pipeline configuration, it takes into account the jobs in the compliance pipeline.
Output of checks
This bug happens on GitLab.com - GitLab Enterprise Edition 16.0.0-pre d170b157. I also managed to reproduce this on a test instance running 15.11.2-ee.
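
An added example, not part of the original issue and not GitLab's own code: a heuristic audit that flags a project `.gitlab-ci.yml` matching the condition reported above (no `workflow:rules`, every job restricted to merge request pipelines), so that projects whose compliance jobs would be skipped on branch pipelines can be found. The function names, the keyword list and the `MIXED_CI` sample are assumptions made for illustration.

```ruby
require 'yaml'

# Top-level .gitlab-ci.yml keywords that are not job definitions.
NON_JOB_KEYS = %w[include stages variables default workflow image services
                  before_script after_script cache].freeze
MR_EVENT = /\$CI_PIPELINE_SOURCE\s*==\s*['"]merge_request_event['"]/

# Heuristic: every rule requires a merge request pipeline (no "||" alternative).
def mr_only_job?(job)
  rules = job['rules']
  return false unless rules.is_a?(Array) && !rules.empty?
  rules.all? do |rule|
    cond = rule.is_a?(Hash) ? rule['if'].to_s : ''
    cond.match?(MR_EVENT) && !cond.include?('||')
  end
end

# True when the config matches the reported condition: no workflow:rules
# and no job that could run in a branch pipeline.
def branch_pipeline_gap?(yaml_text)
  config = YAML.safe_load(yaml_text) || {}
  workflow = config['workflow']
  return false if workflow.is_a?(Hash) && workflow['rules']
  jobs = config.select do |name, body|
    body.is_a?(Hash) && !NON_JOB_KEYS.include?(name.to_s) && !name.to_s.start_with?('.')
  end
  !jobs.empty? && jobs.values.all? { |job| mr_only_job?(job) }
end

# The code project's configuration from the reproduction steps.
CODE_PROJECT_CI = <<~'YAML'
  job_one:
    stage: build
    script:
      - echo 'This is the build job'
    rules:
      - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
YAML

# Constructed sample: one job has no rules, so branch pipelines are created.
MIXED_CI = <<~'YAML'
  job_one:
    rules:
      - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
    script: [echo build]
  lint:
    script: [echo lint]
YAML

puts branch_pipeline_gap?(CODE_PROJECT_CI)
puts branch_pipeline_gap?(MIXED_CI)
```

The check only reads the project's own file; configuration pulled in through `include:` is not resolved, so a flagged project should be confirmed by looking at its branch pipelines.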