.pre/.post jobs should be optionally allowed in empty pipelines
Problem to solve
In #198518 (closed), the ability to run .pre/.post jobs in empty pipelines was removed. However, there are legitimate use cases for leveraging the hidden .pre/.post stages when no pipeline exists.
For example, as a GitLab Ultimate Customer leveraging Compliance Frameworks, I have certain compliance jobs I want to inject that check things like MR Approvals, Protected Branch Settings, etc., and will lock projects down if a compliance violation occurs in order to prevent malicious activity in the repository.
Some of our teams do not leverage GitLab CI/CD and MANY of them do. Thus, I need a common way to apply compliance jobs independent of whether a team has CI/CD pipelines or not, and what their stage structure looks like.
Proposal
Re-introduce the ability to run .pre and/or .post jobs even if other pipeline jobs don't exist. This could potentially be gated by a rule to define that the pre/post job should run regardless of whether other jobs/stages exist.
compliance-job:
  stage: .pre
  script:
    - do some compliance stuff
  rules:
    - if: "$CI_EMPTY_PIPELINE == 'true' || $CI_EMPTY_PIPELINE == 'false'"
      # If the pipeline is empty, this will evaluate to true and we can run this job anyway.
      # By default CI_EMPTY_PIPELINE can always be when: never in order to prevent a breaking behavior.
      when: always
Intended users
Any users leveraging .pre/.post jobs. This is specifically more useful for injection of compliance jobs as part of a compliance framework.
Feature Usage Metrics
Does this feature require an audit event?
No
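An added example, not part of the original issue and not GitLab's code: a sketch of what the `script:` step of such a compliance job could run to check protected branch and MR approval settings. It assumes the JSON has already been fetched from GitLab's protected branches and project-level merge request approvals API endpoints; the function names, policy thresholds and sample data are assumptions constructed for illustration.

```python
"""Policy checks a compliance job's script could run (added example).

Inputs follow the JSON shape of GitLab's protected branches and
project-level merge request approvals APIs; sample data is constructed.
"""
MAINTAINER = 40  # GitLab access level number for the Maintainer role


def check_protected_branch(branches, name="main"):
    """Return violations for the protected-branch entry named `name`."""
    # Assumption: exact-name match only; wildcard entries are not resolved.
    entry = next((b for b in branches if b.get("name") == name), None)
    if entry is None:
        return [f"{name}: branch is not protected"]
    found = []
    if entry.get("allow_force_push"):
        found.append(f"{name}: force push is allowed")
    for rule in entry.get("push_access_levels", []):
        level = rule.get("access_level")  # may be None for user- or group-specific rules
        if level is not None and 0 < level < MAINTAINER:  # 0 means "No one"
            found.append(f"{name}: push allowed below Maintainer (level {level})")
    return found


def check_approval_settings(settings):
    """Return violations in project-level merge request approval settings."""
    found = []
    if settings.get("merge_requests_author_approval"):
        found.append("approvals: authors can approve their own merge requests")
    if not settings.get("reset_approvals_on_push"):
        found.append("approvals: existing approvals survive new pushes")
    if not settings.get("disable_overriding_approvers_per_merge_request"):
        found.append("approvals: rules can be overridden per merge request")
    return found


def evaluate(branches, settings, branch="main"):
    return check_protected_branch(branches, branch) + check_approval_settings(settings)


# Constructed sample responses (not taken from a real project).
SAMPLE_BRANCHES = [{"name": "main", "allow_force_push": True,
                    "push_access_levels": [{"access_level": 30}]}]
SAMPLE_APPROVALS = {"merge_requests_author_approval": True,
                    "reset_approvals_on_push": True,
                    "disable_overriding_approvers_per_merge_request": True}

if __name__ == "__main__":
    violations = evaluate(SAMPLE_BRANCHES, SAMPLE_APPROVALS)
    for item in violations:
        print("VIOLATION:", item)
    raise SystemExit(1 if violations else 0)  # non-zero exit fails the CI job
```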