Environment.action: prepare should require the same approvals that start requires
Release notes
Problem to solve
As a Release Manager, I want to make sure that no job can access the systems I control without the necessary approvals.
The environment.action CI attribute has 5 valid values:
- start (default)
- stop
- prepare
- access
- verify
We learned that prepare/access/verify are identical in terms of behaviour. At the same time, there are various requests asking for different behaviour in different use cases. We want to provide the following setup:
| require approval \ reset timer |
|
|
|---|---|---|
|
|
verify |
access |
|
|
prepare |
Proposal
Change the logic of prepare so that it will require the same approvals as start. There should be no need to approve both start and prepare separately. Approving either one should allow both.
As approvals are a GitLab Premium feature, prepare would be available in GitLab Premium only. This does not mean that we are changing its tier, as the same functionality will remain in GitLab Free with environment.action: access.
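Until prepare is gated, a release manager can list which jobs in a pipeline definition reach a protected environment through an action that skips approvals. The following Ruby script is an added example, not part of the issue or of GitLab's code. It assumes, as the issue implies, that prepare, access and verify jobs currently run without the approvals that start requires. The sample pipeline, job names and helper names are constructed for illustration.

```ruby
require "yaml"

# Actions the issue describes as behaving identically today.
# Assumption: none of them passes through the deployment approval gate.
UNGATED_ACTIONS = %w[prepare access verify].freeze
# Top-level CI keywords that are not jobs.
RESERVED = %w[default variables workflow include stages].freeze

# Returns [job_name, environment_name, action] for every job that targets one
# of the given protected environments with an ungated action.
# Limitation: `extends` and `include` are not resolved.
def ungated_environment_jobs(ci_yaml, protected_envs)
  config = YAML.safe_load(ci_yaml, aliases: true) || {}
  config.each_with_object([]) do |(job_name, job), findings|
    next if RESERVED.include?(job_name)
    next unless job.is_a?(Hash) && job.key?("environment")
    env = job["environment"]
    # `environment: production` names the environment only; action defaults to start.
    name, action = env.is_a?(Hash) ? [env["name"], env.fetch("action", "start")] : [env, "start"]
    next unless protected_envs.include?(name) && UNGATED_ACTIONS.include?(action)
    findings << [job_name, name, action]
  end
end

# Constructed sample pipeline (not taken from the issue).
SAMPLE_CI = <<~YAML
  stages: [build, deploy]
  warm_cache:
    stage: build
    script: ./warm-cache.sh
    environment: { name: production, action: prepare }
  smoke_test:
    stage: deploy
    script: ./smoke.sh
    environment: { name: production, action: verify }
  deploy:
    stage: deploy
    script: ./deploy.sh
    environment: production
  staging_prepare:
    stage: build
    script: ./prep.sh
    environment: { name: staging, action: prepare }
YAML

if __FILE__ == $PROGRAM_NAME
  ungated_environment_jobs(SAMPLE_CI, ["production"]).each do |job, env, action|
    puts "#{job}: reaches #{env} with action #{action} (no approval gate)"
  end
end
```

Run it against the fully merged configuration so that jobs inheriting an environment through extends or include are also covered.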
Design proposal
Implementation plan
- Modify ProtectedEnvironments::ApprovalRule database table. Remove NOT NULL on deployment_id and add a new column to link the job (with relevant indexes/constraints). And update Deployments::Approval model. (See #437132 (comment 2389658760))
- Update prepare jobs to require approvals, same as start jobs.
- Fill in the deployment ID once it is created.
- Mark the job to be approved once either start or prepare job was approved.
- Return a list of jobs that need an approval through GraphQL for frontend use. We would need to add a new GraphQL query for this, and it could be tricky. (See #437132 (comment 2391683450))
- Create a new tab - "Pending approvals" on the environment show page
- Use the new resolver to get data
- Render the data similarly to how it's done on the "Deployment history" tab
Intended users
Feature Usage Metrics
- MAU of environment.action: prepare jobs
Does this feature require an audit event?
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
