Allow security reports to be read for pipelines blocked by manual jobs
Aim
This issue aims to solve the following case, mentioned in #346843 (closed):
- A pipeline has a manual job that must complete for the entire pipeline to be considered complete.

We want to address the manual-job blockage scenario first, based on the discussion in #346843 (comment 1729865302):
Sam: I believe we could greatly simplify this issue if we read security reports for pipelines that are only blocked/incomplete due to manual jobs that have not been run yet. As far as I can tell, that would solve for 95%+ of the user pain points here. If we try to read all blocked/incomplete reports, I could see that causing other problems...
Temporary workaround
As a temporary solution, we can suggest that customers run the security scans in a child pipeline if they want to see the results before completing a manual job. Update: the MR widget does not work if security reports are running in child pipelines, so this workaround is not recommended. See: #439700
See: #346843 (comment 1749240812)
Implementation
Proposal
- Include the `:manual` state in the pipeline states for which the security report ingestion logic runs. Similar to !142351 (diffs).
- During the manual -> success/fail pipeline state transition, skip security report re-ingestion by checking the security jobs using the deduplication relay. See: #346843 (comment 1749240812)
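The ingestion rule proposed above, as an added illustrative model in Ruby (not GitLab's code): reports are read once the pipeline reaches the `:manual` (blocked) state, and the later manual -> success/failed transition does not re-ingest jobs already seen. The names `INGESTIBLE_STATES`, `Pipeline`, `SecurityReportIngestion` and the `Set` of ingested job ids standing in for the deduplication relay are assumptions for this example.

```ruby
# Added illustrative model of the proposed ingestion rule; not GitLab's code.
# The Set of already-ingested security job ids is a stand-in (assumption)
# for the deduplication relay the issue refers to.
require 'set'

# Pipeline states in which security reports are read. The proposal adds
# :manual (pipeline blocked on a manual job) to the usual terminal states.
INGESTIBLE_STATES = %i[success failed manual].freeze

# Constructed minimal pipeline record: id, status, ids of its security jobs.
Pipeline = Struct.new(:id, :status, :security_job_ids)

class SecurityReportIngestion
  attr_reader :ingestions # audit trail of [pipeline id, job ids] actually ingested

  def initialize
    @ingested_jobs = Set.new # stand-in for the deduplication relay
    @ingestions = []
  end

  # Returns the job ids ingested for this call (empty when nothing was read).
  def ingest(pipeline)
    return [] unless INGESTIBLE_STATES.include?(pipeline.status)

    # Only jobs not seen before are read, so the manual -> success/failed
    # transition does not re-ingest reports already read while blocked.
    fresh = pipeline.security_job_ids.reject { |id| @ingested_jobs.include?(id) }
    return [] if fresh.empty?

    @ingested_jobs.merge(fresh)
    @ingestions << [pipeline.id, fresh]
    fresh
  end
end

# Constructed walk-through mirroring the verification scenario in this issue.
def walkthrough
  ingestion = SecurityReportIngestion.new
  blocked = Pipeline.new(1, :manual, [101, 102])   # scans done, manual job pending
  first = ingestion.ingest(blocked)                # [101, 102]: read while blocked
  running = Pipeline.new(1, :running, [101, 102])
  mid = ingestion.ingest(running)                  # []: not an ingestible state
  finished = Pipeline.new(1, :success, [101, 102]) # manual job was run afterwards
  second = ingestion.ingest(finished)              # []: skipped via deduplication
  other = Pipeline.new(2, :manual, [201, 202])     # a new pipeline on another branch
  third = ingestion.ingest(other)                  # [201, 202]: new jobs, ingested
  [first, mid, second, third, ingestion.ingestions]
end
```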
Verification Steps
Verification project: https://gitlab.com/gitlab-org/govern/threat-insights-demos/verification-projects/439691-reports-blocked-by-manual-jobs
- Can be set up by importing the verification project above.
- Run a pipeline on the main branch and wait for the pipeline to show the blocked status.
- Refresh the same pipeline page, then visit the Security tab; the vulnerabilities should be displayed.
- Create an MR from the branch branch-with-new-vulnerability, which is imported along with the project and introduces a new vulnerability (see: gitlab-org/govern/threat-insights-demos/verification-projects/439691-reports-blocked-by-manual-jobs!1).
- Run a new pipeline on the MR, wait for the pipeline state to change to blocked, then refresh the MR page; the MR security widget should show one new critical vulnerability detected.
See MR before and after screenshot images for reference.