[backend] Inject pipeline execution policy jobs into pipelines
We are adding a new policy type Pipeline execution policy to enforce custom CI jobs on projects. More details in &13266.
The schema for the new type will be added in #452379 (closed)
The new policy can inject jobs into project pipelines.
Workflow rules can control whether the pipeline execution policy jobs should run. To make this work we have to evaluate the project CI workflow rules and the pipeline execution policy workflow rules separately and make sure that:
- If both the pipeline execution policy workflow rules and the project CI workflow rules pass, inject the policy jobs into the pipeline and run it.
- If the pipeline execution policy workflow rules don't pass, continue with only the project CI jobs.
- If the pipeline execution policy workflow rules pass but the project CI workflow rules don't pass, continue with only the pipeline execution policy jobs.
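The three cases above, modelled as an added example in Ruby (the language GitLab is written in). This is not GitLab's code and does not mirror its pipeline creation chain; `WorkflowRule`, `workflow_passes?`, `build_pipeline_jobs` and `jobs_for` are hypothetical names, the project `workflow:rules`, job names and CI variable values are constructed for the example, and the `rules:if` evaluator is a deliberate minimal subset (`==`, `!=`, `||`, `&&` on quoted strings). Two assumptions are made explicit in the code: rules that match nothing are treated as passing, which is the reading under which the issue's secret-detection policy (a single `when: never` rule) can ever let its jobs run, and the case where neither rule set passes (not stated in the issue) yields no pipeline.

```ruby
# Added example, not GitLab's code: models how pipeline execution policy jobs are
# merged into a project pipeline depending on the two sets of workflow rules.
# All names (WorkflowRule, workflow_passes?, build_pipeline_jobs, jobs_for) are hypothetical.

WorkflowRule = Struct.new(:if_expr, :when, keyword_init: true)

# Minimal stand-in for the `rules:if` expression syntax: `$VAR == "str"`,
# `$VAR != "str"`, joined by `||` and `&&` (no parentheses, no regex matches).
# Unset variables compare as nil, so `$UNSET != "x"` is true.
def evaluate_condition(expr, variables)
  expr.split('||').any? do |disjunct|
    disjunct.split('&&').all? do |term|
      m = term.strip.match(/\A\$(\w+)\s*(==|!=)\s*["']([^"']*)["']\z/)
      raise ArgumentError, "unsupported expression: #{term.strip}" unless m
      var, op, literal = m.captures
      op == '==' ? variables[var] == literal : variables[var] != literal
    end
  end
end

# First matching rule decides: `when: never` blocks the pipeline, anything else
# lets it run. A rule without `if` always matches. ASSUMPTION for this example:
# when no rule matches, the rules pass; the issue's secret-detection policy
# (a single `when: never` rule) only makes sense under that reading.
def workflow_passes?(rules, variables)
  rules.each do |rule|
    next unless rule.if_expr.nil? || evaluate_condition(rule.if_expr, variables)
    return rule.when != 'never'
  end
  true
end

# The three cases from the issue, plus the unstated fourth one.
def build_pipeline_jobs(project_jobs:, policy_jobs:, project_rules:, policy_rules:, variables:)
  policy_ok  = workflow_passes?(policy_rules, variables)
  project_ok = workflow_passes?(project_rules, variables)

  if policy_ok && project_ok
    project_jobs + policy_jobs      # inject policy jobs and run the full pipeline
  elsif project_ok
    project_jobs                    # policy rules fail: project CI only
  elsif policy_ok
    policy_jobs                     # project rules fail: policy jobs only
  else
    []                              # neither passes: no pipeline (assumed; not stated in the issue)
  end
end

# Policy rules from the issue's "Secret detection" example (the literal is quoted
# because the evaluator above only accepts quoted strings).
POLICY_RULES = [
  WorkflowRule.new(if_expr: '$CI_COMMIT_REF_PROTECTED == "false" || $CI_COMMIT_REF_NAME == "main"', when: 'never')
].freeze

# Constructed project `workflow:rules`: run for merge requests and main only.
# The trailing catch-all is explicit so the example does not rely on defaults.
PROJECT_RULES = [
  WorkflowRule.new(if_expr: '$CI_PIPELINE_SOURCE == "merge_request_event"', when: 'always'),
  WorkflowRule.new(if_expr: '$CI_COMMIT_REF_NAME == "main"', when: 'always'),
  WorkflowRule.new(if_expr: nil, when: 'never')
].freeze

PROJECT_JOBS = %w[build test].freeze
POLICY_JOBS  = %w[secret_detection].freeze

# Decide the job list for a set of predefined CI variables
# (constructed sample values, not taken from a real pipeline).
def jobs_for(variables)
  build_pipeline_jobs(project_jobs: PROJECT_JOBS, policy_jobs: POLICY_JOBS,
                      project_rules: PROJECT_RULES, policy_rules: POLICY_RULES,
                      variables: variables)
end

if __FILE__ == $PROGRAM_NAME
  {
    'push to protected release branch'   => { 'CI_COMMIT_REF_PROTECTED' => 'true',  'CI_COMMIT_REF_NAME' => 'release/1.0', 'CI_PIPELINE_SOURCE' => 'push' },
    'push to main'                       => { 'CI_COMMIT_REF_PROTECTED' => 'true',  'CI_COMMIT_REF_NAME' => 'main',        'CI_PIPELINE_SOURCE' => 'push' },
    'merge request on protected branch'  => { 'CI_COMMIT_REF_PROTECTED' => 'true',  'CI_COMMIT_REF_NAME' => 'release/2.0', 'CI_PIPELINE_SOURCE' => 'merge_request_event' },
    'push to unprotected feature branch' => { 'CI_COMMIT_REF_PROTECTED' => 'false', 'CI_COMMIT_REF_NAME' => 'feature/x',   'CI_PIPELINE_SOURCE' => 'push' }
  }.each { |label, vars| puts "#{label}: #{jobs_for(vars).inspect}" }
end
```

Running the file prints one line per scenario: the protected release branch gets only `secret_detection` (policy rules pass, project rules fail), `main` gets only `build` and `test` (the policy rule excludes `main`), the merge request gets all three, and the unprotected feature branch gets no jobs at all. Note that the two rule sets are evaluated independently against the same variables; neither one can see or override the other's verdict.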
Schema examples:
Secret detection:
```yaml
name: "Secret detection"
description: "triggers all protected branches except main"
enabled: true
override_project_ci: true
content:
  workflow:
    rules:
      - if: $CI_COMMIT_REF_PROTECTED == false || $CI_COMMIT_REF_NAME == 'main'
        when: never
  include:
    - template: Jobs/Secret-Detection.gitlab-ci.yml
```
Using a config file:
```yaml
name: "Ci config file"
description: "triggers all protected branches except main"
enabled: true
override_project_ci: true
content:
  include:
    project: pipeline-execution-policy/security-policy-project
    file: ci.yml
```
Implementation plan
We want to enforce the policy as part of the pipeline create sequence. This was discussed in a pairing session: https://www.youtube.com/watch?v=p0JL-xrgWy0
The feature should be added behind a feature flag and the pipeline execution experiment (project.group.namespace_settings.toggle_security_policy_custom_ci?