New pipeline is created for merge requests containing only manual steps

Summary

The bug occurs on gitlab.com and self-hosted v. 16.11ee: (edit: probably not introduced in 16.11)

Normally, when a merge request is created in a branch with a pipeline that doesn't have any special "merge request" jobs, the merge request shows the link to the latest commit pipeline, and wait for this to complete successfully before merging was allowed. This is the case when there are no manual steps, or when the "when:manual" clause is not under "rules". However, if there is a "when:manual" clause under "rules", then this manual step becomes the whole merge request-pipeline. If the manual step is not mandatory, this allows the merge request to be merged right away, even if the commit pipeline has failed.

Steps to reproduce

Create a new project
Create a new branch in the project
Add a .gitlab-ci.yml file with two jobs, one automatic and one manual. Let the automatic job fail
Create a merge request

Required .gitlab-ci.yml:

stages:          # List of stages for jobs, and their order of execution
  - test
  - deploy


unit-test-job:   # This job runs in the test stage.
  stage: test    # It only starts when the job in the build stage completes successfully.
  script:
    - echo "Running unit tests... This will fail"
    - "false"


deploy-job:      # This job runs in the deploy stage.
  stage: deploy  # It only runs when *both* jobs in the test stage complete successfully.
  environment: production
  script:
    - echo "Deploying application..."
    - echo "Application successfully deployed."
  rules:
    - when: manual
      allow_failure: true

Example Project

oyvindlr/merge-request-bug!1

What is the current bug behavior?

In the merge request, you will now see "pipeline skipped". A new pipleline for the merge request has been created, containing only the manual step. This pipeline "succeeded" since it only has one manual step and that step allows failure. If you don't allow failure, the same thing happens except that the merge request says "waiting for manual action".

You are allowed to merge the branch into main immediately, even though the commit pipeline failed.

Note also that this only happens if "when: manual" is under "rules", not if it is under the job top level.

What is the expected correct behavior?

The commit pipeline should act as the merge-request pipeline. This correct behaviour occurs if you use "when: manual" under the top level of the job rather than under "rules"

Relevant logs and/or screenshots

Output of checks

This bug happens on GitLab.com

Edited May 07, 2024 by Øyvind Rørtveit