Secret Push Protection testing - push rule not invoked when not pushed from user's remote
From Slack conversation:
We'd like to ideally set up E2E testing for all workflows that may invoke Secret Push Protection via a push rule (https://docs.gitlab.com/ee/user/project/repository/push_rules.html), such as Merge Trains, syncing repositories, etc.
Secret Push Protection should only be invoked when code is pushed from a user's machine to a remote repo. We're looking to disable this for all other workflows, but we're not quite sure on how many others might be in scope of this change.
So the E2E tests that we'd look for would effectively:
- Run the workflow
- Ensure SPP is not invoked as one of the push rules.
- Fail the test if it does.
The current E2E test checks that a push from a user's machine catches a secret (note the secret is lightly obfuscated in the test code): https://gitlab.com/gitlab-org/gitlab/-/blob/master/qa/qa/specs/features/ee/browser_ui/13_secure/secret_push_protection_spec.rb#L15
cc @amarpatel