PEPs cannot inject configuration into project pipelines
Problem to solve
With compliance pipelines, a user can inject configuration, jobs, variables, flow logic, workflow definitions and more. Compliance pipelines can be used as a decorator around all downstream pipelines for the purpose of enforcing common component usage.
By design PEPs cannot inject configuration into project pipelines, since PEP jobs run in their own context. The removal in version 18 means that this functionality will stop working on May 25, 2025.
Example
We create compliance framework 'A' that runs the following compliance pipeline:

```yaml
include:
  - project: mr-group/project/global-pipeline-templates # Include Pipeline Components
    ref: main
    file: 'Application.gitlab-ci.yml'
```
The included file sets a pipeline variable, IMAGE_REGISTRY.

We also want to run a PEP that runs the secret scanners, for example:

```yaml
include:
  - template: Jobs/Secret-Detection.latest.gitlab-ci.yml
```
If we apply BOTH the above compliance framework and the PEP to a project, we observe the following:
- All project jobs are duplicated
- PEP jobs do not run
If we apply only the PEP:
- PEP runs secret scans
- project pipeline runs but fails due to global var dependency
If we apply only the compliance framework:
- Global var is set
- pipeline runs normally
We want both the global var to be set as well as the secret scanners to run. Currently we accomplish this by including all in a compliance pipeline.
We cannot include the contents of compliance pipeline A in a PEP since the pipeline variable will not be readable.
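
A migration check for the failure mode described above (the project pipeline failing on a global variable dependency once only the PEP is applied), as an added example that is not part of the issue or of GitLab's code. It lists variables a project's CI file references but never defines; the sample `.gitlab-ci.yml`, the function names and the predefined-prefix list are assumptions, and variables set in project or group CI/CD settings are not visible to it.

```python
import re

# Assumption: names with these prefixes are GitLab predefined variables.
PREDEFINED_PREFIXES = ("CI_", "GITLAB_")
VAR_REF = re.compile(r"\$(?:\{([A-Za-z_]\w*)\}|([A-Za-z_]\w*))")
VAR_DEF = re.compile(r"^\s+([A-Za-z_]\w*):")

# Constructed sample project pipeline that relies on IMAGE_REGISTRY
# being injected by the compliance pipeline, as in the issue.
PROJECT_CI = """\
variables:
  APP_NAME: demo

build:
  image: $IMAGE_REGISTRY/builder:latest
  script:
    - echo "Building ${APP_NAME} for $CI_COMMIT_SHA"
    - docker push $IMAGE_REGISTRY/$APP_NAME
"""

def defined_variables(ci_yaml):
    """Names declared under any `variables:` mapping (global or per job)."""
    names, block_indent = set(), None
    for line in ci_yaml.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if block_indent is not None and indent > block_indent:
            match = VAR_DEF.match(line)
            if match:
                names.add(match.group(1))
            continue
        block_indent = indent if line.strip() == "variables:" else None
    return names

def referenced_variables(ci_yaml):
    """Names used as $VAR or ${VAR} outside of comments."""
    refs = set()
    for line in ci_yaml.splitlines():
        code = line.split(" #", 1)[0]
        if not code.lstrip().startswith("#"):
            refs.update(a or b for a, b in VAR_REF.findall(code))
    return refs

def externally_supplied(ci_yaml):
    """Variables the file uses but does not define or get from GitLab."""
    missing = referenced_variables(ci_yaml) - defined_variables(ci_yaml)
    return sorted(n for n in missing if not n.startswith(PREDEFINED_PREFIXES))

if __name__ == "__main__":
    print(externally_supplied(PROJECT_CI))
```

Shell-local variables used inside `script:` lines are reported too, so review the output before treating a name as a compliance-pipeline dependency.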