Renaming of group which PEP CI file refers to leads to 500 errors when loading policies

Summary

When a pipeline execution policy file refers to a non-existent path because a group was renamed, policies fail to load with error 500.

A workaround is to edit the policy.yml directly and fix the paths in content -> include -> file.

Steps to reproduce

Example Project

https://gitlab.com/gitlab-org/security-risk-management/security-policies/team-member-environment/martins-test-group/pipeline-execution-policies/workflow-rules/-/security/policies

What is the current bug behavior?

No pipeline execution policies are loaded in the policy list.

What is the expected correct behavior?

Show the policy in question as invalid instead of failing to load all policies.

Relevant logs and/or screenshots

image

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info

Expand for output related to GitLab environment info

(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:env:info`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)

Results of GitLab application Check

Expand for output related to the GitLab application check

(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:check SANITIZE=true`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`)

(we will only investigate if the tests are passing)

Possible fixes

  1. Configure the connection with an ID by default in UI/YAML.
diff --git a/ee/app/graphql/resolvers/concerns/construct_security_policies.rb b/ee/app/graphql/resolvers/concerns/construct_security_policies.rb
index 1169484db29d..7faefde6b664 100644
--- a/ee/app/graphql/resolvers/concerns/construct_security_policies.rb
+++ b/ee/app/graphql/resolvers/concerns/construct_security_policies.rb
@@ -124,10 +124,16 @@ def edit_path(policy, type)
   end
 
   def policy_blob_file_path(policy)
-    content_include = policy.dig(:content, :include, 0)
-    project = Project.find_by_full_path(content_include[:project])
+    project = pipeline_execution_policy_content_project(policy)
+    return "" unless project
+
     file = content_include[:file]
     ref = content_include[:ref] || project.default_branch_or_main
     Gitlab::Routing.url_helpers.project_blob_path(project, File.join(ref, file))
   end
+
+  def pipeline_execution_policy_content_project(policy)
+    content_include = policy.dig(:content, :include, 0)
+    Project.find_by_full_path(content_include[:project])
+  end
 end
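Review bot: In `policy_blob_file_path`, `content_include` is no longer assigned in the visible lines once its `policy.dig(:content, :include, 0)` assignment moves into `pipeline_execution_policy_content_project`, yet `file = content_include[:file]` and the `ref` line below still read it, so the method would raise whenever the project is found. Keep the `dig` in `policy_blob_file_path` and pass `content_include` to the helper, or have the helper return the include entry together with the project. The new helper also calls `content_include[:project]` with no nil guard, so a policy without a `content.include` entry would still raise there; an early `return unless content_include` would cover it. Since the issue asks for the affected policy to be shown as invalid, returning `""` alone leaves the caller with no signal that the reference is broken, so a comment or a separate flag for that case would help.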
  2. Warn users if policy config file becomes disconnected (resulting in failing policies).

  3. Continue to support the path to ensure continuity for migration from compliance pipelines.

Edited by Grant Hickman