Notice: API Discovery will use branch pipelines by default

GitLab customers with an active subscriptions can reach out to GitLab Support when encountering unexpected problems with this change.

---

Deprecation Summary

In GitLab 18.0, we'll update the default behavior of the CI/CD template for API Discovery (API-Discovery.gitlab-ci.yml).

Before GitLab 18.0, this template configures jobs to run in merge request (MR) pipelines by default when an MR is open. Starting in GitLab 18.0, we'll align this template's behavior with the behavior of the Stable template editions for other AST scanners:

• By default, the template will run scan jobs in branch pipelines.
• You'll be able to set the CI/CD variable AST_ENABLE_MR_PIPELINES: true to use MR pipelines instead when an MR is open. The implementation of this new variable is tracked in issue 410880.

Notes:

1. This is the only breaking change for MR pipeline support in Sec templates (#410880 - closed).
2. API Discovery is a Beta feature.

Documentation

• Deprecation notice: !181047 (merged)
• Migration guidelines: See announcement and Breaking change? section below.

Product Usage

Describe why deprecation of this feature is necessary, ideally with dashboards/metrics that show product usage.

See #410880 (comment 2339958849). This is the least-friction path to resolve a longstanding customer complaint regarding the inability to run AST scanners in MR pipelines.

Breaking Change?

Does this deprecation contain a breaking change? Yes, but only for customers who 1. use API Discovery, 2. need that job to run in a branch pipeline.

If such customers need to keep API Discovery in MR pipelines, they should add the CI/CD variable AST_ENABLE_MR_PIPELINES: true to maintain the current behavior. Note that this variable can be added before 18.0.

Affected Customers

Who is affected by this deprecation: GitLab.com users, Self-managed users, or Dedicated users? (choose all that apply)

• GitLab.com
• Self-managed
• Dedicated

What pricing tiers are impacted?

• GitLab Free
• GitLab Premium
• GitLab Ultimate

• Internal note outlining details of customer impact has been created. #515487 (comment 2343120470)

Deprecation Milestone

This deprecation will be announced in milestone: 17.9

Planned Removal Milestone

The feature / functionality will be removed in milestone: 18.0

Links

Checklists

Timeline

Rollout Plan

• DRI Engineers: @gonzoyumo @mbenayoun

• DRI Engineering Manager: @twoodham

• Describe rollout plans on GitLab.com

  • During the breaking change window 1 of 18.0, the following changes will be applied:
    • the Dependency-Scanning.gitlab-ci.yml CI template will be updated to support MR pipelines
    • the SAST.gitlab-ci.yml CI template will be updated to support MR pipelines
    • the DAST.gitlab-ci.yml CI template will be updated to support MR pipelines
    • the Secret-Detection.gitlab-ci.yml CI template will be updated to support MR pipelines
    • the Container-Scanning.gitlab-ci.yml CI template will be updated to support MR pipelines
    • the Container-Scanning.branch.gitlab-ci.yml CI template will be added and will not support MR pipelines
    • the Auto-DevOps.gitlab-ci.yml CI template will be updated to:
      • replace the inclusion of Container-Scanning.gitlab-ci.yml with Container-Scanning.branch.gitlab-ci.yml
      • remove the inclusion of DAST.gitlab-ci.yml

• Determine how to migrate users still using the existing functionality

  • All GitLab.com customers will automatically migrate to use these changes start using it as soon as the deployement is done. There is no partial rollout for the CI template. There is no Feature Flag available for this change.
  • Self-managed and Dedicated customers will only be impacted when upgrading their instance to GitLab 18.0

• Document ways to migrate with the tooling available

  • There is no migration tooling available.

• Automate any users who have not yet migrated, but ensure it's a two-way door decision

  • Not applicable. Customers who have customized their CI configuration and have overridden the rules of the CI/CD jobs used by GitLab security feature may need to manually adjust it.

Communication Plan

• DRI Product Manager: @connorgilbert

An internal slack post and a release post are not sufficient notification for our customers or internal stakeholders. Plan to communicate proactively and directly with affected customers and the internal stakeholders supporting them.

Internal Communication Plan

• Create an internal note in the comment thread of this issue with a comprehensive narrative of customer impacts, with the intended audience of internal stakeholders who directly interact with customers.
  • Consider: what will the CSM / AE / SA teams need to tell their customers? What will they want to know about customer sentiment and impact?
  • If customers must take an action, include in this internal note the following information: what action is needed, the steps they can take to complete it, the due date for that action, and the consequences of not completing the action in time.
• Internal announcement plan (timeline for notifications, audience, channels, etc)
• Support and enablement plan
  • Support readiness: Document how the support team should handle tickets related to this deprecation / breaking change.
  • Customer Success readiness: Ensure the CS team knows how to bring questions or concerns from clients to the right internal team members.

External Communication Plan

• Customer announcement plan (timeline for notifications, audience, channels, etc)
• Ensure you have approvals from legal and corp comms for any communication being sent directly to customers.
• As soon as possible, but no later than the third milestone preceding the major release, ensure that the following are complete (for example, given the following release schedule: 17.8, 17.9, 17.10, 17.11, 18.0 – 17.9 is the third milestone preceding the major release).
  • A deprecation announcement entry has been created so the deprecation will appear in release posts and on the general deprecation page. Add link to the relevant merge request.
  • Documentation has been updated to mark the feature as deprecated. Add link to the relevant merge request.
• On the major milestone:
  • The deprecated item has been removed. Add link to the relevant merge request.
  • If the removal of the deprecated item is a breaking change, the merge request is labeled breaking change.
  • Document the migration plan for users, clearly outlining the actions they need to take to mitigate the impact of the breaking change.
    • Add link

Development

• DRI Engineers: @gonzoyumo @mbenayoun

• DRI Engineering Manager: @twoodham

• Measure usage of the impacted product feature

  • Evaluate metrics across GitLab.com, Self-Managed, Dedicated
  • add issue link
  • list any metrics and/or dashboards

• Create tooling for customers to manually migrate their data or workflows

  • add issue link

• Build mechanism for users to manually enable the breaking change ahead of time

  • add issue link

• Automate the migration for those who do not take any manual steps (ensure the automation can be reverted)

  • add issue link

• Develop rollout plan of breaking change on GitLab.com

  • add feature flag rollout issue

• Dogfood the changes on GitLab.com or a Self-Managed test instance

  • add issue link

• (Optional) Create UI controls for instance admins to disable the breaking change, providing flexibility to Self-Managed / Dedicated customers. Optional as this depends on the breaking change.

  • add issue link

Approvals

• Product Manager @connorgilbert
• Engineering Manager @EM
• Senior Engineering Manager / Director @twoodham
• Group / Director of Product Management @sarahwaldner
• Product / Eng Leaders in the CPO or CTO organizations, as applicable (optional - depends on scope of change)

Editorial comment

Keep in mind that approval check boxes and deprecations notices alone are not sufficient communication about breaking changes. Despite having approvals documented here, the PM/EM will still need to take active steps to partner with internal stakeholders and customers to ensure a positive user experience.

Stakeholder Mentions

• Product Designer - N/A
• Tech Writer @rdickenson
• Software Engineering in Test @willmeek
• Any other stable counterparts based on the product categories:
  • Add Sales/CS counterpart or mention @timtams
  • Add Support counterpart or mention @gitlab-com/support/managers
  • Add Marketing counterpart or mention @martin_klaus - @sladha
  • Add Corp comms if direct customer comms are needed @jmalleo
  • Add Product Security counterpart, if relevant to your deprecation
  • Mention (in internal note) Customer Success Managers / Acount Managers / Solutions Architects for impacted customers

Labels

• This issue is labeled deprecation, and with the relevant ~devops::, ~group::, and ~Category: labels.
• This issue is labeled breaking change if the removal of the deprecated item will be a breaking change.

References

• Deprecations, removals, and breaking changes
• Deprecation guidelines
• Deprecations and removals doc styleguide
• REST API Deprecations and REST API breaking changes.
• GraphQL Deprecations and GraphQL API breaking changes.
• GitLab release and maintenance policy
• Videos 📺
  • How to deprecate and remove features in GitLab releases
  • Review of GitLab deprecations and removals policy & Runner team deprecations and removals process