Policy bot comment not posted when latest pipeline has no artifacts but a related pipeline does

Summary

When the latest pipeline for a merge request produces no security artifacts, we call UnenforceablePolicyRulesPipelineNotificationWorker to finalize the policy evaluation (mark scan_result_policy_violations as failed, or as warn in the fail_open case).

To determine whether a pipeline has no security artifacts, we also pull in related pipelines for the given ref (based on merge_request.target_branch).

If the merge request pipeline has no artifacts but a previous branch pipeline does, this leads to unexpected behavior:

  • The branch pipeline finishes before the MR is created
  • The MR is created, and the policy requires artifacts for it
  • The MR pipeline finishes; we skip the approvals update because it has no artifacts
  • We also exit early in UnenforceablePolicyRulesNotificationService
  • As a result, the policy evaluation is never finalized, leaving merge_request.scan_result_policy_violations in the running state
  • As a result, no bot comment is posted, so the customer has no explanation of why the approvals are required

See more context in https://gitlab.com/gitlab-com/request-for-help/-/issues/2252#note_2344752969.
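The following is an added illustrative model of the decision described in the summary; it is not GitLab's code. The Pipeline struct, the PolicyEvaluation module and the :running/:failed/:warn/:passed states are assumptions chosen to mirror the report's wording. It contrasts the early-exit path that leaves the violations running against the expected outcome, using the reproduction scenario from this issue as constructed input.

```ruby
# Illustrative model of the policy-evaluation decision (assumed names, not GitLab's code).
Pipeline = Struct.new(:id, :source, :artifacts, keyword_init: true) do
  # true when the pipeline produced at least one security report artifact
  def security_artifacts?
    !artifacts.empty?
  end
end

module PolicyEvaluation
  # Behaviour as the report describes it: approvals are decided from the
  # latest MR pipeline alone, but the "no artifacts" check also looks at
  # related pipelines for the ref. When those two views disagree, the
  # evaluation exits early and is never finalized.
  def self.current(latest, related, fail_open: false)
    if latest.security_artifacts?
      # scanners ran on the MR pipeline; findings themselves are out of scope here
      return { violations: :passed, approvals_required: false, bot_comment: false }
    end

    if related.any?(&:security_artifacts?)
      # early exit in the notification service: violations stay :running,
      # approvals stay required and no comment explains why
      return { violations: :running, approvals_required: true, bot_comment: false }
    end

    finalize_missing_scanners(fail_open)
  end

  # Expected behaviour from the report: treat the scanners as having run if
  # any pipeline for the ref (latest or related) carries artifacts; otherwise
  # finalize the violations and post the explanatory comment.
  def self.expected(latest, related, fail_open: false)
    if ([latest] + related).any?(&:security_artifacts?)
      return { violations: :passed, approvals_required: false, bot_comment: false }
    end

    finalize_missing_scanners(fail_open)
  end

  # Missing scanners: mark violations failed (or warn under fail_open) and
  # post the bot comment so the required approvals are explained.
  def self.finalize_missing_scanners(fail_open)
    { violations: fail_open ? :warn : :failed, approvals_required: true, bot_comment: true }
  end
  private_class_method :finalize_missing_scanners
end

# Constructed reproduction scenario: the branch pipeline ran secret detection
# before the MR existed; the MR pipeline for the same commit ran only the
# project job and therefore has no security artifacts.
BRANCH_PIPELINE = Pipeline.new(id: 1, source: :push, artifacts: %w[secret_detection])
MR_PIPELINE     = Pipeline.new(id: 2, source: :merge_request_event, artifacts: [])

# Returns both outcomes for the scenario so they can be compared side by side.
def reproduce
  {
    current:  PolicyEvaluation.current(MR_PIPELINE, [BRANCH_PIPELINE]),
    expected: PolicyEvaluation.expected(MR_PIPELINE, [BRANCH_PIPELINE])
  }
end

if __FILE__ == $PROGRAM_NAME
  reproduce.each { |label, result| puts "#{label}: #{result}" }
end
```

Running the script prints the current outcome (violations :running, approvals required, no comment) next to the expected one (violations :passed, no approvals required); with no related pipeline carrying artifacts both paths agree and finalize the violations as failed, or warn under fail_open.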

Steps to reproduce

  1. Create a project
  2. Add .gitlab-ci.yml:
    workflow:
      rules:
        - if: $CI_PIPELINE_SOURCE == "merge_request_event"
        - if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS
          when: never
        - if: $CI_COMMIT_BRANCH
    
    include:
      - template: 'Jobs/Secret-Detection.gitlab-ci.yml'
    
    project-job:
      stage: test
      script: echo "Project job"
  3. Create an approval policy for secret detection
  4. Push a commit that updates README.md, wait until the branch pipeline for that commit finishes, then open an MR for it.
  5. Observe that approvals are required, secret_detection ran on the branch pipeline, and no bot comment is posted.

What is the current bug behavior?

Policy approvals are required, but no policy bot comment is created.

What is the expected correct behavior?

If the approvals are required due to missing scanners, the policy bot comment should be created and merge_request.scan_result_policy_violations should be updated to failed.

If the scanners ran, the approvals shouldn't be required and no bot comment should be posted.

Verification steps

  1. Follow the "Steps to reproduce", but verify that approvals are not required, since secret_detection ran on the branch pipeline.