Spike: Investigate Optional Control of Variables in Pipeline Execution Policies
Time-window: 5 days
Description
This spike aims to explore the feasibility and potential implementation of optional control over variables when pipeline execution policies (PEP) are enforced. The goal is to address the current limitations and provide more flexibility for users while maintaining security and compliance requirements.
Objectives
- Analyze the current behavior of variable precedence in PEP-enforced pipelines.
- Investigate the impact on different types of variables (global, job-level, CI/CD settings, scheduled pipelines, etc.).
- Explore potential solutions for allowing granular control over variable precedence.
- Consider the implications for existing compliance pipeline users migrating to PEP.
Implications
- Identify use cases where the current behavior causes issues (e.g., overriding CI/CD variables, scheduled pipeline variables).
- Research possible implementation approaches for:
  a. Global deny list for variables that should not be overridden.
  b. Per-job control of variable locking and precedence.
  c. Allowing specific variables to be modified while enforcing others.
- Evaluate the impact of proposed changes on existing PEP functionality and user experience.
- Consider security implications of allowing variable modifications in policy-enforced pipelines.
Expected Outcomes
- A brief summary of the current variable precedence behavior in PEP-enforced pipelines.
- A list of potential risks associated with implementing optional control of variables.
- A Merge Request (MR) containing a Proof of Concept (PoC) demonstrating the proposed solution.
- A detailed comment in the MR summarizing:
  - Proposed changes (high-level architecture changes)
  - Potential YAML syntax for defining variable control in Pipeline Execution Policy YAML
  - Recommendations and next steps
- An implementation roadmap
- An initial discussion thread with the Verify team to gather feedback and align on the proposed approach.
This spike will help us understand the technical feasibility and potential approaches for implementing optional control of variables in pipeline execution policies, addressing the needs of users migrating from compliance pipelines and providing more flexibility in variable management while maintaining security and compliance requirements.
Edited by Alan (Maciej) Paruszewski