exists: condition in Pipeline Execution Policy include: rules not working as expected

Summary

The exists: condition in the include: rules of a Pipeline Execution Policy (PEP) is not functioning correctly. It appears to always evaluate to false, even when the specified file exists in the target project.

Steps to reproduce

  1. Create a Pipeline Execution Policy using the override_project_ci strategy, referencing a CI config with include:. For example, include the project CI:
    include:
      - project: $CI_PROJECT_PATH
        ref: $CI_COMMIT_SHA
        file: $CI_CONFIG_PATH
        rules:
          - exists:
              - Dockerfile
  2. Create a project that has a working .gitlab-ci.yml and a file called Dockerfile
  3. Make sure the policy applies to this project
  4. Run a pipeline. It should fail because the exists condition evaluates to false and the include is not loaded.

Example Project

https://gitlab.com/gitlab-org/security-risk-management/security-policies/team-member-environment/andys-test-group/reproduce-issue-525060/test

What is the expected correct behavior?

The exists: condition should evaluate to true when the specified file exists in the target project, allowing the include: to proceed.

Possible Workarounds

Currently, users may need to create separate policies for projects with and without the target file (e.g., .gitlab-ci.yml).

Additional Context

cc @jbcrawford

Edited by Andy Schoenen
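
A sketch of the workaround described under "Possible Workarounds", added here as an illustration and not taken from the issue or from GitLab's own configuration: two policies in the security policy project's policy.yml, each scoped explicitly so that no rules: exists: check is needed. It uses the Dockerfile from the reproduction steps; the policy names, the policy CI project path, the CI file names and the project IDs are placeholders.

```yaml
# .gitlab/security-policies/policy.yml
# Added example: every name, path and ID below is a placeholder.
pipeline_execution_policy:
  # Policy A: projects known to contain a Dockerfile.
  - name: Include project CI (projects with Dockerfile)
    description: Explicit project scope used in place of rules exists.
    enabled: true
    pipeline_config_strategy: override_project_ci
    content:
      include:
        # with-dockerfile.yml pulls in the project's own CI unconditionally:
        #   include:
        #     - project: $CI_PROJECT_PATH
        #       ref: $CI_COMMIT_SHA
        #       file: $CI_CONFIG_PATH
        - project: example-group/policy-ci   # placeholder
          file: with-dockerfile.yml          # placeholder
    policy_scope:
      projects:
        including:
          - id: 1001   # placeholder project ID
          - id: 1002   # placeholder project ID

  # Policy B: projects without a Dockerfile.
  - name: Policy CI only (projects without Dockerfile)
    description: Runs the policy jobs without including the project CI.
    enabled: true
    pipeline_config_strategy: override_project_ci
    content:
      include:
        # without-dockerfile.yml defines only the policy's own jobs.
        - project: example-group/policy-ci   # placeholder
          file: without-dockerfile.yml       # placeholder
    policy_scope:
      projects:
        including:
          - id: 2001   # placeholder project ID
```

Nothing in this configuration checks for the file, so the two project lists have to be kept in step with the repositories by hand.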