Docs example: force merge pipelines to re-run if they're older than ABC before merge
Problem to solve
Is there a way to force merge pipelines to re-run if they're older than X days before approval/merging?
Further details
Captured in Slack from @kmcknight: https://gitlab.slack.com/archives/C0787G6B681/p1745348403556089?thread_ts=1745339101.303759&cid=C0787G6B681
This solution can be applied across multiple groups for ease of maintenance and compliance requirements. Here's how to implement a solution using Pipeline Execution Policies:
- Create a Pipeline Execution Policy. Pipeline Execution Policies are perfect for enforcing pipeline freshness across all groups:
  - Navigate to the top-level group's Settings > CI/CD > Pipeline execution policies
  - Click Add policy
  - Configure the policy:
    - Name: "Pipeline Freshness Policy"
    - Description: "Prevents merging with pipelines older than 7 days"
    - Status: Enabled
    - Mode: Either "Append" or "Replace" (depending on your existing setup)
- Define the Pipeline Age Check Job. Add this as part of your policy definition:

  ```yaml
  stages:
    - validate
    - test
    - build
    - deploy

  pipeline_freshness_check:
    stage: validate
    script:
      - |
        # Calculate pipeline age in days
        PIPELINE_AGE=$((($(date +%s) - $(date -d "$CI_PIPELINE_CREATED_AT" +%s)) / 86400))
        echo "Current pipeline age: $PIPELINE_AGE days"
        # Set your maximum allowed age
        MAX_AGE=${MAX_PIPELINE_AGE_DAYS:-7}
        if [ $PIPELINE_AGE -gt $MAX_AGE ]; then
          echo "ERROR: Pipeline is $PIPELINE_AGE days old, exceeding the $MAX_AGE-day limit."
          echo "Please run a new pipeline before merging."
          exit 1
        else
          echo "Pipeline age verification passed: $PIPELINE_AGE days old (limit: $MAX_AGE days)"
        fi
    rules:
      - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    allow_failure: false
  ```

- Apply the Policy to Groups. In the policy configuration:
  - Under Applies to, select "This group and all descendant groups"
  - Alternatively, you can select specific groups if needed
  - Save the policy
- Configure Group-Level Variables. To make the policy flexible:
  - Go to the top-level group's Settings > CI/CD > Variables
  - Add a variable MAX_PIPELINE_AGE_DAYS with a value of 7 (or your preferred duration)
  - Make the variable overridable by sub-groups if you want to allow customization
- Set Up Required Merge Request Settings to ensure the pipeline check is enforced:
  - At the group level, go to Settings > Merge requests
  - Enable "Pipelines must succeed" under "Merge checks"
  - Configure additional settings like "Remove all approvals when new commits are pushed"
- Monitor Compliance and Exemptions. The Pipeline Execution Policy interface provides ways to:
  - Monitor which projects are using the policy
  - Handle exemptions for specific projects if needed
  - Track policy effectiveness
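As an added example (not part of the Slack thread or of GitLab's docs), the age arithmetic from the `pipeline_freshness_check` job above is factored into shell functions that take explicit epoch seconds, so the threshold behaviour can be exercised locally without a runner; the function names are my own, and the `date -d` wrapper assumes GNU date as the job does.

```shell
#!/bin/sh
# Added example, not the job as posted: same arithmetic and comparison as
# pipeline_freshness_check, split into testable functions.

# Whole days between two epoch-second timestamps (integer division, as in the job).
pipeline_age_days() {
  created_epoch="$1"
  now_epoch="$2"
  echo $(( (now_epoch - created_epoch) / 86400 ))
}

# Returns 0 (pass) when the age is within the limit, 1 (fail) otherwise,
# using the same "-gt" comparison as the job, with the same default of 7 days.
freshness_ok() {
  age_days="$1"
  max_days="${2:-7}"
  if [ "$age_days" -gt "$max_days" ]; then
    return 1
  fi
  return 0
}

# Wrapper mirroring the job: parse an ISO 8601 timestamp such as the value
# GitLab sets in CI_PIPELINE_CREATED_AT (GNU date needed for -d), then apply
# the MAX_PIPELINE_AGE_DAYS limit. Exit status 2 means the timestamp was unparsable.
check_pipeline_freshness() {
  created_at="$1"
  max_days="${2:-${MAX_PIPELINE_AGE_DAYS:-7}}"
  created_epoch=$(date -u -d "$created_at" +%s) || return 2
  age=$(pipeline_age_days "$created_epoch" "$(date +%s)")
  freshness_ok "$age" "$max_days"
}

# Boundary worth knowing (constructed values): a pipeline created 7 days and
# 23 hours ago still passes, because integer division truncates the age to 7
# and "7 -gt 7" is false. The limit is therefore "less than MAX_AGE+1 days",
# not "at most MAX_AGE days"; use -ge if the stricter reading is intended.
```

Running the block by itself defines the functions only; call `check_pipeline_freshness "$CI_PIPELINE_CREATED_AT"` in a job or a local shell to exercise it.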
This approach using Pipeline Execution Policies is much cleaner than the compliance framework approach because:
- It's specifically designed for CI/CD enforcement
- It's easier to manage from a central location
- It applies automatically to new projects in the groups
- It has built-in monitoring and compliance reporting
The policy ensures that no merge request can be approved or merged if its pipeline is older than your defined threshold, effectively preventing the security scan issue your customer encountered.
Other links/references
A potential home for this information: https://docs.gitlab.com/ci/pipelines/merge_request_pipelines/