Pipeline Execution Policy Change - Showing multi-trigger pipelines from start to end when a pipeline trigger token is used

Proposal

During a policy rollout on a root group, we encountered an old issue in a new context. We have figured out a workaround, but this has now led to a FR. Here is the context:

Alex is a maintainer in best-practices

We rolled out our pipeline execution policies on best-practices, so best-practices/best-practices-security-policy-project was created with the appropriate policies

Alex has a workflow within best-practices that makes use of multiple triggers in a row, all of which were using $CI_JOB_TOKEN to trigger pipelines. However, after we rolled out the policies, Alex started getting this error on the various child pipelines:

Pipeline execution policy error: Project best-practices/best-practices-security-policy-project not found or access denied! Make sure any includes in the pipeline configuration are correctly defined.

I'm not sure why, since:

  1. Alex is a member of all of the required groups/projects and has the permissions to run the pipelines
  2. The required projects have their job token allowlist set to all groups and projects

Plus, the pipeline execution policy setting was enabled. Perhaps this is something that needs investigating? It is worth noting that when he then went and manually re-ran each of the child pipelines with this error individually, they worked. So I believe this issue could be with $CI_JOB_TOKEN not having the right permissions being passed along the "chain" of the pipeline.

However, from previous tickets I knew a workaround would be to change the $CI_JOB_TOKEN to an appropriate pipeline trigger token for each trigger. This fixed the problem and is an adequate fix.

The problem now though is that the UI no longer shows the full pipeline from start to end, where it did before the policies had been rolled out, when $CI_JOB_TOKEN was used.

Before:

image

After:

image

We would greatly appreciate the UI showing multi-trigger pipelines from start to end when a pipeline trigger token is used. This is of high importance to us because it is preventing us rolling the policies out to a significant number of our groups, and so I would like to make an FR for this to be added.

If any more context is needed I will be happy to provide it.

This is related to this issue

Edited by 🤖 GitLab Bot 🤖