Add ability to prevent the cancellation of secure jobs at the top level rather than project level.


Release notes

Restrict roles that can cancel pipelines or jobs. Introduced in GitLab 16.7.

Either add to the functionality or create a separate option at the group or top level to restrict the cancellation of policy jobs.

Problem to solve

The customer would like to prevent the cancellation of security jobs at the top-group level.

Currently, Developers can cancel jobs in a pipeline by default. This includes security policy jobs even if skip is enabled.


You can restrict the roles that can cancel pipelines or jobs by editing the project settings in Settings > CI/CD > General pipelines.

However, users at the Owner or Maintainer level can edit this setting.


The customer's concern is that it is very easy for someone to simply skip the scan jobs. They would like a way to enforce that policy jobs run and are unskippable from the top-level group down, instead of only being able to control cancellation at the project level. Provide a way to "disallow canceling jobs defined in policy" from the top-level group.

Steps to reproduce

  1. Create a policy and set skip to false
  2. Add a job to your .gitlab-ci.yml
  3. Run the pipeline
  4. Cancel secure jobs at will

You can configure a project so that jobs cannot be skipped at the project level, but Maintainers and Owners can update that setting at will via the project settings.

Here is my policy scan_execution_policy.yml

Example project here
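Until a group-level control exists, the only mitigation is to watch the project-level setting for drift. The script below is an added example written for this issue, not GitLab code. It assumes the Projects REST API attribute `ci_restrict_pipeline_cancellation_role` (values `developer`, `maintainer`, `no_one`) is the API form of the setting described above under Settings > CI/CD > General pipelines; that attribute is not shown on this page. Group and project identifiers, the token, and the sample API responses are constructed.

```python
"""Audit the project-level "restrict pipeline cancellation" setting across a group.

Added example for this issue, not GitLab's own code. Assumes the Projects API
exposes the setting as `ci_restrict_pipeline_cancellation_role` with values
developer / maintainer / no_one (not confirmed by the page). Sample data below
is constructed.
"""
import json
import urllib.request
from typing import Iterable

# Roles the issue wants enforced from the top-level group down. Anything looser
# (the default "developer") lets Developers cancel policy scan jobs.
ALLOWED_ROLES = {"maintainer", "no_one"}


def noncompliant_projects(projects: Iterable[dict]) -> list[dict]:
    """Return projects whose cancellation role still lets Developers cancel jobs.

    A missing attribute is treated as the default ("developer") so that a
    project whose API response omits the field is flagged rather than passed.
    """
    findings = []
    for p in projects:
        role = p.get("ci_restrict_pipeline_cancellation_role") or "developer"
        if role not in ALLOWED_ROLES:
            findings.append({
                "id": p["id"],
                "path": p["path_with_namespace"],
                "role": role,
            })
    return findings


def _get(url: str, token: str):
    """One authenticated GET; returns (parsed JSON, X-Next-Page header)."""
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp), resp.headers.get("X-Next-Page") or ""


def fetch_group_projects(base_url: str, group_id: str, token: str) -> list[dict]:
    """Live call: list every project under a group (subgroups included), then
    read each project individually, since the list endpoint may omit CI settings."""
    projects: list[dict] = []
    page = "1"
    while page:
        url = (f"{base_url}/api/v4/groups/{group_id}/projects"
               f"?include_subgroups=true&per_page=100&page={page}")
        batch, page = _get(url, token)
        for summary in batch:
            full, _ = _get(f"{base_url}/api/v4/projects/{summary['id']}", token)
            projects.append(full)
    return projects


# Constructed sample, shaped like GET /projects/:id responses.
SAMPLE_PROJECTS = [
    {"id": 1, "path_with_namespace": "sec-group/app-a",
     "ci_restrict_pipeline_cancellation_role": "no_one"},
    {"id": 2, "path_with_namespace": "sec-group/app-b",
     "ci_restrict_pipeline_cancellation_role": "developer"},   # drifted back
    {"id": 3, "path_with_namespace": "sec-group/sub/app-c",
     "ci_restrict_pipeline_cancellation_role": "maintainer"},
    {"id": 4, "path_with_namespace": "sec-group/sub/app-d"},  # attribute absent
]

if __name__ == "__main__":
    # Replace SAMPLE_PROJECTS with fetch_group_projects(url, group_id, token)
    # to run against a real instance.
    for f in noncompliant_projects(SAMPLE_PROJECTS):
        print(f"{f['path']} (id {f['id']}): cancellation role is {f['role']}")
```

Run against the constructed sample, the audit reports `app-b` (explicitly reset to `developer`) and `app-d` (setting absent). Because a Maintainer can flip the project setting at any time, this check only detects drift after the fact; it does not replace the group-level enforcement this issue asks for.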

Intended users

Any user who would like to restrict security policy jobs from being cancelled or this setting from being removed at the lower project level.

User experience goal

Prevent the cancellation of security policy jobs at the top-level group, or do not allow policy jobs to be cancelled while leaving other jobs' cancelability at the project level unaffected.

Proposal

Provide a toggle or function to manage this separately from cancelling by role at the project level. Instead, the cancellation of jobs should be a feature separate from policies at the top level for security.

Further details

Permissions and Security

Documentation

Availability & Testing

Should not require additional testing, as we have most of the groundwork already with the ability to cancel jobs. But will leave final say up to dev.

Available Tier

  • Ultimate / Gold

Feature Usage Metrics

Security policies and frameworks are managed from the top level down. It only makes sense to manage the cancellation of these jobs at the top or group level rather than at the project level.

What does success look like, and how can we measure that?

What is the type of buyer?

Any user interested in expanded security. Banks, hospitals, and Security

Is this a cross-stage feature?

What is the competitive advantage or differentiation for this feature?

This was requested by a high-end user. Allows our Ultimate security offering more security/flexibility, setting us apart from the competition.

See the internal Salesforce link

Links / references
