Docs: MR widget and child pipelines
Problem to solve
Determine if this workaround is in our docs. If not, publish it:
Original question in #sme-ci: Does anyone know by chance if we are able to output the Terraform/OpenTofu report artifact to an MR, if it’s coming from a downstream or child pipeline? Or if there’s any special considerations or configurations that would be needed in order to get that MR widget to work with downstream pipelines?
Answer
Current Limitation: Unfortunately, there is a known limitation with GitLab MR widgets when using downstream (child) pipelines. When a pipeline triggers downstream pipelines, the security MR Widget does not show if the security scanners do not run in the main pipeline but only in the child pipelines. This same limitation applies to all types of MR widgets, including Terraform/OpenTofu report artifacts.
The Issue: The MR widgets do not show when reports (including Terraform/OpenTofu plan reports) are generated exclusively in downstream or child pipelines. GitLab currently only displays MR widgets for artifacts and reports generated in the main/parent pipeline.
Current Status: This is tracked as a known issue in GitLab's issue tracker (MR widgets do not show when reports are generat... (#439700 - closed)), which states that the MR widgets should show no matter where the security (or performance, or quality) reports are produced. The expectation is that widgets should appear regardless of whether reports come from parent or child pipelines.
Workarounds: Until this limitation is resolved, here are potential approaches:
- Run Terraform/OpenTofu planning in the parent pipeline instead of downstream pipelines
- Use job dependencies to bring artifacts back to the parent pipeline and generate the report there
- Configure a job in the parent pipeline that downloads artifacts from the downstream pipeline and re-exposes them as MR artifacts
Configuration Requirements: When the limitation is resolved or if you use workarounds, the standard configuration from the GitLab documentation applies:
Using the GitLab Terraform/OpenTofu Report artifact, you can expose details from tofu plan runs directly into a merge request widget, enabling you to see statistics about the resources that OpenTofu creates, modifies, or destroys. The basic configuration requires:
- Generating a Terraform/OpenTofu plan JSON report
- Configuring it as a terraform report artifact in your .gitlab-ci.yml
- Having the proper permissions (at least Guest role to view)
Unfortunately, this specific limitation with downstream pipelines means you'll need to adjust your pipeline architecture if you want the MR widget functionality to work properly.
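A parent-pipeline layout for the first workaround (plan in the parent, keep only the later work in the child), given here as an added example and not as configuration from the original answer. The job names, file names, image and child pipeline path are assumptions, and the jq filter is one way to reduce the plan to the create/update/delete counts the widget displays.

```yaml
# Added example. Assumed names: job names, plan.cache, plan.json,
# the image, and infra/child.gitlab-ci.yml.
stages:
  - plan
  - downstream

plan:
  stage: plan
  # Placeholder image (constructed): any image that provides tofu and jq.
  image: registry.example.com/ci/opentofu-jq:latest
  script:
    - tofu init -input=false
    - tofu plan -input=false -out=plan.cache
    # Publish only the action counts. The full `tofu show -json` output can
    # contain resource attribute values, and the report artifact is readable
    # by anyone who can view the project's job artifacts.
    - |
      tofu show -json plan.cache |
        jq -r '([.resource_changes[]?.change.actions?] | flatten) |
          {"create": (map(select(. == "create")) | length),
           "update": (map(select(. == "update")) | length),
           "delete": (map(select(. == "delete")) | length)}' > plan.json
  artifacts:
    # Restrict artifact downloads to Developer role and above.
    access: developer
    reports:
      # Generated in the parent pipeline, so the MR widget can display it.
      terraform: plan.json

# Work that does not need to appear in the MR widget can stay downstream.
# Per the limitation above, a terraform report produced only inside this
# child pipeline would not be shown in the merge request.
apply-child:
  stage: downstream
  trigger:
    include: infra/child.gitlab-ci.yml   # hypothetical path
    strategy: depend                     # parent status follows the child
```

plan.cache is deliberately not published as an artifact here, since the binary plan can hold sensitive values.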
Other links/references
Related to MR widgets do not show when reports are generat... (#439700 - closed)