Add ability to strictly enforce stage order when running jobs from Pipeline Execution Policies
Problem Statement
Pipeline Execution Policies currently face challenges when enforcing stage order due to the `needs` keyword in GitLab CI configuration. The `needs` keyword allows jobs to run out of their defined stage order, which creates issues for security policies that need to ensure strict sequential execution.
This affects multiple use cases identified in our Pipeline Execution Policy Stage Control epic:
- Case 3: Failures in policy jobs outside .pipeline-policy-pre gate subsequent stages
- Case 4: Policy stages wait for previous stages/jobs to complete (to "scan" results)
- Case 6: Pipeline jobs respect and wait for policy jobs execution
Root Cause
All three cases share the same root cause: the `needs` keyword affects how jobs are executed, allowing jobs to bypass the natural stage order. While jobs without the `needs` keyword execute in parallel within their stage, stages themselves should run sequentially. However, when `needs` is used, this sequential stage execution can be bypassed.
Current Behavior vs Desired Behavior
Current Behavior:
- Jobs with the `needs` keyword can run out of stage order
- Pipeline Execution Policies cannot guarantee sequential stage execution
- Security policies may be bypassed when developers use `needs` in their CI configuration
Desired Behavior:
- Pipeline Execution Policies can enforce strict stage order regardless of `needs` configuration
- When enabled, stages run sequentially even if individual jobs have `needs` dependencies
- Existing Pipeline Execution Policy configurations continue to work as before
Proposed Solution
Add a new configuration option within Pipeline Execution Policies that allows strict enforcement of stage order. This option would:
- Ignore the `needs` keyword for the purpose of stage ordering when enabled
- Ensure sequential stage execution regardless of job-level dependencies
- Apply to all jobs when enabled (initially; can be extended for selective enforcement in the future)
- Maintain backward compatibility with existing Pipeline Execution Policy configurations
Implementation Approach
This requires collaboration between the Verify stage (GitLab CI functionality) and Security Risk Management (Pipeline Execution Policies) teams:
- Verify team: Implement the core CI functionality to override `needs` behavior when requested
- Security Risk Management team: Add the configuration option to Pipeline Execution Policies to leverage this functionality
- Cross-team coordination: Ensure the feature integrates seamlessly with existing policy enforcement mechanisms
Acceptance Criteria
- Pipeline Execution Policies can be configured to enforce strict stage order
- When enabled, stages execute sequentially regardless of `needs` keyword usage
- Existing Pipeline Execution Policy configurations remain unaffected
- Feature works with all current policy enforcement mechanisms
- Documentation updated to explain the new configuration option
Related Issues
- Epic: Complete Pipeline Execution Policy Stage Control and Failure Handling
- Issue #479493: Failures in policy jobs outside .pipeline-policy-pre gate subsequent stages
- Issue #469256 (closed): Policy stages wait for previous stages/jobs to complete (to "scan" results)