Variables in Pipeline Execution Policy overridden by dotenv artifact
Summary
Even though the overriding of variables in the Pipeline Execution Policy is forbidden, they can still be overridden by variables from dotenv artifacts.
Steps to reproduce
- create a pipeline execution policy which forbids overriding of variables

```yaml
# Pipeline execution policy
---
pipeline_execution_policy:
- name: Execute pipeline job with variables
  description: Dummy pipeline job that defines and prints variables
  enabled: true
  pipeline_config_strategy: inject_policy
  content:
    include:
    - project: <your-policy-project-here>
      file: policy-pipeline.yml
  skip_ci:
    allowed: false
  variables_override:
    allowed: false
    exceptions: []
  policy_scope:
    projects:
      including:
      - id: <your-software-project-id-here>
```

```yaml
# policy-pipeline.yml in the policy project (the file included by the policy above)
stages:
  - second
variables:
  I_SHOULD_NOT_BE_OVERRIDEN1: "I have policy value and should not be overridden"
  I_SHOULD_NOT_BE_OVERRIDEN2: "I have policy value and should not be overridden"
  I_SHOULD_NOT_BE_OVERRIDEN3: "I have policy value and should not be overridden"
policy:print-vars:
  stage: second
  script:
    - echo "hello from policy pipeline"
    - echo $I_SHOULD_NOT_BE_OVERRIDEN1
    - echo $I_SHOULD_NOT_BE_OVERRIDEN2
    - echo $I_SHOULD_NOT_BE_OVERRIDEN3
```
- create a project that is affected by the policy and add a pipeline

```yaml
# Pipeline of the project in the policy scope
stages:
  - first
  - second
variables:
  I_SHOULD_NOT_BE_OVERRIDEN1: "I am overridden in project on root level"
project-pipeline-job:
  stage: first
  script:
    - echo "hello from project pipeline"
    - echo "I_SHOULD_NOT_BE_OVERRIDEN2=I am overridden by dotenv artifact" >> build.env
  artifacts:
    reports:
      dotenv: build.env
```

I_SHOULD_NOT_BE_OVERRIDEN3 is overridden in Project CI/CD Settings. (This does not matter, as variables_override: allowed: false works here and the override does not work.)
- run the pipeline and you will see

```
$ echo "hello from policy pipeline"
hello from policy pipeline
$ echo $I_SHOULD_NOT_BE_OVERRIDEN1
I have policy value and should not be overridden
$ echo $I_SHOULD_NOT_BE_OVERRIDEN2
I am overridden by dotenv artifact
$ echo $I_SHOULD_NOT_BE_OVERRIDEN3
I have policy value and should not be overridden
```

- Here I_SHOULD_NOT_BE_OVERRIDEN2 was overridden, even though it should not be allowed.
Example Project
Requires Ultimate, therefore not possible in public projects.
What is the current bug behavior?
Variable is overridden.
What is the expected correct behavior?
Variable is not overridden.
It should be possible to override variables this way if override is allowed, as passing vars via dotenv is explicitly mentioned as a feature here
Patch release information for backports
If the bug fix needs to be backported in a patch release to a version under the maintenance policy, please follow the steps on the patch release runbook for GitLab engineers.
Refer to the internal "Release Information" dashboard for information about the next patch release, including the targeted versions, expected release date, and current status.
High-severity bug remediation
To remediate high-severity issues requiring an internal release for single-tenant SaaS instances, refer to the internal release process for engineers.
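
A small model of the resolution this report expects, as an added example (not GitLab's implementation and not part of the original issue): dotenv report variables may add new names, but replace a policy-defined value only when variables_override permits it. The dotenv parsing is simplified, the reading of `exceptions` as inverting `allowed` for the listed names is an assumption, and `BUILD_ID` is a constructed sample entry.

```python
import re

# Constructed sample data mirroring the reproduction steps on this page.
POLICY_VARS = {
    f"I_SHOULD_NOT_BE_OVERRIDEN{i}": "I have policy value and should not be overridden"
    for i in (1, 2, 3)
}
BUILD_ENV = (
    "I_SHOULD_NOT_BE_OVERRIDEN2=I am overridden by dotenv artifact\n"
    "BUILD_ID=1234\n"  # constructed extra entry that does not collide with the policy
)
KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def parse_dotenv(text):
    """Simplified dotenv parser (assumption): one KEY=VALUE per line, split on the first '='."""
    pairs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and KEY_RE.fullmatch(key.strip()):
            pairs[key.strip()] = value
    return pairs


def may_override(name, allowed, exceptions):
    """Assumed semantics: names in `exceptions` invert the global `allowed` rule."""
    return allowed != (name in exceptions)


def resolve(policy_vars, dotenv_text, allowed=False, exceptions=()):
    """Return (effective variables, rejected dotenv keys) for a policy job."""
    effective, rejected = dict(policy_vars), []
    for key, value in parse_dotenv(dotenv_text).items():
        if key in policy_vars and not may_override(key, allowed, exceptions):
            rejected.append(key)  # policy value wins; record the attempted override
        else:
            effective[key] = value
    return effective, rejected


if __name__ == "__main__":
    env, rejected = resolve(POLICY_VARS, BUILD_ENV)
    print("rejected overrides:", rejected)
    print("I_SHOULD_NOT_BE_OVERRIDEN2 =", env["I_SHOULD_NOT_BE_OVERRIDEN2"])
```

The list of rejected keys is also a useful audit signal: a dotenv artifact that tries to set a policy-defined name is worth surfacing in the job log.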