
ci: Avoid blanket changes to avoid unexpected run

Lin Jen-Shin requested to merge ci-avoid-blanket-changes into master

What does this MR do and why?

Avoid blanket changes to avoid unexpected run

Documentation for this caveat: https://docs.gitlab.com/ee/ci/yaml/#ruleschanges

You should use rules: changes only with branch pipelines or merge request pipelines. You can use rules: changes with other pipeline types, but rules: changes always evaluates to true when there is no Git push event. Tag pipelines, scheduled pipelines, manual pipelines, and so on do not have a Git push event associated with them. A rules: changes job is always added to those pipelines if there is no if that limits the job to branch or merge request pipelines.

If we trigger a pipeline from another pipeline, regardless of what the actual changes were, it'll always evaluate to true, which can be unexpected.

If we also apply if-default-refs it would at least limit the scope to those default scenarios we care most about.

That being said, adding if-default-refs to those conditions will not stop the incident from happening, because we can see that if $FORCE_GITLAB_CI is being set, it's also considered if-default-refs, and the triggered pipeline did also contain $FORCE_GITLAB_CI, as we can see from gitaly!4986 (merged).

Therefore, I don't expect this to change the actual behaviours, nor does it prevent cache poisoning.

However I think it's likely still beneficial to have this:

  • More clear what to expect
  • If we tweak if-default-refs we can tweak the behaviour when needed

Background

See gitlab-org/quality/engineering-productivity/master-broken-incidents#45 (comment 1159064802)

  • An unmerged Gitaly merge request gitaly!4986 (merged) triggered a cross-project pipeline on GitLab toon-gitaly-version branch which also has an unmerged merge request: !102281 (merged)
  • !102281 (merged) showed a mix of pipelines, with its own merge request pipelines and "branch pipelines" triggered from Gitaly.
  • Merge request pipelines did not run update-gitaly-binaries-cache nor update-tests-metadata because relevant files did not change. However, the "branch pipelines" did run those because changes is always true for those pipelines, because those were not pushed but triggered. This was discovered from !102727 (comment 1158917472)

Merge request pipeline without update-gitaly-binaries-cache: https://gitlab.com/gitlab-org/gitlab/-/pipelines/678677901


Branch pipeline having update-gitaly-binaries-cache: https://gitlab.com/gitlab-org/gitlab/-/pipelines/683127875


MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

See gitlab-org/quality/engineering-productivity/master-broken-incidents#45 (comment 1159064802)

Edited by Lin Jen-Shin
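The rules: changes caveat quoted in the description, shown as an added configuration example that is not part of this merge request or the project's CI files. Job names, the script path and the watched file are hypothetical; only the rules keywords and the predefined variables CI_PIPELINE_SOURCE and CI_COMMIT_BRANCH are real GitLab CI syntax.

```yaml
# Hypothetical .gitlab-ci.yml fragment. Job names, script and paths are
# constructed for illustration and are not the project's own.

# Unscoped: rules:changes with no `if`. In a pipeline that has no Git push
# event (cross-project trigger, schedule, manual run, tag), `changes`
# evaluates to true, so this cache-writing job is added even though the
# watched file did not change.
update-cache-unscoped:
  script: ./scripts/update-cache.sh        # hypothetical script
  rules:
    - changes:
        - "WATCHED_VERSION_FILE"           # hypothetical path

# Scoped: each rule pairs `changes` with an `if` on the pipeline source, and
# both must match. Only merge request pipelines and branch pushes have a diff
# to compare against, so a triggered pipeline matches no rule and the job is
# not added to it.
update-cache-scoped:
  script: ./scripts/update-cache.sh        # hypothetical script
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
      changes:
        - "WATCHED_VERSION_FILE"
    - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH'
      changes:
        - "WATCHED_VERSION_FILE"
```

An `if` condition that a triggering pipeline can satisfy by passing a variable, as the description notes for $FORCE_GITLAB_CI, puts the job back in the unscoped case.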
