Make security policy stages order take precedence
What does this MR do and why?
Pipeline execution policies can force CI code to be run in applied projects. The CI will be merged with the project CI. It is also possible to define custom stages in the policy CI. One use case for this is that stages can be injected before or after certain project CI stages.
To make this work, the order of stages defined in the pipeline execution policy should take precedence over the order defined in the project CI.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Create a new Group.
- Navigate to Settings -> General.
- Expand the Permissions and group features section.
- Enable the "Run customized CI YAML file as security policy actions" experiment.
- Create a new project in the group.
- Add a
.gitlab-ci.yml
file with content:stages: - stage1 - stage2 - stage3 job1: stage: stage1 script: - echo "job 1" job2: stage: stage2 script: - echo "job 2" job3: stage: stage3 script: - echo "job 3"
- Select Secure -> Policies -> New policy .
- Select Scan execution policy.
- Switch to
.yaml mode
and past the following policy:type: scan_execution_policy name: test description: '' enabled: true rules: - type: pipeline branch_type: all actions: - scan: custom ci_configuration: |- stages: - pre_stage1 - stage1 - stage2 - post_stage2 - stage3 pre stage 1 job: stage: pre_stage1 script: - echo "Pre stage 1" post stage 2 job: stage: post_stage2 script: - echo "Post stage 2"
- Select configure with a merge request and merge the MR.
- Start a new pipeline in the project.
- The stages should run in the same order defined in the policy yaml.
Related to #432042 (closed)