Make pipeline execution policy variables take precedence

What does this MR do and why?

Variables defined in a pipeline execution policy take the highest precedence. This MR makes that also hold for variables defined as part of a custom scan action's ci_configuration.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Create a group
  2. Go to Settings -> General
  3. Toggle the Permissions and group features section
  4. Enable Run customized CI YAML file as security policy actions
  5. Create a project
  6. Add a .gitlab-ci.yml file containing a variable:
    variables:
        GLOBAL_VAR: "project setting"
  7. Go to Secure -> Policies
  8. Select New policy
  9. Select Scan execution policy
  10. Switch to .yaml mode and paste the following policy:
    type: scan_execution_policy
    name: Compliance
    description: ''
    enabled: true
    rules:
      - type: pipeline
        branch_type: all
    actions:
      - scan: custom
        ci_configuration: |-
          variables:
            GLOBAL_VAR: "policy"
          test policy job:
            stage: test
            script:
              - echo "'$GLOBAL_VAR'"
  11. Select Configure with a merge request and merge the MR
  12. On the project page, select Build -> Pipelines
  13. Select Run pipeline
  14. Add a variable with key: GLOBAL_VAR and value: web trigger
  15. Inspect the test policy job logs. The printed variable should say "policy" and not "web trigger".
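The precedence the validation steps exercise, as an added example that is not GitLab's code: a small resolver models the three variable sources from the steps above (the project's .gitlab-ci.yml, the variable added when running the pipeline, and the policy's custom scan ci_configuration), applies the documented order, and records which source each effective value came from so a reviewer can see that the web trigger cannot displace the policy value. The source names, the `IMAGE_TAG` variable and all values are constructed for the example.

```python
# Added example, not part of the MR: models the variable precedence the
# description asserts. Source names and variable values are constructed.
from dataclasses import dataclass

# Precedence, lowest to highest. Policy variables, including those inside a
# custom scan action's ci_configuration, win over everything else.
PRECEDENCE = ("project_yaml", "pipeline_run", "policy")


@dataclass(frozen=True)
class Resolved:
    value: str
    source: str
    overridden: tuple  # sources whose value lost, lowest precedence first


def resolve_variables(sources):
    """sources: dict source_name -> dict of variables.

    Returns dict variable_name -> Resolved, applying PRECEDENCE so that a
    later source replaces an earlier one and the loser is recorded."""
    result = {}
    for src in PRECEDENCE:
        for name, value in sources.get(src, {}).items():
            prev = result.get(name)
            lost = prev.overridden + (prev.source,) if prev else ()
            result[name] = Resolved(value, src, lost)
    return result


def policy_override_attempts(resolved):
    """Variables a pipeline-run input tried to set but the policy enforced."""
    return sorted(name for name, r in resolved.items()
                  if r.source == "policy" and "pipeline_run" in r.overridden)


# Constructed scenario mirroring the validation steps: the project YAML sets
# GLOBAL_VAR, the manual run passes "web trigger", the policy sets "policy".
SCENARIO = {
    "project_yaml": {"GLOBAL_VAR": "project setting", "IMAGE_TAG": "latest"},
    "pipeline_run": {"GLOBAL_VAR": "web trigger", "IMAGE_TAG": "1.2.3"},
    "policy": {"GLOBAL_VAR": "policy"},  # from the custom scan ci_configuration
}

if __name__ == "__main__":
    for name, r in resolve_variables(SCENARIO).items():
        print(f"{name}={r.value!r} from {r.source}, overrode {list(r.overridden)}")
    print("policy-enforced despite run input:", policy_override_attempts(resolve_variables(SCENARIO)))
```

IMAGE_TAG shows the ordinary case where a pipeline-run variable beats the project YAML, while GLOBAL_VAR shows the policy value surviving both, which is exactly what step 15 checks in the job log.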

Related to #439237 (closed)

Edited by Andy Schoenen
