Change security pipeline execution policy stages strategy
What does this MR do and why?
This changes the strategy for handling stages in pipeline execution policies. It is no longer possible to define custom stages; instead, the default stages are injected. This makes the feature more stable and avoids confusion when merging stage definitions.
As a next step, we want to:
- Assign jobs to the `.pipeline-policy-test` stage by default.
- Disallow jobs coming from the project CI configuration from being assigned to one of the `.pipeline-policy-*` stages.
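To make the stage-injection strategy and the two planned follow-ups concrete, here is an added Ruby model (example code, not GitLab's own implementation). It assumes `.pipeline-policy-test` is placed right after `test` (or before `.post` when a project has no `test` stage), and the sample YAML and job names are constructed.

```ruby
require 'yaml'
# Reserved stages injected by the policy; they can no longer be customised.
POLICY_PRE  = '.pipeline-policy-pre'
POLICY_TEST = '.pipeline-policy-test'
POLICY_POST = '.pipeline-policy-post'
RESERVED    = [POLICY_PRE, POLICY_TEST, POLICY_POST].freeze
DEFAULT_STAGES = %w[build test deploy].freeze # GitLab defaults when `stages:` is absent

# Stage order of a project's .gitlab-ci.yml: explicit `stages:` or the defaults,
# with the implicit .pre/.post stages at the ends.
def project_stages(ci_config)
  stages = Array(ci_config['stages'] || DEFAULT_STAGES) - ['.pre', '.post']
  ['.pre'] + stages + ['.post']
end

# Injects the fixed policy stages instead of merging policy-defined ones.
# Assumption: .pipeline-policy-test follows `test`, or precedes .post without a `test` stage.
def inject_policy_stages(stages)
  stages = stages - RESERVED
  at = stages.index('test') ? stages.index('test') + 1 : stages.index('.post')
  [POLICY_PRE] + stages.dup.insert(at, POLICY_TEST) + [POLICY_POST]
end

# Models the planned follow-ups: policy jobs without a stage default to
# .pipeline-policy-test, and project jobs may not use a .pipeline-policy-* stage.
# Returns [stage assigned to each policy job, list of violations].
def check_jobs(project_config, policy_config)
  jobs = ->(cfg) { cfg.select { |_, v| v.is_a?(Hash) && v.key?('script') } }
  assigned = jobs.call(policy_config).transform_values { |j| j['stage'] || POLICY_TEST }
  violations = jobs.call(project_config).filter_map do |name, job|
    "project job '#{name}' uses reserved stage '#{job['stage']}'" if RESERVED.include?(job['stage'])
  end
  [assigned, violations]
end

# Constructed sample input modelled on the validation steps (hypothetical job names).
PROJECT_YAML = "build job:\n  stage: build\n  script:\n    - echo \"Hello World\"\n" \
               "misplaced job:\n  stage: .pipeline-policy-post\n  script:\n    - echo \"Hello World\"\n"
POLICY_YAML = "pre policy:\n  stage: .pipeline-policy-pre\n  script:\n    - echo 'Hello World'\n" \
              "scan policy:\n  script:\n    - echo 'Hello World'\n"

# Final stage order plus the job checks for the sample configs.
def demo
  project = YAML.safe_load(PROJECT_YAML)
  policy  = YAML.safe_load(POLICY_YAML)
  [inject_policy_stages(project_stages(project)), *check_jobs(project, policy)]
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```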
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Create a group.
- Go to Settings -> General.
- Toggle the Permissions and group features section.
- Enable Security policy pipeline execution action.
- Create a project in the group with the following `.gitlab-ci.yml` file:

```yaml
pre job:
  stage: .pre
  script:
    - echo "Hello World"
build job:
  stage: build
  script:
    - echo "Hello World"
test job:
  stage: test
  script:
    - echo "Hello World"
deploy job:
  stage: deploy
  script:
    - echo "Hello World"
post job:
  stage: .post
  script:
    - echo "Hello World"
```
- On the left sidebar, select Security & Compliance and Policies.
- Select New Policy.
- Select Scan execution policy.
- Switch to `.yaml` mode and enter the following policy:

```yaml
type: scan_execution_policy
name: test
description: ''
enabled: true
rules:
  - type: pipeline
    branch_type: all
actions:
  - scan: custom
    ci_configuration: |-
      pre policy:
        stage: .pipeline-policy-pre
        script:
          - echo 'Hello World'
      test policy:
        stage: .pipeline-policy-post
        script:
          - echo 'Hello World'
      post policy:
        stage: .pipeline-policy-test
        script:
          - echo 'Hello World'
```
- Select Configure with a merge request.
- Merge the MR.
- Go back to the project and start a new pipeline.
- The pipeline should have the following stages, in this order:
  1. `.pipeline-policy-pre`
  2. `.pre`
  3. `build`
  4. `test`
  5. `.pipeline-policy-test`
  6. `deploy`
  7. `.post`
  8. `.pipeline-policy-post`
Related to #440141 (closed)
Edited by Andy Schoenen