Pipeline execution policy foundation

Martin Cavojrequested to merge
441252-pipeline-execution-poc-dry-run into master

What does this MR do and why?

This is a Pipeline execution policy PoC that uses dry run to evaluate policy pipelines and merge them into the project pipeline. Policy stages that are not defined in main pipeline will be ignored. In the follow-up, we will add reserved stages which will be injected and adding jobs to these stages will be guaranteed to work.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Policy jobs are merged to the project pipeline:

CleanShot_2024-04-19_at_17.40.43

Error handling - when there's an error in the PEP:

CleanShot_2024-04-25_at_11.59.21

How to set up and validate locally

  1. Enable the feature flag echo "Feature.enable(:pipeline_execution_policy_type)" | rails c
  2. Create two new projects. One for testing and one as the security policy project
  3. On the testing projects left sidebar, select Security & Compliance and Policies
  4. Select Edit policy project
  5. Select your security policy project and Save
  6. On you security policy project, create a new file .gitlab/security-policies/policy.yml with content: 
    ---
pipeline_execution_policy:
- name: test_pipeline_execution
  description: hey
  enabled: true
  content:
    policy test job:
      stage: test
      script:
      - echo "Hello World"
  7. Add a simple .gitlab-ci.yml to the project: 
    project job:
  stage: test
  script:
  - echo "Project job."
  8. Start a pipeline. It should contain the policy test job defined in the pipeline execution policy.

Related to #441252 (closed) and #455261 (closed).

Edited by Martin Cavoj

Merge request reports