Ignore tag pipelines for MR approval policies

Sashi Kumar Kumaresan requested to merge sk/457613-ignore-tag-pipelines into master

What does this MR do and why?

This MR fixes a bug in MR approval policies where a tag pipeline is considered for comparison, which could lead to inconsistent behaviour because a tag pipeline may not contain security jobs.

Database

SELECT
    max(id) as id 
FROM
    "ci_pipelines" 
WHERE
    "ci_pipelines"."project_id" = 278964 
    AND (
        "ci_pipelines"."status" IN (
            'success','failed','canceled','skipped'
        )
    ) 
    AND "ci_pipelines"."tag" = false
    AND "ci_pipelines"."sha" = '6418b07f2e90539ce87dbe51b8624d2e486b6ee0' 
    AND (
        "ci_pipelines"."source" IN (
            1, 2, 3, 4, 5, 6, 7, 8, 10, 11, 15
        ) 
        OR "ci_pipelines"."source" IS NULL
    ) 
GROUP BY
    "ci_pipelines"."source"

Query Plan

 Aggregate  (cost=3.75..3.77 rows=1 width=8) (actual time=67.376..67.380 rows=2 loops=1)
   Group Key: ci_pipelines.source
   Buffers: shared hit=3 read=22
   I/O Timings: read=67.135 write=0.000
   ->  Sort  (cost=3.75..3.76 rows=1 width=8) (actual time=67.368..67.369 rows=5 loops=1)
         Sort Key: ci_pipelines.source
         Sort Method: quicksort  Memory: 25kB
         Buffers: shared hit=3 read=22
         I/O Timings: read=67.135 write=0.000
         ->  Index Scan using index_ci_pipelines_on_project_id_and_sha on public.ci_pipelines  (cost=0.70..3.74 rows=1 width=8) (actual time=16.219..67.335 rows=5 loops=1)
               Index Cond: ((ci_pipelines.project_id = 278964) AND ((ci_pipelines.sha)::text = '6418b07f2e90539ce87dbe51b8624d2e486b6ee0'::text))
               Filter: ((NOT ci_pipelines.tag) AND ((ci_pipelines.status)::text = ANY ('{success,failed,canceled,skipped}'::text[])) AND ((ci_pipelines.source = ANY ('{1,2,3,4,5,6,7,8,10,11,15}'::integer[])) OR (ci_pipelines.source IS NULL)))
               Rows Removed by Filter: 12
               Buffers: shared read=22
               I/O Timings: read=67.135 write=0.000

Time: 76.437 ms
  - planning: 8.999 ms
  - execution: 67.438 ms
    - I/O read: 67.135 ms
    - I/O write: 0.000 ms

Shared buffers:
  - hits: 3 (~24.00 KiB) from the buffer pool
  - reads: 22 (~176.00 KiB) from the OS file cache, including disk I/O
  - dirtied: 0
  - writes: 0

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  • Create a project with security scan jobs and make them available for everything except tags by adding:
  except:
    - tags
  • Create an MR approval policy to enforce approval on newly detected vulnerabilities
  • Create an MR by updating README and verify that the approval is not required
  • Create a tag from the MR's source branch and make sure that the security scan does not run for the tag pipeline.
  • After the tag pipeline is complete, observe that the MR does not require approval

Example Project: https://gitlab.com/gitlab-org/govern/security-policies/sashis-test-group/test-419789
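
The scenario from the validation steps, modeled as an added Ruby example (not GitLab's code and not part of this MR). The `Pipeline` struct, the job names, the pipeline ids and the commit SHA are constructed; the status and source lists are copied from the query above. It shows how picking the newest pipeline per source lets a tag pipeline without scans displace the branch pipeline that ran them, and how the `tag = false` condition prevents that.

```ruby
# Constructed model of the pipeline selection in this MR; not GitLab's code.
Pipeline = Struct.new(:id, :sha, :source, :tag, :status, :security_jobs, keyword_init: true)

COMPLETED = %w[success failed canceled skipped].freeze
SOURCES   = [1, 2, 3, 4, 5, 6, 7, 8, 10, 11, 15].freeze # list from the query

# Mirrors the query: newest completed pipeline per source for one SHA.
# ignore_tags: true corresponds to the `"tag" = false` condition.
def comparison_pipelines(pipelines, sha, ignore_tags:)
  pipelines
    .select { |p| p.sha == sha && COMPLETED.include?(p.status) }
    .select { |p| p.source.nil? || SOURCES.include?(p.source) }
    .reject { |p| ignore_tags && p.tag }
    .group_by(&:source)
    .map { |_source, group| group.max_by(&:id) }
    .sort_by(&:id)
end

# A selected pipeline with no security jobs has no findings to compare.
def missing_scans(selected)
  selected.reject { |p| p.security_jobs.any? }.map(&:id)
end

COMMIT_SHA = 'a' * 40 # constructed commit SHA

# Constructed history: a branch pipeline with scans, then a tag created
# from the same commit whose pipeline skips scans (`except: - tags`).
PIPELINES = [
  Pipeline.new(id: 101, sha: COMMIT_SHA, source: 1, tag: false, status: 'success',
               security_jobs: %w[sast secret_detection]),
  Pipeline.new(id: 102, sha: COMMIT_SHA, source: 10, tag: false, status: 'success',
               security_jobs: %w[sast secret_detection]),
  Pipeline.new(id: 103, sha: COMMIT_SHA, source: 1, tag: true, status: 'success',
               security_jobs: [])
].freeze

def report(ignore_tags)
  selected = comparison_pipelines(PIPELINES, COMMIT_SHA, ignore_tags: ignore_tags)
  { ids: selected.map(&:id), without_scans: missing_scans(selected) }
end

if __FILE__ == $PROGRAM_NAME
  puts "tags included: #{report(false)}"
  puts "tags ignored:  #{report(true)}"
end
```

With tags included, pipeline 103 replaces 101 for source 1 and the selection contains a pipeline with no scan results; with tags ignored, both selected pipelines carry security jobs.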

Addresses #457613 (closed)

Edited by Sashi Kumar Kumaresan