
Draft: Handle pipeline execution policy job names

What does this MR do and why?

This change adds a suffix to pipeline execution policy jobs so that users can distinguish them in the UI.

The suffix is based on the policy index, so all jobs belonging to the same policy will have the same suffix.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Jobs belonging to the same policy have the same suffix. If the job declares needs, the links between jobs are preserved.

[Screenshot: CleanShot_2024-04-24_at_14.47.59]

Pipeline execution with jobs that declare needs:

[Screenshot: CleanShot_2024-04-24_at_14.50.33]

How to set up and validate locally

  1. In the Rails console, enable the feature flag:
    Feature.enable(:pipeline_execution_policy_type)
  2. Create a group
  3. Inside the group, create a project named SPP group
  4. In the project, create a file .gitlab/security-policies/policy.yml with the following content:
    ---
    pipeline_execution_policy:
      - name: Group policy
        description: ''
        enabled: true
        pipeline_config_strategy: inject_ci
        content:
          build job:
            stage: build
            script:
              - sleep 5 && echo "Group building..."
          group build job:
            needs:
              - "build job"
            script:
              - echo "Group policy job"
          group test job:
            script:
              - echo "Hello World from the group policy"
  5. Go back to the group and open Secure -> Policies. Click "Edit policy project" and select SPP group.
  6. In the group, create a new project named SPP project.
  7. In the project, create a file .gitlab/security-policies/policy.yml with the following content:
    ---
    pipeline_execution_policy:
      - name: Project policy
        description: ''
        enabled: true
        pipeline_config_strategy: inject_ci
        content:
          build job:
            stage: build
            script:
              - sleep 3 && echo "Policy building..."
          slow project policy build job:
            stage: build
            script:
              - sleep 15 && echo "Slow build completed."
          policy test job with needs:
            stage: test
            needs:
              - "build job"
            script:
              - echo "Project policy job started after build job"
          policy test job:
            stage: test
            script:
              - echo "Policy testing..."
  8. Create another project in the group: Test
  9. In the project Test, go to Secure -> Policies, edit the policy project and select SPP project
  10. In the project Test, create .gitlab-ci.yml:
    build job:
      stage: build
      script:
        - echo "Compiling the code..."
        - echo "Compile complete."
    
    project test job:
      stage: test
      script:
        - echo "Running unit tests... This will take about 60 seconds."
        - echo "Code coverage is 90%"
    
    deploy job:
      stage: deploy
      environment: production
      script:
        - echo "Deploying application..."
        - echo "Application successfully deployed."
  11. Go to Pipelines and run a pipeline
  12. Verify that jobs from both policies are injected into the pipeline
  13. Verify that jobs contain suffixes based on the policies they belong to
  14. Verify that job dependencies are preserved

Related to #455314 (closed)

Edited by Martin Čavoj
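
The behaviour that steps 12 to 14 verify can be modelled in a few lines of Ruby. This is an added example, not code from the MR or from GitLab: the suffix format `:policy-<n>`, the order in which the two policies are indexed, and the helper names are all assumptions, and only the string form of `needs` is handled.

```ruby
# Added illustration, not GitLab's implementation.
# ASSUMPTION: the suffix format ":policy-<n>"; the MR only says it is index-based.
def suffix_policy_jobs(jobs, index)
  suffix = ":policy-#{index}"
  jobs.to_h do |name, config|
    renamed = config.dup
    if config.key?("needs")
      # Rewrite only references to jobs defined in the same policy.
      renamed["needs"] = config["needs"].map { |n| jobs.key?(n) ? "#{n}#{suffix}" : n }
    end
    ["#{name}#{suffix}", renamed]
  end
end

# Project jobs plus every policy's suffixed jobs, in policy order.
def build_pipeline(project_jobs, policies)
  policies.each_with_index.reduce(project_jobs.dup) do |all, (jobs, i)|
    all.merge(suffix_policy_jobs(jobs, i + 1))
  end
end

# [job, need] pairs whose "needs" entry matches no job in the pipeline.
def dangling_needs(pipeline)
  pipeline.flat_map do |name, config|
    (config["needs"] || []).reject { |n| pipeline.key?(n) }.map { |n| [name, n] }
  end
end

# Constructed from the job names in the three YAML files above (scripts omitted).
GROUP_POLICY = {
  "build job" => { "stage" => "build" },
  "group build job" => { "needs" => ["build job"] },
  "group test job" => {}
}.freeze
PROJECT_POLICY = {
  "build job" => { "stage" => "build" },
  "slow project policy build job" => { "stage" => "build" },
  "policy test job with needs" => { "stage" => "test", "needs" => ["build job"] },
  "policy test job" => { "stage" => "test" }
}.freeze
PROJECT_CI = {
  "build job" => { "stage" => "build" },
  "project test job" => { "stage" => "test" },
  "deploy job" => { "stage" => "deploy" }
}.freeze

PIPELINE = build_pipeline(PROJECT_CI, [GROUP_POLICY, PROJECT_POLICY])
PIPELINE.each { |name, config| puts [name, config["needs"]].compact.join(" needs ") }
```

All three `build job` definitions survive as separate entries, and each policy's `needs` entry points at that policy's own `build job` rather than at the project's.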
