Inject reserved pipeline policy stages

What does this MR do and why?

This MR adds support for reserved stages.

A policy can declare its jobs in the following stages:

  • .pipeline-policy-pre - runs before .pre
  • .pipeline-policy-post - runs after .post

These stages cannot be used by project CI configuration.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Stages cannot be used by project CI configuration:

[Screenshot: CleanShot_2024-06-11_at_10.34.15_2x]

Stages don't show up in the available stages list:

[Screenshot: CleanShot_2024-06-11_at_10.35.18_2x]

If used from a policy, they are injected into the pipeline:

[Screenshot: CleanShot_2024-06-12_at_11.04.13_2x]

[Screenshot: CleanShot_2024-06-12_at_11.03.00_2x]

How to set up and validate locally

  1. In the Rails console, enable the feature flag:
    Feature.enable(:pipeline_execution_policy_type)
  2. Create a group
    1. In the group, create a Compliance project
  3. In the Compliance project, create a file reserved-stages.yml:
    build job:
      stage: .pipeline-policy-pre
      script:
        - sleep 3 && echo "Policy building..."
    slow policy test job:
      stage: test
      script:
        - sleep 15 && echo "Slow test completed."
    policy job after build:
      stage: .pipeline-policy-post
      needs:
        - "build job"
      script:
        - echo "Should start right after 'build job' finishes."
    policy deploy job:
      stage: .pipeline-policy-post
      script:
        - echo "Deploying..."
  4. In the group, create a new project: SPP project.
  5. In the project, create a file .gitlab/security-policies/policy.yml with the following content:
    ---
    pipeline_execution_policy:
      - name: Reserved stages policy
        description: ''
        enabled: true
        pipeline_config_strategy: inject_ci
        content:
          include:
            - project: <group-path>/compliance-project
              file: reserved-stages.yml
              ref: main
  6. Create another project in the group: Test
  7. In the project Test, go to Secure -> Policies, edit the policy project, and select SPP project.
  8. In the project Test, create .gitlab-ci.yml:
    stages:
      - build
      - test
      - deploy
    
    build job:
      stage: build
      script:
        - echo "Compiling the code..."
        - echo "Compile complete."
    
    project test job:
      stage: test
      script:
        - echo "Running unit tests... This will take about 60 seconds."
        - echo "Code coverage is 90%"
    
    deploy job:
      stage: deploy
      environment: production
      script:
        - echo "Deploying application..."
        - echo "Application successfully deployed."
  9. Go to Pipelines and run a pipeline.
  10. Verify that the stages with their jobs from the policy are injected into the pipeline in the expected order.
  11. Edit the project's .gitlab-ci.yml and try to assign a job to one of the reserved stages. Verify that this is not possible.
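The behaviour the validation steps above check, modelled as a small added Ruby example. This is illustration code written for this page, not GitLab's implementation of reserved stages: it assumes a stage order of `.pipeline-policy-pre`, `.pre`, the project's declared stages, `.post`, `.pipeline-policy-post`; that a job without a `stage` key defaults to `test`; and that, on a job-name collision under `inject_ci`, the policy's definition wins. The page states none of those details, and the sample configs are constructed to mirror the ones in the steps above with distinct job names.

```ruby
# Added illustration, not GitLab's code: reserved pipeline-policy stages are
# rejected in project CI config but accepted from a policy, and the policy's
# jobs are placed before/after everything the project defines.

RESERVED_STAGES = %w[.pipeline-policy-pre .pipeline-policy-post].freeze
EDGE_STAGES     = %w[.pre .post].freeze
DEFAULT_STAGE   = 'test'.freeze # assumption: jobs without `stage` land in test

# Full stage order for the merged pipeline (assumed model, see lead-in):
# policy-pre, .pre, the project's declared stages, .post, policy-post.
def ordered_stages(project_stages)
  declared = project_stages - EDGE_STAGES - RESERVED_STAGES
  ['.pipeline-policy-pre', '.pre', *declared, '.post', '.pipeline-policy-post']
end

# Everything in a config hash except the `stages` list is a job definition.
def jobs_of(config)
  config.reject { |key, _| key == 'stages' }
end

# Project CI config may neither declare a reserved stage nor assign a job to
# one. Returns an array of error strings; empty means the config is valid.
def validate_project_config(config)
  errors = []
  Array(config['stages']).each do |stage|
    errors << "stage '#{stage}' is reserved for pipeline execution policies" if RESERVED_STAGES.include?(stage)
  end
  jobs_of(config).each do |name, job|
    stage = job.fetch('stage', DEFAULT_STAGE)
    errors << "job '#{name}' cannot use reserved stage '#{stage}'" if RESERVED_STAGES.include?(stage)
  end
  errors
end

# inject_ci strategy: validate the project config first, then merge the policy
# jobs in (policy wins on a name collision, an assumption of this example).
# Returns [[job_name, stage], ...] sorted into pipeline stage order.
def inject_policy(project_config, policy_config)
  errors = validate_project_config(project_config)
  raise ArgumentError, errors.join('; ') unless errors.empty?

  stages   = ordered_stages(Array(project_config['stages']))
  all_jobs = jobs_of(project_config).merge(jobs_of(policy_config))
  placed = all_jobs.map do |name, job|
    stage = job.fetch('stage', DEFAULT_STAGE)
    raise ArgumentError, "job '#{name}' uses unknown stage '#{stage}'" unless stages.include?(stage)
    [name, stage]
  end
  placed.sort_by { |_, stage| stages.index(stage) }
end

# Constructed sample input modelled on the project and policy configs above.
SAMPLE_PROJECT_CONFIG = {
  'stages'           => %w[build test deploy],
  'build job'        => { 'stage' => 'build',  'script' => ['echo "Compiling the code..."'] },
  'project test job' => { 'stage' => 'test',   'script' => ['echo "Running unit tests..."'] },
  'deploy job'       => { 'stage' => 'deploy', 'script' => ['echo "Deploying application..."'] }
}.freeze

SAMPLE_POLICY_CONFIG = {
  'policy pre job'       => { 'stage' => '.pipeline-policy-pre',  'script' => ['echo "Policy building..."'] },
  'slow policy test job' => { 'stage' => 'test',                  'script' => ['echo "Slow test completed."'] },
  'policy post job'      => { 'stage' => '.pipeline-policy-post', 'script' => ['echo "Deploying..."'] }
}.freeze

# A project config that tries to hijack a reserved stage (what step 11 checks).
BAD_PROJECT_CONFIG = {
  'stages'   => %w[build test],
  'sneaky'   => { 'stage' => '.pipeline-policy-pre', 'script' => ['echo "should be rejected"'] }
}.freeze

if $PROGRAM_NAME == __FILE__
  inject_policy(SAMPLE_PROJECT_CONFIG, SAMPLE_POLICY_CONFIG).each { |name, stage| puts "#{stage.ljust(24)} #{name}" }
  puts validate_project_config(BAD_PROJECT_CONFIG)
end
```

Running the block prints the merged job list with the policy's pre job first and its post job last, then the validation error for the project config that tried to use `.pipeline-policy-pre`.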

Related to #452384 (closed)

Edited by Martin Čavoj