Apply PEP policy job variables with highest precedence
What does this MR do and why?
This change marks the jobs coming from the Pipeline Execution Policies using build metadata and re-applies the `yaml_variables` from these jobs with the highest precedence.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Enable the feature flag: `Feature.enable(:pipeline_execution_policy_type)`
- Create a group
- In the group, create a project `Compliance project`
- In the `Compliance project`, create a file `variables.yml`:

```yaml
variables:
  OTHER_POLICY_VAR: 'should not leak into project pipeline'
  TEST_TOKEN: 'policy token'

project_policy::policy test job:
  variables:
    POLICY_JOB_VAR: 'policy job variable'
  stage: test
  script:
    - echo "OTHER_POLICY_VAR = $OTHER_POLICY_VAR"
    - echo "TEST_TOKEN = $TEST_TOKEN"
    - echo "POLICY_JOB_VAR = $POLICY_JOB_VAR"
```

- In the group, create a project `Variables precedence`
- In the project `Variables precedence`, create `.gitlab-ci.yml`:

```yaml
variables:
  TEST_TOKEN: 'global token'
  CI_DEBUG_TRACE: "true"

build:
  stage: build
  script:
    - echo "TEST_TOKEN = $TEST_TOKEN, OTHER_POLICY_VAR = $OTHER_POLICY_VAR"

rspec:
  stage: test
  variables:
    TEST_TOKEN: "rspec token"
  script:
    - echo "Running RSpec..."
    - echo "TEST_TOKEN = $TEST_TOKEN, OTHER_POLICY_VAR = $OTHER_POLICY_VAR, POLICY_JOB_VAR = $POLICY_JOB_VAR"
```

- In the project, go to Secure -> Policies -> New policy -> Pipeline execution policy. Go to `.yaml mode` and use the following:

```yaml
type: pipeline_execution_policy
name: PEP with variables
description: ''
enabled: true
pipeline_config_strategy: inject_ci
content:
  include:
    - project: gitlab-org/pipeline-execution-policies/compliance-project
      file: variables.yml
      ref: main
```

- Configure with merge request and merge
- Go back to the `Variables precedence` project, run a pipeline and observe the variables output. Verify that variables from the policy jobs are only applied in the policy jobs and that values defined in the project's CI YAML are overwritten.
- Go to the project's settings -> CI/CD and create new variables `TEST_TOKEN = overwritten from project settings`, `POLICY_JOB_VAR = overwritten from project settings`
- Run a new pipeline and verify that the value is only applied for non-policy jobs. Policy jobs should keep the previous value.
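The precedence the validation steps above check, written out as a small runnable model. This is an added illustration for this page, not GitLab's implementation: the names `Job`, `build_jobs`, `resolve_job_variables` and `run_pipeline` are assumptions, the two YAML files are embedded as plain dicts instead of being parsed, and the "from policy" mark that GitLab keeps in build metadata is modelled as a boolean flag. It reuses the variable names and values from the validation steps so the output can be compared with the two pipelines described there.

```python
"""Toy model of CI variable precedence for pipeline execution policy (PEP) jobs.

Added illustration, not GitLab's implementation. Assumed ordering (lowest to
highest): project-level YAML globals, a job's own yaml_variables, CI/CD
settings variables; for a job marked as coming from a policy, its
yaml_variables are re-applied last so nothing in the project can overwrite them.
"""
from dataclasses import dataclass

RESERVED = {"variables", "stages", "include"}  # top-level keys that are not jobs

# Constructed stand-in for the project's .gitlab-ci.yml (values from the page)
PROJECT_CONFIG = {
    "variables": {"TEST_TOKEN": "global token", "CI_DEBUG_TRACE": "true"},
    "build": {"stage": "build"},
    "rspec": {"stage": "test", "variables": {"TEST_TOKEN": "rspec token"}},
}

# Constructed stand-in for the compliance project's variables.yml (values from the page)
POLICY_CONFIG = {
    "variables": {
        "OTHER_POLICY_VAR": "should not leak into project pipeline",
        "TEST_TOKEN": "policy token",
    },
    "project_policy::policy test job": {
        "stage": "test",
        "variables": {"POLICY_JOB_VAR": "policy job variable"},
    },
}


@dataclass
class Job:
    name: str
    yaml_variables: dict  # globals of the job's own YAML file merged with job-level ones
    from_policy: bool     # GitLab keeps this mark in build metadata; a flag in this model


def build_jobs(config: dict, from_policy: bool) -> list:
    """Turn a YAML-like config into jobs, merging that file's globals into each job."""
    file_globals = config.get("variables", {})
    jobs = []
    for name, spec in config.items():
        if name in RESERVED:
            continue
        merged = {**file_globals, **spec.get("variables", {})}
        jobs.append(Job(name, merged, from_policy))
    return jobs


def resolve_job_variables(job: Job, project_globals: dict, settings_variables: dict) -> dict:
    """Effective variables for one job under the assumed precedence rules."""
    effective = dict(project_globals)       # project .gitlab-ci.yml globals
    effective.update(job.yaml_variables)    # the job's own YAML variables
    effective.update(settings_variables)    # CI/CD settings variables override YAML
    if job.from_policy:
        effective.update(job.yaml_variables)  # policy job variables win over everything
    return effective


def run_pipeline(settings_variables: dict) -> dict:
    """Resolve every job of the merged (inject_ci) pipeline; returns {job name: variables}."""
    project_globals = PROJECT_CONFIG.get("variables", {})
    jobs = build_jobs(PROJECT_CONFIG, from_policy=False) + build_jobs(POLICY_CONFIG, from_policy=True)
    return {job.name: resolve_job_variables(job, project_globals, settings_variables) for job in jobs}


if __name__ == "__main__":
    overrides = {"TEST_TOKEN": "overwritten from project settings",
                 "POLICY_JOB_VAR": "overwritten from project settings"}
    for title, settings in (("first pipeline, no settings variables", {}),
                            ("second pipeline, settings variables added", overrides)):
        print(f"== {title}")
        for name, variables in run_pipeline(settings).items():
            print(f"  {name}: {variables}")
```

Running it prints the two pipelines from the validation steps: in the first, `OTHER_POLICY_VAR` and `POLICY_JOB_VAR` appear only in the policy job and the policy job's `TEST_TOKEN` is `policy token` rather than the project's `global token`; in the second, `build` and `rspec` pick up the settings values while the policy job keeps its own.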
Related to #455312 (closed)
Edited by Martin Čavoj