Add pipeline execution policy schedule run
What does this MR do and why?
This is a proof of concept (POC) that makes it possible to run pipeline execution policies on a schedule. It is behind the `scheduled_pipeline_execution_policies` feature flag.
I tried to re-use as much of the existing logic as possible. We already have scheduled scan execution policies, so I extended the `Security::OrchestrationPolicyRuleSchedule` model to work for multiple policy types. Based on this we can store and process schedule rules for pipeline execution policies.
To configure the schedule, there's a new field `triggers` in the pipeline execution schema. It contains a set of rules that define the cadence for the schedule and the branches it should be triggered on.

`pipeline_config_strategy` is not relevant for the scheduled pipelines: a scheduled pipeline should always run only the policy jobs and should never fall back to running project jobs, should the pipeline be filtered out by workflow rules. For this reason, we may eventually remove `pipeline_config_strategy` as a top-level keyword and use `triggers` also for the triggered pipelines (regular PEPs). See this comment for more information.
Before this feature can be released on production we have to:
- Move pipeline creation to a separate worker.
- Refine the schema.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
1. Enable the feature flag:

   ```shell
   echo "Feature.enable(:scheduled_pipeline_execution_policies)" | rails c
   ```

2. Create a group.
3. Create a project in the group.
4. Create a `policy-ci.yml` file with the following content:

   ```yaml
   policy job:
     stage: build
     script:
       - echo "Do your policy script here"
   ```

5. Create a `.gitlab/security-policies/policy.yml` file with the following content:

   ```yaml
   ---
   pipeline_execution_policy:
     - name: pipeline execution
       description: ''
       enabled: true
       pipeline_config_strategy: override_project_ci
       triggers:
         - type: schedule
           cadence: '0 10 * * *'
           branches:
             - main
       content:
         include:
           - project: your-group/your-project
             file: policy-ci.yml
   ```

6. Replace `your-group/your-project` with the path to your project.
7. On the group's left sidebar, select Security & Compliance and Policies.
8. Select Edit policy project.
9. Select the project you created in step 3.
10. Create another new project for the group.
11. Trigger the scheduled run via rails console:

    ```ruby
    Security::OrchestrationPolicyRuleSchedule.update_all(next_run_at: 1.day.ago)
    Security::OrchestrationPolicyRuleScheduleWorker.new.perform
    ```

12. On the left sidebar, select Build -> Pipelines.
13. There should be a new pipeline triggered by the security policy bot containing the `policy job`. It may take a few minutes for the pipeline to appear.
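As an added example that is not part of this MR or of GitLab's code, the Ruby script below shows what processing a `triggers` block involves: validating the schedule rules described above (type, cron cadence, branches) and computing the next run time for a cadence, which is the kind of value the schedule model's `next_run_at` column holds. It uses only the standard library and a constructed copy of the `policy.yml` from the setup steps. The function names and the validation rules are assumptions chosen for illustration, and the cron matcher is simplified: it requires both day-of-month and day-of-week to match, whereas classic cron ORs them when both are restricted.

```ruby
# Added example (not GitLab's own code): validate the `triggers` block of a
# pipeline execution policy and compute the next run time for its cron cadence.
require 'yaml'
require 'time'
require 'set'

# Constructed sample policy, mirroring the policy.yml from the setup steps.
POLICY_YAML = <<~YAML
  ---
  pipeline_execution_policy:
    - name: pipeline execution
      description: ''
      enabled: true
      pipeline_config_strategy: override_project_ci
      triggers:
        - type: schedule
          cadence: '0 10 * * *'
          branches:
            - main
      content:
        include:
          - project: your-group/your-project
            file: policy-ci.yml
YAML

# Allowed value ranges for the five cron fields: minute, hour, day of month, month, day of week.
CRON_RANGES = [0..59, 0..23, 1..31, 1..12, 0..6].freeze

def policy_from_yaml(text)
  YAML.safe_load(text).fetch('pipeline_execution_policy').first
end

# Expand one cron field ("*", "5", "1-5", "*/15", "1,3,5") into the set of allowed values.
# Raises ArgumentError for anything outside the field's range or not parseable.
def expand_cron_field(field, range)
  field.split(',').each_with_object(Set.new) do |part, set|
    base, step = part.split('/')
    step = step ? Integer(step) : 1
    lo, hi = base == '*' ? [range.min, range.max] : base.split('-').map { |v| Integer(v) }
    hi ||= lo
    raise ArgumentError, "cron value out of range: #{part}" unless range.cover?(lo) && range.cover?(hi)
    (lo..hi).step(step) { |v| set << v }
  end
end

# Parse a 5-field cadence into five sets of allowed values.
def parse_cadence(cadence)
  fields = cadence.to_s.split
  raise ArgumentError, "cadence must have 5 fields: #{cadence.inspect}" unless fields.size == 5
  fields.zip(CRON_RANGES).map { |f, r| expand_cron_field(f, r) }
end

# Hypothetical validation of a policy's triggers; returns a list of error strings (empty if valid).
def validate_triggers(policy)
  triggers = policy['triggers']
  return ['triggers must be a non-empty list'] unless triggers.is_a?(Array) && triggers.any?

  triggers.each_with_index.with_object([]) do |(t, i), errors|
    errors << "triggers[#{i}].type must be 'schedule'" unless t['type'] == 'schedule'
    begin
      parse_cadence(t['cadence'])
    rescue ArgumentError => e
      errors << "triggers[#{i}].cadence invalid: #{e.message}"
    end
    branches = t['branches']
    errors << "triggers[#{i}].branches must be a non-empty list" unless branches.is_a?(Array) && branches.any?
  end
end

# First UTC time strictly after `from` that matches the cadence, or nil if none within a year.
# Skips by month, day or hour when that unit cannot match, so the search stays fast.
def next_run_at(cadence, from)
  minute, hour, dom, month, dow = parse_cadence(cadence)
  t = Time.utc(from.year, from.month, from.day, from.hour, from.min) + 60
  limit = t + 366 * 24 * 3600
  loop do
    return nil if t > limit

    if !month.include?(t.month)
      t = Time.utc(t.year + (t.month == 12 ? 1 : 0), t.month % 12 + 1, 1)
    elsif !dom.include?(t.day) || !dow.include?(t.wday)
      t = Time.utc(t.year, t.month, t.day) + 86_400
    elsif !hour.include?(t.hour)
      t = Time.utc(t.year, t.month, t.day, t.hour) + 3600
    elsif !minute.include?(t.min)
      t += 60
    else
      return t
    end
  end
end

if $PROGRAM_NAME == __FILE__
  policy = policy_from_yaml(POLICY_YAML)
  errors = validate_triggers(policy)
  puts errors.empty? ? 'triggers valid' : errors.join("\n")
  puts "next run: #{next_run_at(policy['triggers'].first['cadence'], Time.now.utc).iso8601}"
end
```

Running the script validates the sample policy and prints the next 10:00 UTC run; feeding it a cadence such as `0 25 * * *` or an empty `branches` list yields one error per rule, which is the sort of check a refined schema would reject before a schedule row is ever created.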
Related to #472671