Ensure .pipeline-policy-pre jobs finish before starting others

What does this MR do and why?

Jobs with an empty needs statement (needs: []) can start at any time, even while other pipeline stages have not finished yet. For the .pipeline-policy-pre stage we want to make an exception, so that security policy jobs cannot be bypassed this way and must finish before jobs in other stages start.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Enable the feature flag: echo "Feature.enable(:ensure_pipeline_policy_pre_stage_complete)" | rails c
  2. Create a project with a CI job that uses needs: []:
    project job:
      stage: test
      needs: []
      script:
        - echo "Project CI script"
    
  3. Create another file for the pipeline execution policy CI config:
    # policy-ci.yml
    pipeline execution policy job:
      stage: .pipeline-policy-pre
      script:
        - sleep 200
        - echo "Enforce your policy here"
  4. On the left sidebar, select Security & Compliance and Policies.
  5. Select New Policy
  6. Select Pipeline execution policy
  7. Choose a name for the policy
  8. In the Actions section, choose Inject and select the project and policy-ci.yml file you created in step 3.
  9. Select Update via Merge Request.
  10. Merge the MR.
  11. Start a pipeline on the project
  12. The project job should stay in the created state until the pipeline execution policy job is done.
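The following is an added example, not code from GitLab or from this MR: a small Ruby model of the scheduling rule being changed. It treats a pipeline as a list of jobs with a stage, an optional needs list and a status, and decides which jobs may start. With enforcement off, a job with needs: [] starts immediately even while a .pipeline-policy-pre job is still running; with enforcement on, nothing outside that stage starts until every policy job has succeeded. The stage names other than .pipeline-policy-pre and test, and the status strings, are assumptions chosen for the illustration.

```ruby
# Added example (not GitLab's code): toy model of pipeline job scheduling that
# shows why `needs: []` lets a job bypass stage ordering, and how requiring the
# .pipeline-policy-pre stage to complete first closes that gap.

POLICY_PRE_STAGE = '.pipeline-policy-pre'.freeze

# Stage order for the model. `.pipeline-policy-pre` and `test` come from the
# setup steps above; `build` and `deploy` are assumed filler stages.
STAGE_ORDER = [POLICY_PRE_STAGE, 'build', 'test', 'deploy'].freeze

# needs: nil means "no needs keyword", so normal stage ordering applies;
# needs: [] means an explicit empty list, which normally ignores stages.
Job = Struct.new(:name, :stage, :needs, :status, keyword_init: true)

# True when `job` is allowed to start given the status of every job in `jobs`.
def can_start?(job, jobs, enforce_policy_pre: true)
  return false unless job.status == 'created'

  # The rule the MR adds (behind the feature flag): every security policy job
  # must have finished before any job in another stage starts, regardless of
  # that job's `needs`.
  if enforce_policy_pre && job.stage != POLICY_PRE_STAGE
    pending_policy = jobs.select { |j| j.stage == POLICY_PRE_STAGE && j.status != 'success' }
    return false unless pending_policy.empty?
  end

  if job.needs
    # Explicit needs (possibly empty): only the named jobs must have finished.
    return job.needs.all? { |n| jobs.find { |j| j.name == n }&.status == 'success' }
  end

  # No needs keyword: every job in an earlier stage must have finished.
  idx = STAGE_ORDER.index(job.stage)
  jobs.all? { |j| STAGE_ORDER.index(j.stage) >= idx || j.status == 'success' }
end

# Names of the jobs that may start right now.
def startable(jobs, enforce_policy_pre: true)
  jobs.select { |j| can_start?(j, jobs, enforce_policy_pre: enforce_policy_pre) }.map(&:name)
end

# Constructed sample pipeline mirroring the setup above: the policy job is
# still running (its `sleep 200`), the project job has `needs: []`, and an
# assumed build job relies on ordinary stage ordering.
def sample_pipeline
  [
    Job.new(name: 'pipeline execution policy job', stage: POLICY_PRE_STAGE, needs: nil, status: 'running'),
    Job.new(name: 'project job', stage: 'test', needs: [], status: 'created'),
    Job.new(name: 'build job', stage: 'build', needs: nil, status: 'created')
  ]
end

# Mark the policy job as finished and return the updated pipeline.
def finish_policy_job(jobs)
  jobs.each { |j| j.status = 'success' if j.stage == POLICY_PRE_STAGE }
  jobs
end

if __FILE__ == $PROGRAM_NAME
  jobs = sample_pipeline
  puts "without enforcement: #{startable(jobs, enforce_policy_pre: false).inspect}"
  puts "with enforcement:    #{startable(jobs).inspect}"
  puts "after policy job:    #{startable(finish_policy_job(jobs)).inspect}"
end
```

Running the script prints that, without enforcement, "project job" is startable while the policy job is still running (the bypass), that with enforcement nothing is startable, and that once the policy job succeeds both "project job" and "build job" become startable, which is the behaviour described in step 12.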

Related to #469256 (closed)

Edited by Andy Schoenen
