
Trigger pipelines from PEP schedules

What does this MR do and why?

Triggers CI pipelines for pipeline execution policy project schedules. It is based on !175246 (merged), which adds the Sidekiq worker RunScheduleWorker whose logic this MR implements.

References

Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Enable the feature flag:

```shell
echo "Feature.enable(:scheduled_pipeline_execution_policies)" | rails c
```

  2. Create a top-level group and two projects inside it:
    • top-level/spp
    • top-level/test
  3. Commit the following .gitlab/security-policies/policy.yml to top-level/spp:

```yaml
scan_result_policy: []
approval_policy: []
ci_component_publishing_policy: []
vulnerability_management_policy: []
pipeline_execution_schedule_policy:
- name: "Scheduled PEP"
  description: "Schedule pipeline execution policy"
  enabled: true
  schedule:
    cadence: "0 0 * * *"
  content:
    include:
    - project: top-level/spp
      file: scheduled.yml
pipeline_execution_policy:
- name: "Scheduled PEP"
  description: "Pipeline execution policy"
  enabled: true
  pipeline_config_strategy: override_project_ci
  content:
    include:
    - project: top-level/spp
      file: regular.yml
scan_execution_policy:
- name: Secret detection
  enabled: true
  rules:
  - type: pipeline
    branch_type: all
  actions:
  - scan: secret_detection
```

  4. Commit the following scheduled.yml to top-level/spp:

```yaml
scheduled_pep_job_pre:
  stage: .pipeline-policy-pre
  script: exit 0

scheduled_pep_job_post:
  stage: .pipeline-policy-post
  script: exit 0

scheduled_pep_job_test:
  stage: test
  script: exit 0
```

  5. Commit the following regular.yml to top-level/spp:

```yaml
regular_pep_job_pre:
  stage: .pipeline-policy-pre
  script: exit 0

regular_pep_job_post:
  stage: .pipeline-policy-post
  script: exit 0

regular_pep_job_test:
  stage: test
  script: exit 0
```

  6. On the project level of top-level/test, navigate to Secure > Policies, click the Edit policy project button and assign top-level/spp.
  7. On the project level of top-level/spp, navigate to Settings > General, expand Visibility, project features, permissions and enable Grant access to the CI/CD configurations.
  8. Execute the resulting project schedule immediately:

```ruby
Security::PipelineExecutionPolicies::RunScheduleWorker.perform_async(Security::PipelineExecutionProjectSchedule.last.id)
```

  9. Verify that the resulting pipeline for top-level/test has three stages, each with one job:
    • .pipeline-policy-pre: scheduled_pep_job_pre
    • test: scheduled_pep_job_test
    • .pipeline-policy-post: scheduled_pep_job_post
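Added example (not code from this MR or from GitLab): a Ruby check over the policy.yml and scheduled.yml committed above that flags a disabled schedule policy, a cadence that is not a 5-field cron expression, or an include served from a project other than the policy project that was granted CI/CD configuration access, and derives the stage layout the verification step expects. The project name and file contents are taken from the steps; the stage order (pre, project stages, post) is an assumption.

```ruby
require 'yaml'
# Constructed excerpt of the policy.yml above: only the schedule policy is kept.
POLICY_YML = <<~YAML
  pipeline_execution_schedule_policy:
  - name: "Scheduled PEP"
    enabled: true
    schedule:
      cadence: "0 0 * * *"
    content:
      include:
      - project: top-level/spp
        file: scheduled.yml
YAML
# Constructed excerpt of scheduled.yml above: only the stage of each job is kept.
SCHEDULED_YML = <<~YAML
  scheduled_pep_job_pre: { stage: .pipeline-policy-pre }
  scheduled_pep_job_post: { stage: .pipeline-policy-post }
  scheduled_pep_job_test: { stage: test }
YAML
CRON_FIELD = /\A(\*|[\d,\-\/]+)\z/ # one cron field: '*' or digits with , - /

# Lists problems in the schedule policies (empty array means OK): a disabled
# policy, a cadence that is not a 5-field cron expression, or an include that
# is not served from the policy project that was granted CI/CD config access.
def schedule_policy_problems(policy_yaml, policy_project:)
  problems = []
  Array(YAML.safe_load(policy_yaml)['pipeline_execution_schedule_policy']).each do |policy|
    name = policy['name'] || '<unnamed>'
    problems << "#{name}: policy is disabled" unless policy['enabled'] == true
    fields = policy.dig('schedule', 'cadence').to_s.split
    unless fields.size == 5 && fields.all? { |f| f.match?(CRON_FIELD) }
      problems << "#{name}: cadence must be a 5-field cron expression"
    end
    Array(policy.dig('content', 'include')).each do |inc|
      next if inc['project'] == policy_project
      problems << "#{name}: #{inc['file']} is included from #{inc['project']}, not #{policy_project}"
    end
  end
  problems
end

# Groups a CI config's jobs by stage in the assumed policy-pipeline order (pre, project stages, post).
def stage_layout(ci_yaml)
  jobs = YAML.safe_load(ci_yaml)
  ['.pipeline-policy-pre', 'test', '.pipeline-policy-post'].each_with_object({}) do |stage, acc|
    names = jobs.select { |_, job| job.is_a?(Hash) && job['stage'] == stage }.keys.sort
    acc[stage] = names unless names.empty?
  end
end
```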

Related to #504091 (closed)

Edited by Dominic Bauer
