Fix bug in Ci::Pipeline#protected_ref? method (!184658) · Merge requests · GitLab.org / GitLab

Why this MR ?

We have two related open issues caused by the same root cause that needs to be fixed. The values for CI_COMMIT_REF_PROTECTED predefined CI variable and value for ref_protected claim in CI JWT ID Token are wrongly set as false in one scenario when it is supposed to be true - i.e. in the scenario where a pipeline is run for an MR whose source branch is protected

What does this MR do ?

This MR fixes the bug by implementing this proposal to Ci::Pipeline#protected_ref? method

Check if the source_ref_path of the pipeline is protected instead of the git_ref path of the pipeline
Note that the values of source_ref_path and git_ref is the same EXCEPT for the case of Merge Requests. In the case of Merge Requests, it returns the ref of the source branch of the Merge Request - Refer here
For easy review, I have written down the easily comparable simplified final logic versions of the methods - git_ref method that we are replacing and source_ref_path method which we are using instead below and we can see that the change is only for merge requests where we use source_branch instead of ref

def git_ref
  if merge_request?
    Gitlab::Git::BRANCH_REF_PREFIX + ref.to_s
  elsif branch?
    Gitlab::Git::BRANCH_REF_PREFIX + ref.to_s
  elsif tag?
    Gitlab::Git::TAG_REF_PREFIX + ref.to_s
  end
end

def source_ref_path
  if merge_request?
    Gitlab::Git::BRANCH_REF_PREFIX + merge_request.source_branch
  elsif branch?
    Gitlab::Git::BRANCH_REF_PREFIX + ref.to_s
  elsif tag?
    Gitlab::Git::TAG_REF_PREFIX + ref.to_s
  end
end

For a pipeline that is run for a Merge Request, The ref follows a special format: refs/merge-requests/X/head, where X is the merge request ID whereas merge_request.source_branch is the name of the source_branch of the merge request which is marked as protected