Fail the pipeline when .pipeline-policy-pre stage fails

What does this MR do and why?

This MR ensures that DAG jobs are skipped when the .pipeline-policy-pre stage (and, as a result, the pipeline) fails.

All jobs have to wait for the .pipeline-policy-pre stage to finish before they can start. If this stage fails, no job should be allowed to start (neither DAG jobs nor jobs with when: always); otherwise the compliance checks done in .pipeline-policy-pre can be bypassed.

This MR:

  • Ensures that DAG jobs don't start when .pipeline-policy-pre fails
  • Ensures that jobs with when: always don't start while .pipeline-policy-pre is running or when it fails
  • Updates the documentation to set clearer expectations for the behavior of the .pipeline-policy-pre stage
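The two bypass paths described above (a DAG job declared with needs: [] and a job with when: always) are easiest to see in a small scheduling model. The following is an added illustration written for this page, not GitLab's scheduler code: it reduces the rules to what this MR description states, the status names ('success', 'failed', 'running') and the 'started'/'skipped'/'waiting' outcomes are assumptions, and the canceled and when: manual rows of the scenario table are not modeled. enforce_pre=False reproduces the pre-MR behavior, enforce_pre=True the behavior after this MR.

```python
"""Simplified model of which project jobs may start around the reserved
.pipeline-policy-pre stage, before and after this MR.  Added illustration
for this page, not GitLab's scheduler; rules are reduced to what the MR
description states and the status/outcome names are assumed."""
from dataclasses import dataclass
from typing import Optional

PRE_STAGE = ".pipeline-policy-pre"


@dataclass(frozen=True)
class Job:
    name: str
    when: str = "on_success"        # on_success | always | on_failure
    needs: Optional[list] = None    # None: stage ordering; []: DAG job with no deps


def effective_pre_status(pre_status: str, pre_allow_failure: bool) -> str:
    """allow_failure: true on the policy job makes its failure non-blocking
    (the 'no change' row in the scenario table)."""
    if pre_status == "failed" and pre_allow_failure:
        return "success"
    return pre_status


def schedule(jobs, pre_status, pre_allow_failure=False, enforce_pre=True):
    """Map each job name to 'started', 'skipped' or 'waiting'.

    enforce_pre=False: pre-MR behavior, where needs: [] and when: always
    let a job run around a failed (or still running) .pipeline-policy-pre.
    enforce_pre=True: this MR's rule that nothing starts until the stage
    has succeeded."""
    status = effective_pre_status(pre_status, pre_allow_failure)
    result = {}
    for job in jobs:
        if enforce_pre:
            if status == "running":
                result[job.name] = "waiting"
            elif status == "failed":
                result[job.name] = "skipped"   # no bypass via needs or when
            else:
                result[job.name] = "skipped" if job.when == "on_failure" else "started"
            continue
        # Pre-MR behavior: the bypasses this MR closes
        if job.needs == []:
            result[job.name] = "started"       # DAG job ignores stage ordering
        elif job.when == "always":
            result[job.name] = "started"       # runs regardless of earlier stages
        elif status == "running":
            result[job.name] = "waiting"
        elif job.when == "on_failure":
            result[job.name] = "started" if status == "failed" else "skipped"
        else:                                  # on_success
            result[job.name] = "started" if status == "success" else "skipped"
    return result


# Constructed jobs mirroring the validation config in this MR description,
# plus an ordinary on_success job (name assumed).
JOBS = [
    Job("policy-test-empty-needs", needs=[]),
    Job("policy-test-when-always", when="always"),
    Job("deploy"),
]


def bypassing_jobs(jobs=JOBS):
    """Jobs that start on a failed .pipeline-policy-pre before the fix
    but not after it."""
    before = schedule(jobs, "failed", enforce_pre=False)
    after = schedule(jobs, "failed", enforce_pre=True)
    return sorted(n for n, s in before.items()
                  if s == "started" and after[n] != "started")


if __name__ == "__main__":
    for name in bypassing_jobs():
        print(f"{name}: bypassed the compliance checks before this MR")
```

Running the module lists the two jobs from the validation config as the ones that previously bypassed the failed policy stage; with allow_failure: true on the policy job both modes let every job start, which is the "no change" row of the scenario table.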

References

Screenshots or screen recordings

Scenario                                                                    | Before (screenshot)                  | After (screenshot)
----------------------------------------------------------------------------|--------------------------------------|-------------------------------------
.pipeline-policy-pre failing                                                | CleanShot_2025-07-18_at_15.43.16_2x  | CleanShot_2025-07-18_at_15.41.44_2x
.pipeline-policy-pre failing with allow_failure: true (no change)           | CleanShot_2025-07-18_at_15.45.26_2x  | CleanShot_2025-07-18_at_15.53.58_2x
.pipeline-policy-pre skipped using when: on_failure                         | CleanShot_2025-07-18_at_15.56.44_2x  | CleanShot_2025-07-18_at_15.55.04_2x
.pipeline-policy-pre canceled                                               | CleanShot_2025-07-18_at_15.59.22_2x  | CleanShot_2025-07-18_at_16.00.59_2x
.pipeline-policy-pre with when: manual                                      | CleanShot_2025-07-18_at_16.09.44_2x  | CleanShot_2025-07-18_at_16.09.21_2x
.pipeline-policy-pre failing and project jobs have when: on_failure         | CleanShot_2025-07-18_at_16.21.31_2x  | CleanShot_2025-07-18_at_16.19.31_2x

How to set up and validate locally

  1. Create a project
  2. Create a pipeline execution policy with the following CI config:
    stages: [test, policy-test, deploy]
    
    # Runs in the reserved policy stage that precedes all project stages;
    # it fails on purpose after 10 seconds.
    policy-pre:
      stage: .pipeline-policy-pre
      script:
        - sleep 10
        - exit 1
    
    # DAG job with no dependencies: must not start once policy-pre fails.
    policy-test-empty-needs:
      stage: policy-test
      script: exit 0
      needs: []
    
    # when: always job: must not start while policy-pre runs or after it fails.
    policy-test-when-always:
      stage: policy-test
      script: exit 0
      when: always

In the policy.yml, enable the experiment (similar to https://docs.gitlab.com/user/application_security/policies/scheduled_pipeline_execution_policies/#enable-scheduled-pipeline-execution-policies). Make sure to update the file via an MR so that the cache invalidation is triggered right away. The full policy.yml should look something like this:

---
experiments:
  ensure_pipeline_policy_pre_succeeds:
    enabled: true
pipeline_execution_policy:
- name: Inject
  description: ''
  enabled: true
  pipeline_config_strategy: inject_policy
  content:
    include:
    - project: <path-to-project-with-policy-ci-config>
      file: policy.yml
  skip_ci:
    allowed: false
  variables_override:
    allowed: false
    exceptions: []
  3. Run the pipeline
  4. Verify that the policy-test-empty-needs and policy-test-when-always jobs don't run

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #534302 (closed)

Edited by Martin Cavoj
