Add support for policy stages to be injected before .pre
What does this MR do and why?
Depends on refactoring in !194147 (merged).
- Allow `.pre` to be referenced by policy custom stages so that they can be injected at the beginning of the pipeline. Without referencing `.pre`, there's no other stable anchor that we can hook into to inject the stages at the beginning.
- Currently, `.pre` stage is automatically moved to the beginning, making it impossible to inject custom policy stages at the beginning of the pipeline.
- We're documenting using `.pre` as a recommendation for injecting custom stages at the beginning.
- We also discussed this approach in !181154 (comment 2392464836). When I tested it at the time, it worked, but only by coincidence because of other setup.
- We implement this as `experiment` to unblock some customers asking for this behavior and get feedback and confidence for GA release. The customers need to opt-in via policy `experiments` configuration.
TODO
- Update docs with `.pipeline-policy-pre` stage to mention that custom stages can be injected before `.pre` for non-blocking behavior:
  > To run non-blocking jobs at the beginning of the pipeline, add a custom stage that runs before the `.pre` stage. For example: `stages: [custom-non-blocking-stage, .pre]`.
How to set up and validate locally
- Create a project
- Create a pipeline execution policy with the following CI config:
  ```yaml
  stages: [policy-stage, .pre]
  policy-job:
    stage: policy-stage
    script: exit 0
  ```
- In the `policy.yml`, enable the experiment (similar to https://docs.gitlab.com/user/application_security/policies/scheduled_pipeline_execution_policies/#enable-scheduled-pipeline-execution-policies). Make sure to update the file via MR to trigger the cache invalidation right away. The full `policy.yml` should look something like this:
  ```yaml
  ---
  experiments:
    pipeline_execution_policy_stages_before_pre:
      enabled: true
  pipeline_execution_policy:
  - name: Inject
    description: ''
    enabled: true
    pipeline_config_strategy: inject_policy
    content:
      include:
      - project: gitlab-org/pep/inject-before-pre
        file: policy.yml
    skip_ci:
      allowed: false
    variables_override:
      allowed: false
      exceptions: []
  ```
- Create `.gitlab-ci.yml`:
  ```yaml
  project-pre-job:
    stage: .pre
    script: exit 0
  ```
- Run a pipeline and verify that `policy-job` runs before `project-pre-job`
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #526072 (closed)
Edited by Martin Čavoj
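
The ordering change described in this MR, as an added example that is not part of the MR and is not GitLab's implementation: a simplified Ruby model of `.pre` being forced to the front versus policy stages anchored ahead of it. The method names, the `build` and `test` project stages, and the placement of policy stages when the experiment is off are assumptions made for illustration.

```ruby
# Added illustration: a simplified model of the stage ordering this MR describes.
# Not GitLab's implementation; all method names here are hypothetical.
PRE_STAGE = '.pre'

# Behaviour described as current: `.pre` is always moved to the front,
# so a stage listed ahead of it in `stages:` cannot run first.
def order_with_pre_first(stages)
  return stages.dup unless stages.include?(PRE_STAGE)

  [PRE_STAGE] + (stages - [PRE_STAGE])
end

# Behaviour behind the experiment: stages the policy lists ahead of `.pre`
# use it as an anchor and stay ahead of it in the merged pipeline.
# Appending the remaining policy stages at the end is a simplification.
def merge_stages(project_stages, policy_stages, experiment_enabled:)
  merged = order_with_pre_first((project_stages + policy_stages).uniq)
  anchor = policy_stages.index(PRE_STAGE)
  return merged unless experiment_enabled && anchor

  leading = policy_stages[0...anchor]
  leading + (merged - leading)
end

# Jobs run in stage order; `jobs` maps job name => stage name.
def job_run_order(jobs, stages)
  jobs.keys.sort_by { |name| stages.index(jobs.fetch(name)) }
end

# Constructed input mirroring the validation steps in the MR description.
PROJECT_STAGES = ['.pre', 'build', 'test'].freeze
POLICY_STAGES  = ['policy-stage', '.pre'].freeze
JOBS = { 'project-pre-job' => '.pre', 'policy-job' => 'policy-stage' }.freeze

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |enabled|
    stages = merge_stages(PROJECT_STAGES, POLICY_STAGES, experiment_enabled: enabled)
    puts "experiment=#{enabled}: stages=#{stages.inspect} jobs=#{job_run_order(JOBS, stages).inspect}"
  end
end
```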