Ci::Build#debug_mode? to return true when build_metadata record is missing

What does this MR do and why?

Context

We need to be able to gracefully handle missing build_metadata records should they arise. See https://gitlab.com/gitlab-org/gitlab/-/issues/546419#note_2554679675 for further details.

If a job does not have build_metadata, we should default debug_mode? to be true so that it enforces rule { debug_mode & ~project_update_build }.prevent :read_build_trace.

This MR

Updates Ci::Build#debug_mode? to return true if the build does not have a build_metadata record. It needs to exclude very old jobs that never had a metadata record to begin with, so we check degenerated?. This is discussed in !194954 (comment 2579029033).

Next iterations to the logic are planned in !194954 (comment 2574776849) (also see !194954 (comment 2580082189)).

References

Screenshots or screen recordings

  • The screenshots below show a job with a debug trace after its metadata record was deleted. In "Before", sensitive data is viewable by a public user. In "After", there is an authorization restriction.
    Before: Screenshot_2025-06-18_at_3.59.10_PM
    After: Screenshot_2025-06-18_at_4.03.19_PM

How to set up and validate locally

Prerequisite: Ensure you have a GitLab Runner set up with your GDK.

  1. Create a new public project.

  2. Update .gitlab-ci.yml with the following content:

       control-job:
         script: echo

       job-with-debug-trace:
         variables:
           CI_DEBUG_TRACE: true
         script: echo

  3. Run the pipeline. After it succeeds, view the job details of job-with-debug-trace. Confirm you can see the debug trace details such as export FF_TEST_FEATURE=false....

  4. Open a new incognito browser window (to mimic a public user). View the job details of both control-job and job-with-debug-trace. You should see job logs similar to the following:

       control-job: Screenshot_2025-06-18_at_4.29.42_PM
       job-with-debug-trace: Screenshot_2025-06-18_at_4.30.22_PM

  5. Delete all the build_metadata records for the pipeline in the Rails console:

       Ci::Pipeline.find(<YOUR_PIPELINE_ID>).all_processable_jobs.each { |job| job.metadata.delete }

  6. Refresh the job details view in the incognito window. Observe that now both jobs have authorization restrictions:

       control-job: Screenshot_2025-06-18_at_4.32.47_PM
       job-with-debug-trace: Screenshot_2025-06-18_at_4.32.56_PM
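
The fail-closed behaviour these steps validate can be modelled in a few lines of plain Ruby. This is an added example, not code from this MR or from GitLab: ModelBuild, Metadata, can_read_trace? and public_access_report are hypothetical names, the sample jobs are constructed, and it assumes the trace of a public project is otherwise readable by anyone.

```ruby
# Simplified model of the behaviour described in this MR, not GitLab's code.
# Only debug_mode?, degenerated? and the quoted rule come from the page;
# every other name here is hypothetical.
Metadata = Struct.new(:debug_trace_enabled)

class ModelBuild
  attr_reader :name, :metadata

  def initialize(name, metadata:, degenerated: false)
    @name = name
    @metadata = metadata
    @degenerated = degenerated
  end

  def degenerated?
    @degenerated
  end

  # Fail closed: a missing metadata record is treated as "debug mode on",
  # unless the job is degenerated (a very old job that never had a record).
  def debug_mode?
    return metadata.debug_trace_enabled if metadata

    !degenerated?
  end
end

# Models rule { debug_mode & ~project_update_build }.prevent :read_build_trace
# Assumption: on a public project the trace is readable unless prevented.
def can_read_trace?(build, project_update_build:)
  !(build.debug_mode? && !project_update_build)
end

# Constructed sample jobs mirroring the validation steps above.
JOBS = [
  ModelBuild.new('control-job', metadata: Metadata.new(false)),
  ModelBuild.new('job-with-debug-trace', metadata: Metadata.new(true)),
  ModelBuild.new('control-job (metadata deleted)', metadata: nil),
  ModelBuild.new('old job (degenerated)', metadata: nil, degenerated: true)
].freeze

# What a public user (no project_update_build ability) may read.
def public_access_report(jobs = JOBS)
  jobs.to_h { |job| [job.name, can_read_trace?(job, project_update_build: false)] }
end

public_access_report.each do |name, allowed|
  puts format('%-32s public trace access: %s', name, allowed ? 'allowed' : 'denied')
end
```

The third row is the case from step 6: with its metadata deleted, control-job can no longer be told apart from a debug job, so the model denies public access to its trace as well.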

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #549355

Edited by Leaminn Ma
