Fix: Moving Project with compliance framework

What does this MR do and why?

Fix: Moving Project with compliance framework

  • Remove the compliance framework from the project
  • When the feature is licensed only
  • Pipelines / framework should not be part of project anymore

Changelog: fixed
EE: true

How to set up and validate locally

  1. Use GitLab EE/Ultimate version to test
  2. On master / feature branch test these scenarios
  3. Create test structure objects:
     • Create Group A (top-level)
     • Create Group B (top-level)
     • Create Subgroup A1 under Group A
     • Create Project A3 in Subgroup A1
  4. Create a new compliance framework for Group A using a compliance pipeline (example file below)
  5. Ensure Project A3 is assigned the framework
  6. Transfer Subgroup A1 to Group B
  7. On the main branch, the framework is still attached to the project; on the feature branch, it is not.

Pipeline example file:

include:  # Execute individual project's configuration (if project contains .gitlab-ci.yml)
  - project: '$CI_PROJECT_PATH'
    file: '$CI_CONFIG_PATH'
    ref: '$CI_COMMIT_SHA' # Must be defined or MR pipelines always use the default branch
    rules:
      - if: $CI_PROJECT_PATH != "compliance-group-testing-and-demos/compliance-pipeline" # Must run on projects other than the one hosting this configuration.

# Allows compliance team to control the ordering and interweaving of stages/jobs.
# Stages without jobs defined will remain hidden.
stages:
  - pre-compliance
  - build
  - test
  - deploy
  - post-compliance

variables:  # Can be overridden by setting a job-specific variable in project's local .gitlab-ci.yml
  FOO: sast

sast:  # None of these attributes can be overridden by a project's local .gitlab-ci.yml
  variables:
    FOO: sast
  image: ruby:2.6
  stage: pre-compliance
  rules:
    - if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS && $CI_PIPELINE_SOURCE == "push"
      when: never
    - when: always  # or when: on_success
  allow_failure: false
  before_script:
    - "# No before scripts."
  script:
    - echo "running $FOO"
  after_script:
    - "# No after scripts."

audit trail:
  image: ruby:2.7
  stage: post-compliance
  rules:
    - if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS && $CI_PIPELINE_SOURCE == "push"
      when: never
    - when: always  # or when: on_success
  allow_failure: false
  before_script:
    - "# No before scripts."
  script:
    - echo "running $FOO"
  after_script:
    - "# No after scripts."

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
