Trigger policy workers based on diff_head_pipeline
What does this MR do and why?
We need to check `diff_head_pipeline` instead of `head_pipeline_id` when we trigger the policy sync worker, so that the merge check is correctly updated.
If there's a second commit in the MR which doesn't trigger a pipeline, `head_pipeline` still points to the pipeline for the first commit while `diff_head_pipeline` is nil.
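The two-commit situation above, as an added illustration that is not GitLab's code: a minimal stand-in for the merge request's pipeline lookups (the class, its fields and the `two_commit_scenario` helper are simplified assumptions for this example) showing why a decision keyed on `head_pipeline_id` sees a stale pipeline while `diff_head_pipeline` correctly reports that none exists for the current diff head.

```ruby
# Added illustration, not GitLab's implementation: a simplified model of the
# head_pipeline / diff_head_pipeline distinction described in this MR.
Pipeline = Struct.new(:id, :sha)

class MergeRequest
  def initialize
    @commits = []   # commit shas in push order; the last one is the diff head
    @pipelines = [] # pipelines created for this MR, in creation order
  end

  # Push a commit; a pipeline is only created when workflow rules allow it.
  def push(sha, pipeline_created:)
    @commits << sha
    @pipelines << Pipeline.new(@pipelines.size + 1, sha) if pipeline_created
  end

  def diff_head_sha
    @commits.last
  end

  # Latest pipeline on the MR, regardless of which commit it ran against.
  def head_pipeline
    @pipelines.last
  end

  # The head pipeline only counts as the diff head pipeline when it actually
  # ran against the current diff head; otherwise there is none (nil).
  def diff_head_pipeline
    hp = head_pipeline
    hp if hp && hp.sha == diff_head_sha
  end
end

# Constructed scenario from the MR description: the first commit gets a
# pipeline, the second (pushed by a user whose pipelines are disabled) does not.
def two_commit_scenario
  mr = MergeRequest.new
  mr.push("aaa111", pipeline_created: true)
  mr.push("bbb222", pipeline_created: false)
  {
    head_pipeline_sha: mr.head_pipeline&.sha,
    diff_head_pipeline: mr.diff_head_pipeline,
    # Keying on head_pipeline_id treats the stale first-commit pipeline as
    # current; keying on diff_head_pipeline sees that nothing ran for bbb222.
    has_head_pipeline_id: !mr.head_pipeline.nil?,
    has_diff_head_pipeline: !mr.diff_head_pipeline.nil?
  }
end
```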
References
Screenshots or screen recordings
How to set up and validate locally
- Create a project with the following `.gitlab-ci.yml`:

  ```yaml
  workflow:
    rules:
      - if: $GITLAB_USER_LOGIN == "<username_to_impersonate>"
        when: never
      - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      - if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS
        when: never

  variables:
    AST_ENABLE_MR_PIPELINES: "true"

  include:
    - template: Jobs/Secret-Detection.gitlab-ci.yml

  test:
    script:
      - echo ""
  ```

- Set up a merge request approval policy:

  ```yaml
  approval_policy:
    - name: Test
      description: ''
      enabled: true
      actions:
        - type: require_approval
          approvals_required: 1
          role_approvers:
            - maintainer
            - owner
        - type: send_bot_message
          enabled: true
      rules:
        - type: scan_finding
          scanners: []
          vulnerabilities_allowed: 0
          severity_levels: []
          vulnerability_states: []
          branch_type: protected
      fallback_behavior:
        fail: closed
  ```

- Create a new branch and push a commit.
- Open a merge request.
- Impersonate the user for whom the pipelines are disabled.
- In the merge request, push another commit.
- Make sure that the policy merge check fails and doesn't get stuck.
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #589614

