Enforce variables_override for scheduled PEP pipelines

What does this MR do and why?

Mirrors the scheduled SEP approach from !226155 (merged) for scheduled pipeline execution policies. It threads policy context into pipeline creation and applies variables_override metadata so scheduled PEP jobs are wired into the variables_override path while preserving current CI variable precedence behavior.

How to set up and validate locally

1) Enable the feature flag

Feature.enable(:scan_execution_policy_variables_override)

2) Prepare a security policy project

Create a project (for example security-policy-project) with:

  • policy-ci.yml
  • .gitlab/security-policies/policy.yml

policy-ci.yml example:

test_job:
  script:
    - echo "TEST_VAR is $TEST_VAR"
  variables:
    TEST_VAR: "policy_value"

.gitlab/security-policies/policy.yml example:

---
experiments:
  pipeline_execution_schedule_policy:
    enabled: true
pipeline_execution_schedule_policy:
  - name: Scheduled PEP Test
    description: 'Local validation policy'
    enabled: true
    content:
      include:
        - project: <full/path/to/security-policy-project>
          file: policy-ci.yml
    skip_ci:
      allowed: false
    schedules:
      - type: daily
        start_time: '00:00'
        time_window:
          value: 3600
          distribution: random

3) Link the policy project to the target

Link it to your target project (or group), then sync policies.

4) Add a competing CI/CD variable

In target project/group/instance variables, add:

  • TEST_VAR=overridden_value

5) Trigger scheduled PEP pipeline from Rails console

project = Project.find(<target-project-id>)
schedule = Security::PipelineExecutionProjectSchedule.find_by!(project_id: project.id)
Security::PipelineExecutionPolicies::RunScheduleWorker.new.perform(schedule.id)

6) Validate expected behavior

Inspect the latest pipeline_execution_policy_schedule pipeline/job and confirm:

  • policy metadata includes variables_override: { allowed: true }
  • effective TEST_VAR resolves to overridden_value (the project variable takes precedence under this MR's behavior)

Note on behavior change

This MR now sets scheduled PEP job metadata with variables_override: { allowed: true }.

This is intended to be a no-op for current scheduled PEP variable precedence behavior:

  • with allowed: true and no exceptions, variables are not filtered,
  • so project/group/instance CI/CD variables continue to take precedence as before.

In other words, this refactor wires scheduled PEP into the variables_override path without changing existing precedence behavior for current policies.
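To make the precedence rule above concrete, here is an added stand-alone Ruby sketch (not GitLab's implementation) of how a variables_override setting decides which project/group/instance CI/CD variables may shadow variables defined in the policy CI configuration. The handling of an exceptions list is an assumption based on the policy schema; the MR itself only exercises allowed: true with no exceptions.

```ruby
# Added illustration, not GitLab code. Models how a pipeline execution policy's
# variables_override metadata filters the project/group/instance CI/CD variables
# that are allowed to shadow variables defined in the policy's CI configuration.
#
# Semantics assumed here (this MR only exercises the first case):
#   allowed: true,  exceptions: []      -> nothing filtered; project vars win (as before)
#   allowed: true,  exceptions: [names] -> project vars win, except the listed names
#   allowed: false, exceptions: []      -> every policy variable wins
#   allowed: false, exceptions: [names] -> policy wins, except the listed names may be overridden
module VariablesOverride
  # Returns the subset of +project_vars+ permitted to override +policy_vars+.
  def self.filter_overrides(policy_vars, project_vars, override)
    allowed    = override.fetch(:allowed)
    exceptions = Array(override.fetch(:exceptions, [])).map(&:to_s)

    project_vars.select do |name, _value|
      # Variables the policy does not define are never in conflict.
      next true unless policy_vars.key?(name)

      excepted = exceptions.include?(name.to_s)
      allowed ? !excepted : excepted
    end
  end

  # Effective variables seen by the policy job: policy values, shadowed by the
  # project values that survive the filter.
  def self.effective_variables(policy_vars, project_vars, override)
    policy_vars.merge(filter_overrides(policy_vars, project_vars, override))
  end
end

# Constructed sample mirroring the validation steps above (TEST_VAR in both places).
POLICY_VARS  = { 'TEST_VAR' => 'policy_value' }.freeze
PROJECT_VARS = { 'TEST_VAR' => 'overridden_value', 'OTHER' => 'x' }.freeze

if __FILE__ == $PROGRAM_NAME
  # Metadata this MR sets for scheduled PEP jobs: no filtering, project value wins.
  p VariablesOverride.effective_variables(POLICY_VARS, PROJECT_VARS, { allowed: true })
  # Restrictive policy for comparison: the policy value is kept.
  p VariablesOverride.effective_variables(POLICY_VARS, PROJECT_VARS, { allowed: false })
end
```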

Edited by Andy Schoenen
