Skip to content

Validate dynamic pipeline dependencies

Fabio Pitino requested to merge validate-dynamic-pipeline-dependencies into master

What does this MR do?

Related to #209070 (closed)

When using dynamic child pipeline feature we have a trigger job that depends explicitly on a job generating the CI config artifact.

For example:

generate-config:
  stage: build
  script: generate-ci-config > generated-config.yml
  artifacts:
    paths:
      - generated-config.yml

child-pipeline:
  stage: test
  trigger:
    include:
      - artifact: generated-config.yml
        job: generate-config

The child-pipeline trigger job depends on generate-config to produce an artifact.

We currently don't validate that the generate-config is part of the child-pipeline dependencies. Failing to define generate-config on a previous stage of child-pipeline would cause the parent pipeline to run but the child pipeline to fail when being created.

This validation was purposely left out in our first iteration of Dynamic child pipelines. In this MR we are explicitly validating that generate-config is present in previous stages of child-pipeline. If validation fails then the parent pipeline fails immediately with syntax error. This is the expected behavior, rather than waiting for the child pipeline to be created.

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Fabio Pitino

Merge request reports