
Fix workflow:rules not accessing passed-upstream and trigger variables

What does this MR do?

This is the second attempt to fix this problem.

Example CI config:

workflow:
  rules:
    - if: $SOME_VARIABLE

test:
  script: echo test

Normally, we should run this pipeline by passing SOME_VARIABLE to it. However, when running this pipeline with the trigger keyword or the trigger API, workflow:rules cannot read the passed variable.

In Ci::CreatePipelineService, we run https://gitlab.com/gitlab-org/gitlab/-/blob/5aae54af261e21b5a17c04967d8d8f0d84730c60/lib/gitlab/ci/pipeline/chain/seed.rb#L25 in the Gitlab::Ci::Pipeline::Chain::Seed section. seeds_block is passed through Ci::CreatePipelineService in the places where some attributes are passed to the to-be-created pipeline. For example, in Ci::PipelineTriggerService and Ci::CreateDownstreamPipelineService, we use it to pass variables.

The problem is, Gitlab::Ci::Pipeline::Chain::EvaluateWorkflowRules is run before Gitlab::Ci::Pipeline::Chain::Seed, so the workflow:rules can't read the variables.

This MR fixes this.

This fix is behind a feature flag ci_seed_block_run_before_workflow_rules. #270439 (closed)

Screenshots

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team

Related to #206929 (closed)

Edited by Kamil Trzciński
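
The ordering problem described in this merge request, as a simplified Ruby model added here (not GitLab's code and not part of the original description). The class names, `create_pipeline`, and the `seed_first` switch standing in for the feature flag are all hypothetical.

```ruby
# Simplified model of an ordered pipeline-creation chain (hypothetical names,
# not GitLab's implementation).
Pipeline = Struct.new(:variables, :dropped)

# Runs the caller-supplied block that attaches trigger/upstream variables.
class SeedBlockStep
  def initialize(seeds_block)
    @seeds_block = seeds_block
  end

  def perform!(pipeline)
    @seeds_block&.call(pipeline)
  end
end

# Models `workflow: rules: - if: $NAME`; drops the pipeline if no rule matches.
class WorkflowRulesStep
  def initialize(rule_variables)
    @rule_variables = rule_variables
  end

  def perform!(pipeline)
    matched = @rule_variables.any? { |name| !pipeline.variables[name].to_s.empty? }
    pipeline.dropped = !matched
  end
end

# seed_first: false models the order described as the bug (rules, then seed);
# seed_first: true models the order with the fix enabled (assumption).
def create_pipeline(rule_variables:, seeds_block:, seed_first:)
  seed  = SeedBlockStep.new(seeds_block)
  rules = WorkflowRulesStep.new(rule_variables)
  pipeline = Pipeline.new({}, false)
  (seed_first ? [seed, rules] : [rules, seed]).each do |step|
    step.perform!(pipeline)
    break if pipeline.dropped # a dropped pipeline stops the chain
  end
  pipeline
end

# Constructed sample: a trigger that passes SOME_VARIABLE.
TRIGGER_BLOCK = ->(pipeline) { pipeline.variables['SOME_VARIABLE'] = '1' }

def dropped?(seed_first, block = TRIGGER_BLOCK)
  create_pipeline(rule_variables: ['SOME_VARIABLE'], seeds_block: block,
                  seed_first: seed_first).dropped
end

puts "rules before seed: dropped=#{dropped?(false)}; seed before rules: dropped=#{dropped?(true)}"
```

With the seed step first, a trigger that passes no variable is still rejected by the rule, so the reordering does not weaken the `workflow:rules` gate.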
