Prevent jobs from being enqueued while waiting for deployment approval
What does this MR do and why?
When testing the new Deployment Approvals feature, we noticed that manual builds can bypass this since they go through the PlayBuildService, which does not check if a build is waiting for approvals. To prevent any bypasses of Deployment Approval business logic, we can add a rule to Ci::Build's state machine that prevents it from being enqueued if approvals are pending.
See !75710 (comment 756445822) for context.
Part of Deployment Approvals MVC: #343864 (closed)
How to set up and validate locally
Note: This MR requires the changes in !77892 (merged) in order for the Deployment Approval workflow to function correctly.
- Enable the `deployment_approvals` feature flag.

  ```ruby
  Feature.enable(:deployment_approvals)
  ```

- Set up a project to deploy to an environment. Example job from `.gitlab-ci.yml`:

  ```yaml
  production:
    stage: deploy
    script:
      - echo done
    environment:
      name: production
    when: manual
  ```

- Protect the environment being deployed to. See https://docs.gitlab.com/ee/ci/environments/protected_environments.html#protecting-environments.
- Add some required approvals to the protected environment that was just created:

  ```ruby
  ProtectedEnvironment.last.update(required_approval_count: 1)
  ```

- Start a pipeline. The `production` job should be in a `blocked` state. Navigate to the pipeline page. Ensure that clicking the play button does not start the job.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
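
An added illustration of the design choice described above, not code from this MR or from GitLab: a simplified Ruby model showing why the approval guard belongs on the build's enqueue transition rather than in each caller. `Build`, `Environment`, `PlayService`, `TransitionBlocked` and `play_result` are hypothetical stand-ins, and the sample environment is constructed.

```ruby
# Simplified stand-in model (hypothetical names, not GitLab's classes).
class TransitionBlocked < StandardError; end

# An environment with a required approval count and the approvals granted so far.
Environment = Struct.new(:name, :required_approval_count, :approvals) do
  def approvals_pending?
    approvals < required_approval_count
  end
end

class Build
  attr_reader :status, :environment

  # guard_in_state_machine toggles the rule so both behaviours can be compared.
  def initialize(environment, guard_in_state_machine:)
    @environment = environment
    @guard = guard_in_state_machine
    @status = :blocked
  end

  # Single choke point: every caller that wants the job queued comes through here,
  # so a check placed here cannot be skipped by a caller that forgot it.
  def enqueue!
    if @guard && environment.approvals_pending?
      raise TransitionBlocked, "#{environment.name} is waiting for approval"
    end
    @status = :pending
  end
end

# Stand-in for a service that starts manual jobs. It performs no approval check
# of its own, which is the bypass path the description refers to.
module PlayService
  def self.call(build)
    build.enqueue!
    build.status
  rescue TransitionBlocked
    build.status # transition refused, job stays where it was
  end
end

# Runs the play path against a constructed "production" environment
# that requires one approval, and returns the resulting job status.
def play_result(guard:, approvals:)
  env = Environment.new("production", 1, approvals)
  PlayService.call(Build.new(env, guard_in_state_machine: guard))
end
```

Without the guard the play path moves an unapproved job to `:pending`; with it, the job stays `:blocked` until the approval count is met.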