Prevent compliance pipelines from overwriting child pipelines
What does this MR do and why?
As raised in the parent bug running a pipeline on a project that uses a child pipeline but is also subject to a compliance pipeline causes the child pipeline to contain only the parent pipeline again.
This continues until the maximum limit of recursion is hit (3) and then the pipeline fails.
This change checks if the pipeline is downstream of a bridge and if so, doesn't inject the compliance configuration.
Screenshots or screen recordings
Before |
After |
---|---|
How to set up and validate locally
- Do this on
master
first to understand the failure. - Create a new group.
- Create a project in that group that contains the compliance configuration.
# compliance.yml
stages:
- build
- test
comply:
stage: test
script:
- "echo hello compliance"
include: # Execute individual project's configuration (if project contains .gitlab-ci.yml)
project: '$CI_PROJECT_PATH'
file: '$CI_CONFIG_PATH'
ref: '$CI_COMMIT_REF_NAME'
-
In that group, create a compliance framework with a pipeline configuration that points to the newly created compliance configuration.
-
In the same group, create a project that contains a basic ci coniguration that also includes the use of a child pipeline. (It can be super basic.)
-
In that new project, make sure in the project settings that the compliance framework has been selected.
-
Start a new pipeline on that project. It should run, create the child pipeline, and the child pipeline should be incorrect and look just like the parent pipeline. It will recur twice, and then the pipeline will fail.
-
Then, checkout this branch and run the pipeline again. The child pipeline should look correct.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Related to #339463 (closed)