Draft: feat: Support Merged Result Pipelines, Merge Request Pipelines, and allow commit_list to be provided directly to Secret-Detection.gitlab-ci.yml

Lucas Charles requested to merge theoretick-master-patch-92466 into master

What does this MR do and why?

Three changes to Category:Secret Detection template

  • Supports Merged Results Pipelines which are extra funky since they don't rely on a true commit (see below)
  • Specify commit range for Merge Request Pipelines which rely on CI_MERGE_REQUEST_DIFF_BASE_SHA
  • Updates the Category:Secret Detection template to allow manually specifying commit_list.txt file. In certain cases it's too difficult to determine programmatically, so this allows individuals to provide one explicitly in before_scripts or elsewhere.

Quoting from the docs regarding "Merged Result Pipelines":

GitLab creates an internal commit with the merged results, so the pipeline can run against it. This commit does not exist in either branch, but you can view it in the pipeline details.

So instead we just rely on the latest $CI_COMMIT_SHA in those cases too.

See testing with gitlab-com/www-gitlab-com!100862 (closed)

I don't think these are all necessary in one go, but they touch on several different areas, so I'm using this MR as a playground.

Note: these may not all seem necessary in one go, but each is required for www-gitlab-com, which is a culmination of each of the previously unsupported cases.

How to set up and validate locally

include:
  remote: https://gitlab.com/gitlab-org/gitlab/-/raw/theoretick-master-patch-92466/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml

job:
  before_script: echo ${CI_COMMIT_SHA} >${CI_COMMIT_SHA}_commit_list.txt

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Lucas Charles
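
The three cases in the description above (a provided commit list, a merged results pipeline, a merge request pipeline) can be sketched as one selection function. This is an added example, not code from the MR or the template: the function name `build_commit_list`, the precedence order, the SHA validation and the use of `CI_MERGE_REQUEST_EVENT_TYPE` to detect merged results pipelines are assumptions.

```shell
#!/bin/sh
# Added example (not the template's code): pick the commits a secret scan covers.
# build_commit_list and the precedence below are assumptions of this example.

build_commit_list() {
  list="${CI_COMMIT_SHA}_commit_list.txt"

  # 1. A list supplied earlier (for instance in before_script) wins, but only
  #    if every line looks like a commit SHA; the file is untrusted job input.
  if [ -s "$list" ]; then
    if grep -Evq '^[0-9a-f]{7,64}$' "$list"; then
      echo "invalid commit list: $list" >&2
      return 1
    fi
    echo "provided"
    return 0
  fi

  # 2. Merged results pipeline: CI_COMMIT_SHA is GitLab's internal merge
  #    commit, which is in neither branch, so scan that single commit.
  if [ "${CI_MERGE_REQUEST_EVENT_TYPE:-}" = "merged_result" ]; then
    printf '%s\n' "$CI_COMMIT_SHA" > "$list"
    echo "merged_result"
    return 0
  fi

  # 3. Merge request pipeline: every commit between the diff base and HEAD.
  if [ -n "${CI_MERGE_REQUEST_DIFF_BASE_SHA:-}" ]; then
    if git log --pretty=format:%H \
         "${CI_MERGE_REQUEST_DIFF_BASE_SHA}..${CI_COMMIT_SHA}" > "$list" \
       && [ -s "$list" ]; then
      echo "merge_request"
      return 0
    fi
  fi

  # 4. Range unavailable (shallow clone, missing base) or no MR context:
  #    fall back to the current commit so the list is never empty.
  printf '%s\n' "$CI_COMMIT_SHA" > "$list"
  echo "single_commit"
}
```

The function prints which strategy it used, so a job log shows why a given set of commits was scanned.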
