Remove inaccessible artifacts from release evidence

What does this MR do and why?

This merge request updates the creation of the release evidence summary to ensure that the URLs of job/build artifacts that do not have artifacts:paths specified are excluded from the evidence. With that fix in place, a release evidence's report_artifacts would not include the URL of a non-existing artifact when the evidence is collected. This prevents users from getting 404 pages when trying to access those URLs.

As a follow-up to this fix (tracked separately in #228648 (closed)), we also have to update CI templates to reflect the changes introduced here.

Resolves #225800 (closed).

How to set up and validate locally

To validate locally, please follow the steps below:

When artifacts:paths is specified

  1. Create a project or use an existing one.
  2. Ensure that you have gitlab-runner configured to use docker executor.
  3. Add a .gitlab-ci.yml file to the project with the following code:
```yaml
include:
  - template: License-Scanning.gitlab-ci.yml

license_scanning:
  rules:
    - if: $CI_COMMIT_TAG
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\blicense_scanning\b/
  artifacts:
    paths:
      - gl-license-scanning-report.json

release_job:
  stage: deploy
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  rules:
    - if: $CI_COMMIT_TAG
  script:
    - echo 'running release job'
  release:
    name: 'Release $CI_COMMIT_TAG'
    description: "new release!"
    tag_name: '$CI_COMMIT_TAG'
```

The above ensures we are running the release_job whenever a tag pipeline runs (i.e. a git tag is pushed), and uses the license_scanning template to demonstrate how inclusion of artifacts:paths is used to determine whether a release evidence would include report_artifacts.url or not.

  1. Create a new git tag, and push it to the repository.
  2. Check the releases page (found under Deployments > Releases), and look up the release just created using this tag.
  3. Download the release evidence and verify it includes report_artifacts.url.
  4. Test that the URL works fine in your browser (artifacts file will be downloaded).

When artifacts:paths is not specified

  1. Repeat the steps outlined above, but make sure to exclude the following from .gitlab-ci.yml code:
```yaml
  artifacts:
    paths:
      - gl-license-scanning-report.json
```
  2. Push another git tag similar to how you did earlier.
  3. Verify that the release evidence created includes an empty report_artifacts array.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Ahmed Hemdan
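
The two verification steps above (evidence includes report_artifacts.url when artifacts:paths is set, and an empty report_artifacts array when it is not) can be scripted against a downloaded evidence file. This is an added example, not code from the merge request or from GitLab; the helper names, the sample JSON and the nesting of report_artifacts under a "release" key are assumptions. It checks the shape of the evidence only and does not fetch the URLs.

```ruby
require "json"
require "uri"

# Constructed sample evidence documents (not real GitLab output). Nesting under
# "release" is an assumption; the page names only report_artifacts and url.
EVIDENCE_WITH_PATHS = <<~JSON
  {"release": {"tag_name": "v1.0.0", "report_artifacts": [
    {"url": "https://gitlab.example.com/group/project/-/jobs/1/artifacts/download"}
  ]}}
JSON
EVIDENCE_WITHOUT_PATHS = '{"release": {"tag_name": "v1.0.1", "report_artifacts": []}}'

# Returns the report_artifacts array; raises if it is absent or not an array,
# so a malformed evidence file is never mistaken for "no artifacts".
def report_artifacts(evidence_json)
  doc = JSON.parse(evidence_json)
  release = doc.fetch("release", doc) # accept top-level or nested placement
  list = release["report_artifacts"]
  raise ArgumentError, "report_artifacts missing or not an array" unless list.is_a?(Array)
  list
end

# Returns a list of problems (empty means the evidence matches expectations).
# paths_specified: whether the job in .gitlab-ci.yml declared artifacts:paths.
def check_evidence(evidence_json, paths_specified:)
  entries = report_artifacts(evidence_json)
  problems = []
  if paths_specified
    problems << "expected at least one report artifact URL" if entries.empty?
  elsif !entries.empty?
    problems << "expected empty report_artifacts, found #{entries.size} entries"
  end
  # Every listed entry must carry a parseable http(s) URL with a host.
  entries.each_with_index do |entry, i|
    url = entry.is_a?(Hash) ? entry["url"] : nil
    uri = (URI.parse(url) rescue nil) if url.is_a?(String)
    problems << "entry #{i} has no usable http(s) url" unless uri.is_a?(URI::HTTP) && uri.host
  end
  problems
end
```
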
