[FF] `ensure_pipeline_policy_pre_succeeds` rollout
## Summary

This issue is to track the rollout of the `ensure_pipeline_policy_pre_succeeds` feature flag, introduced in [!225559](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/225559) as part of [#558233](https://gitlab.com/gitlab-org/gitlab/-/issues/558233).

When this feature flag is enabled (default), a failed `.pipeline-policy-pre` stage skips all later jobs unconditionally, including jobs with `needs: []` and `when: always`. When disabled, only DAG jobs are blocked by a failed `.pipeline-policy-pre` stage (previous behavior).

## Owners

- Most appropriate Slack channel to reach out to: `#g_security-policies`
- Best individual to reach out to: @mcavoj

## Expectations

### What are we expecting to happen?

Pipelines with pipeline execution policies that have a `.pipeline-policy-pre` stage will enforce that all later jobs are skipped when the pre-stage fails. This prevents jobs from circumventing enforced security checks via `needs: []` or `when: always`.

### What can go wrong and how would we detect it?

- Pipelines could take longer because later-stage jobs wait for `.pipeline-policy-pre` to complete (previously, `needs: []` jobs would start immediately).
- Users who relied on the previous behavior (jobs bypassing a failed pre-stage) may see unexpected job skipping.

## Rollout Steps

### Rollout on non-production environments

- [ ] Enable the feature flag on staging: `/chatops run feature set ensure_pipeline_policy_pre_succeeds true --dev --pre --staging --staging-ref`
- [ ] Verify that the feature works as expected.

### Global rollout on production

- [ ] Enable the feature flag on production: `/chatops run feature set ensure_pipeline_policy_pre_succeeds true`
- [ ] Monitor for unexpected pipeline failures.

### Release the feature

- [ ] Create a merge request to remove the `ensure_pipeline_policy_pre_succeeds` feature flag.
- [ ] Close [the feature issue](https://gitlab.com/gitlab-org/gitlab/-/issues/558233).
- [ ] Clean up the feature flag: `/chatops run feature delete ensure_pipeline_policy_pre_succeeds --dev --pre --staging --staging-ref --production`
- [ ] Close this rollout issue.

## Rollback Steps

- [ ] This feature can be disabled by running: `/chatops run feature set ensure_pipeline_policy_pre_succeeds false`
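A test fixture for the "Verify that the feature works as expected" step, added here as an example; it is not taken from the merge request or from this issue. The file names, job names and stage names other than `.pipeline-policy-pre` are assumptions, and the two YAML documents below are two separate files.

```yaml
# File 1 (assumed name: policy-ci.yml)
# CI configuration that the pipeline execution policy injects.
# The job deliberately fails so the .pipeline-policy-pre stage ends as failed.
policy-gate:
  stage: .pipeline-policy-pre
  script:
    - echo "simulating a failed enforced security check"
    - exit 1

---
# File 2: the project's own .gitlab-ci.yml in a test project covered by the policy.
stages:
  - build
  - test

# Case 1 from the summary: a job with an empty needs list.
# The issue notes that such jobs previously started immediately,
# without waiting for .pipeline-policy-pre.
probe-needs-empty:
  stage: build
  needs: []
  script:
    - echo "probe-needs-empty ran"

# Case 2 from the summary: a job that runs regardless of earlier failures.
probe-when-always:
  stage: test
  when: always
  script:
    - echo "probe-when-always ran"

# Control: an ordinary stage-ordered job with no needs and the default `when`.
probe-plain:
  stage: test
  script:
    - echo "probe-plain ran"

# Expected with ensure_pipeline_policy_pre_succeeds enabled (per this issue):
#   policy-gate fails, and probe-needs-empty, probe-when-always and
#   probe-plain are all skipped. No "ran" line appears in any job log.
```

Run one pipeline in the test project after enabling the flag and one after the rollback command; any probe job that executes while the flag is enabled is the signal to stop the rollout.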