Only run CS when an image is created
What does this MR do and why?
Container Scanning jobs are running on the main branch for commit pipelines. E.g.: https://gitlab.com/gitlab-org/security-products/analyzers/dependency-scanning/-/pipelines/1500916468
This fails because the project only builds images in two situations:
- In an MR
- When there's a release
To solve this, we need to limit the CS job to only run when an image is actually created.
This MR does this by applying the rules from the `release image` and `release temp image` jobs to the `container_scanning` job.
Commit-triggered pipeline on a forked project showing that the CS job isn't created: https://gitlab.com/group-thiagocsf/dependency-scanning/-/pipelines/1501334043
Other alternatives were considered:
- Use a dynamic pipeline
  - It seems messier as we'll need a script that creates the yml with the job definition, and it also runs CS in a child pipeline.
- Look for the presence of `CS_IMAGE`
  - Doesn't work because `exists` doesn't look for artifacts (Backend: Using rules:exists on artifacts (gitlab-org/gitlab#215100)).
- Use one CS job for each `release` job with a `needs` association
  - This doesn't work because with `optional: false` the pipeline fails since the dependent job doesn't exist. With `optional: true`, all CS jobs run, even when the dependent job doesn't exist.
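As an added illustration of the approach taken here (example config, not the analyzer project's own `.gitlab-ci.yml`), the snippet below gives the `container_scanning` job the same `rules` as the two image-building jobs, so the scan is only scheduled in pipelines that actually produce an image. The rule conditions, stage names, image tags and the `rules:variables` selection of `CS_IMAGE` are assumptions for the example.

```yaml
# Added example; job names follow the MR, everything else is assumed.
include:
  - template: Jobs/Container-Scanning.gitlab-ci.yml

# Assumption: a temp image is built in MR pipelines, a release image on tags.
release temp image:
  stage: build
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  script:
    - docker build -t "$CI_REGISTRY_IMAGE/tmp:$CI_COMMIT_SHORT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE/tmp:$CI_COMMIT_SHORT_SHA"

release image:
  stage: build
  rules:
    - if: $CI_COMMIT_TAG
  script:
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG"

container_scanning:
  # Mirror the build jobs' rules instead of `exists:` (sees repository files,
  # not artifacts) or per-job `needs:` (optional: false fails when the build
  # job is absent; optional: true runs every CS job regardless).
  # Each rule also points CS_IMAGE at the image that pipeline type built.
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      variables:
        CS_IMAGE: "$CI_REGISTRY_IMAGE/tmp:$CI_COMMIT_SHORT_SHA"
    - if: $CI_COMMIT_TAG
      variables:
        CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG"
    # No rule matches a plain commit pipeline on the default branch, so the
    # job is not created there and no longer fails for a missing image.
```

If the rule set grows, the same conditions can be kept in one hidden `.image-rules` job and pulled into each job with `!reference [.image-rules, rules]`, so the build and scan jobs cannot drift apart.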
Related issues
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.