[go: up one dir, main page]
Skip to content

Auto disable "Pipeline Must Succeed" Setting for Security Policy Projects

Proposal

Currently, the "Pipeline must succeed" setting are enabled in security policy projects. However, security policy projects cannot run pipelines, resulting in the inability to approve merge requests (MRs) unless this setting is manually unchecked. This issue leads to unnecessary manual intervention and clunky workflow of manually disabling the setting from time to time.

The proposal here is introducing an except or automatic disable for security policy projects from the "Pipeline must succeed" setting. This should allow MRs to be approved without requiring a successful pipeline, and reduce the manual disabling effort from users.

Ideally, the security policy project should automatically ignore the "Pipeline must succeed" setting since pipelines cannot run.

From: Scan Execution and Scan Result changes cannot b... (#432327 - closed):

Summary

Security Policy projects have CI/CD disabled by default. When the namespace-level feature "Pipelines must succeed" is enabled all MRs require a successful pipeline before a change can be merged. This will prevent merging changes to Security Policies as, by default, pipelines are not run on Security Policy Projects.

Steps to reproduce

  1. Create a group
  2. In Group Settings enable "Pipelines must succeed" under General → Merge Requests
  3. Create a new project and, from that project, a new Security Policy Project.
  4. Attempt to change the Security Policies.

Example Project

https://gitlab.com/duncan_harris_ultimate_group/image/for-a-policy-security-policy-project/-/merge_requests/1

What is the current bug behavior?

MRs for Policy changes are blocked unless the feature is disabled

What is the expected correct behavior?

I'm not sure if the correct behavior here is for Security Policy Projects to bypass the pipeline requirement or running a stub pipeline to satisfy the pipeline requirement.

Relevant logs and/or screenshots

image

Output of checks

This bug happens on GitLab.com

Workaround

In the Security Policy Project navigate to Settings → "Visibility, project features, permissions" and enable "CI/CD". Then add a basic .gitlab-ci.yml file to the default branch:

Requirement for Merge Request:
  image: alpine:latest
  script:
    - echo "This pipeline is a success."
Edited by Alan (Maciej) Paruszewski