From 90e5bf1f539d15a9a5ecfe7c1a5f9fa4d1729925 Mon Sep 17 00:00:00 2001
From: Furkan Ayhan <furkanayhn@gmail.com>
Date: Tue, 22 Jul 2025 13:41:40 +0200
Subject: [PATCH 1/2] Refactor build permissions to be explicit instead of
 delegated

Previously, build permissions were implicitly calculated by delegating
to commit status permissions through CommitStatusPolicy. This approach
required recalculating commit status permissions every time build
permissions were checked, leading to performance overhead.

Changes made:

- Remove delegation logic from CommitStatusPolicy
- Add explicit build permission rules directly in
ProjectPolicy and BuildPolicy

Changelog: performance
---
 app/policies/ci/build_policy.rb      | 1 +
 app/policies/commit_status_policy.rb | 4 ----
 app/policies/project_policy.rb       | 8 ++++++++
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 128b8c626c12d3..e37ba724aaedbb 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -81,6 +81,7 @@ class BuildPolicy < CommitStatusPolicy
     # There is a "jailbreak" mode to exceptionally bypass the authorization,
     # however, you should NEVER allow it, rather suspect it's a wrong feature/product design.
     rule { ~can?(:jailbreak) & (archived | (protected_ref & ~admin)) }.policy do
+      prevent :update_build
       prevent :update_commit_status
     end
 
diff --git a/app/policies/commit_status_policy.rb b/app/policies/commit_status_policy.rb
index eea2a24fb2d269..1bf8ea68da2c4d 100644
--- a/app/policies/commit_status_policy.rb
+++ b/app/policies/commit_status_policy.rb
@@ -2,8 +2,4 @@
 
 class CommitStatusPolicy < BasePolicy
   delegate { @subject.project }
-
-  %w[read create update admin].each do |action|
-    rule { ~can?(:"#{action}_commit_status") }.prevent :"#{action}_build"
-  end
 end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 09df2101dfc86b..9f5643d4a206f2 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -888,6 +888,11 @@ class ProjectPolicy < BasePolicy
     prevent :update_commit_status
     prevent :admin_commit_status
     prevent :destroy_commit_status
+
+    prevent :read_build
+    prevent :create_build
+    prevent :update_build
+    prevent :admin_build
   end
 
   rule { repository_disabled }.policy do
@@ -898,6 +903,7 @@ class ProjectPolicy < BasePolicy
     prevent :build_download_code
     prevent :fork_project
     prevent :read_commit_status
+    prevent :read_build
     prevent :read_pipeline
     prevent :read_pipeline_schedule
 
@@ -966,6 +972,7 @@ class ProjectPolicy < BasePolicy
 
   rule { public_or_internal & job_token_builds }.policy do
     enable :read_commit_status # this is additionally needed to download artifacts
+    enable :read_build
   end
 
   rule { public_or_internal & job_token_releases }.policy do
@@ -992,6 +999,7 @@ class ProjectPolicy < BasePolicy
     enable :read_environment
     enable :read_deployment
     enable :read_commit_status
+    enable :read_build
     enable :read_container_image
     enable :read_code
     enable :download_code
-- 
GitLab


From 9aaabd9dcd8691a6c68fa854df5920716f86e530 Mon Sep 17 00:00:00 2001
From: Furkan Ayhan <furkanayhn@gmail.com>
Date: Tue, 22 Jul 2025 13:58:49 +0200
Subject: [PATCH 2/2] Remove the redundant policy permission

---
 app/policies/ci/build_policy.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index e37ba724aaedbb..b0a23ff0f2eb0a 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -87,7 +87,6 @@ class BuildPolicy < CommitStatusPolicy
 
     rule { ~can?(:jailbreak) & (archived | protected_ref) }.policy do
       prevent :cancel_build
-      prevent :update_build
       prevent :erase_build
     end
 
-- 
GitLab