"Pipelines must succeed" checkbox is ignored if CI is skipped
Summary
Customers want to use the "Pipelines must succeed" button to enforce a policy that a commit must pass its tests before it can be merged. But it's possible for developers to bypass the policy entirely using CI skipping.
Steps to reproduce
- Create a new project with a README and a simple
.gitlab-ci.yml
(see below) - Turn on "Pipelines must succeed"
- Protect the
master
branch and set "Allowed to Push" to "No One" formaster
- Create a branch and MR
- In your branch, edit
exit 0
to sayexit 1
(which is a failure) - Commit your change with "[skip ci]" as the commit message
- Push your change
- Navigate to the Merge Request. The merge button appears, and it's possible to merge - even though you just broke the build and insisted that Pipelines must succeed.
Here's a CI configuration that will work:
test:
script:
- exit 0
only: ['merge_requests']
Example Project
https://gitlab.com/fpotter/examples/skip-ci
Note While in the steps above I use the [skip ci]
commit message, I assume (have not tested) that the ci.skip
push option would similarly allow a developer to bypass the pipeline success requirement.
What is the current bug behavior?
The Merge button appears in the MR. It can be merged. Even though you set a policy that pipelines must succeed, and the build is completely broken.
What is the expected correct behavior?
A message that says something like:
The pipeline for this merge request was skipped. Please run a successful pipeline on this branch.
The format could be the same as is currently shown when the Pipeline is blocked or failed (see below).
Relevant logs and/or screenshots
The "Pipelines must succeed" button:
The "Merge" button that appears:
The "Blocked" message, which indicates a possible format for the "skipped" message:
The "Failed" message, also to indicate format:
Output of checks
This bug happens on GitLab.com.
Possible fixes
?
Customer impact
Major issue for at least one enterprise customer
/cc @jlenny @williamchia @dhavens @jmiklos