Introduce a new configuration key for artifacts to validate the security report schemas
Why are we doing this work
As we will start validating the security report artifacts, we want a way to transition towards that goal without breaking the existing security jobs. Therefore, we've decided to introduce a new configuration key for the job artifacts, which will be false by default in the beginning but true by default at some later point. We will check whether the artifact has this boolean flag set and, based on its value, run the schema validation logic.
Relevant links
- This idea is extracted from a discussion here: #284062 (comment 538893235)
Implementation plan
- backend Introduce a new configuration attribute called validate_schema for job artifacts
diff --git a/lib/gitlab/ci/config/entry/artifacts.rb b/lib/gitlab/ci/config/entry/artifacts.rb
index 6118ff49928..233b8e90936 100644
--- a/lib/gitlab/ci/config/entry/artifacts.rb
+++ b/lib/gitlab/ci/config/entry/artifacts.rb
@@ -12,7 +12,7 @@ class Artifacts < ::Gitlab::Config::Entry::Node
include ::Gitlab::Config::Entry::Validatable
include ::Gitlab::Config::Entry::Attributable
- ALLOWED_KEYS = %i[name untracked paths reports when expire_in expose_as exclude public].freeze
+ ALLOWED_KEYS = %i[name untracked paths reports when expire_in expose_as exclude public validate_schema].freeze
EXPOSE_AS_REGEX = /\A\w[-\w ]*\z/.freeze
EXPOSE_AS_ERROR_MESSAGE = "can contain only letters, digits, '-', '_' and spaces"
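Review bot: The validate_schema entry added to ALLOWED_KEYS only permits the key; nothing in this hunk gives it the false default the description calls for. Make that default explicit where the value is read (treat a missing key as false) rather than relying on an absent value being falsy, which also turns the planned switch to true-by-default into a single, visible change. The name is also generic for a key at the artifacts level when the stated purpose is security report schemas, so a comment or documentation entry saying which reports it governs would help.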
@@ -34,6 +34,7 @@ class Artifacts < ::Gitlab::Config::Entry::Node
with: /\A[^*]*\z/,
message: "can't contain '*' when used with 'expose_as'"
}, if: :expose_as_present?
+ validates :validate_schema, boolean: true
validates :expose_as, type: String, length: { maximum: 100 }, if: :expose_as_present?
validates :expose_as, format: { with: EXPOSE_AS_REGEX, message: EXPOSE_AS_ERROR_MESSAGE }, if: :expose_as_present?
validates :exclude, array_of_strings: true, if: :exclude_enabled?
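Review bot: The added line "validates :validate_schema, boolean: true" has no allow_nil option or if: guard, unlike the expose_as rules around it, so if the boolean validator rejects nil, every artifacts block that omits the key would fail validation, which is the breakage this issue sets out to avoid. Confirm the line sits inside an allow_nil scope or add the option explicitly, and cover true, false, absent and a non-boolean value in specs. It is also inserted in the middle of the expose_as validations; placing it next to the other standalone rules would keep that group together.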