Pipelines left running when permission to trigger downstream pipeline is insufficient
Bug report
Summary
Pipelines that trigger other pipelines that the user does not have permission to start are shown as running indefinitely instead of failing immediately when the bridge job fails to start the downstream pipeline.
There's a separate question of doing some kind of magic to make this work (#24585), but for now the pipeline should not be left in a weird state and should fail if we try to trigger a pipeline for which we do not have permissions.
Steps to reproduce
- A user has merge rights of
www-gitlab-com
, but not onteampage-map
- A successful merge on
www-gitlab-com
triggers a downstream build: https://gitlab.com/gitlab-com/www-gitlab-com/blob/e8a61ec6fc0cd6cd9917910126986c78a0f384c7/.gitlab-ci.yml#L397-407 - The build never triggers, because the users don't have the build right.
In this case the pipeline is left displayed as if it was running and waiting for something to happen.
Example Project
See above
What is the current bug behavior?
Pipeline looks like it is running indefinitely, but nothing is actually started
What is the expected correct behavior?
Bridge job fails when triggered pipeline fails to start
Relevant logs and/or screenshots
(Paste any relevant logs - please use code blocks (```) to format console output, logs, and code as it's tough to read otherwise.)
Output of checks
(If you are reporting a bug on GitLab.com, write: This bug happens on GitLab.com)
Solution
- Permission error can be fixed by checking if the user has enough permissions during the pipeline to trigger downstream creation. If not, we should fail the trigger job immediately. This makes it so the error can be caught early enough.
- This will create an error state which describes the permission problem.
Permission error
The user that triggered this pipeline does not have permission to run pipelines in the downstream project.
-
Allow failure
governs the pipeline to fail completely or continue.
Documentation
- Get all current errors that can be reported to be documented at https://docs.gitlab.com/ee/ci/pipelines.html#seeing-the-failure-reason-for-jobs
Follow up
-
#37613 to fix any other unexpected errors from creating/continuing pipelines:
- Cannot catch all errors a pipeline might experience. For example, failures because of not enough pipeline minutes.
- If the pipeline fails to be created there currently is no mechanism to catch those errors.
- Set failure reason into the error state