Non-Deployment jobs (e.g. `action: prepare`, `action: verify`) turn into `manual` state when Deployment Approval is configured

Release notes

In GitLab version 18.0, we are changing the behavior of the action: prepare, action: verify, action: access jobs on protected environments. You can change to the new behavior earlier using the prevent_blocking_non_deployment_jobs feature flag.

Until now, due to a bogus implementation, these jobs were turned manual automatically when run against a protected environment. While the environments were protected, these jobs did not require the approvals of the protected environment, they only required manual interaction to run them.

By fixing the implementation, these jobs won't be turned manual automatically. In order to keep to current behaviour, you should configure the jobs as manual explicitly.

For future compatibility, note that we plan a few more breaking changes in this area at version 18.0 to differentiate the behavior of the various environment.action: prepare | verify | access values. You can learn more about these planned changes in the following issues:

• Environment.action: prepare should require the ... (#437132)
• Environment.action: access and prepare should r... (#437133 - closed)
• Environment.action: access and verify should no... (#437142 - closed)

Problem

Non-Deployment jobs (e.g. action: prepare, action: verify and action: access) turn into manual state when Deployment Approval is configured. If the pipeline job won't deployment, it shouldn't be affected.

Please see this typebug report #300784 (comment 1249224486). This was able to be reproduced in https://gitlab.com/dosuken-org/developer-group/approval-demo/-/pipelines/763670118.

Proposal

This should resolve the bug

diff --git a/ee/app/services/ee/ci/process_build_service.rb b/ee/app/services/ee/ci/process_build_service.rb
index d73c2579706c..7b12afb2901c 100644
--- a/ee/app/services/ee/ci/process_build_service.rb
+++ b/ee/app/services/ee/ci/process_build_service.rb
@@ -6,7 +6,7 @@ module ProcessBuildService
 
       override :process
       def process(build)
-        if build.persisted_environment.try(:needs_approval?)
+        if build.persisted_environment.try(:needs_approval?) && build.deployment.present?
           build.run_after_commit { |build| build.deployment&.block! }
           # To populate the deployment job as manually executable (i.e. `Ci::Build#playable?`),
           # we have to set `manual` to `ci_builds.when` as well as `ci_builds.status`.

As fixing this bug is a breaking change, we want to put the fix behind the feature flag (disabled by default) together with the related issue Environment.action: prepare should require the ... (#437132). Then, in %18.0 we can turn it on by default and remove the feature flag.