Handle stages definitions in security policy custom yaml
We are introducing an experimental feature that allows running custom CI configurations as part of a security policy. In the MVC version, the CI configuration gets merged with the project CI configuration.

It is possible to define custom stages in the custom YAML using the stages keyword. This works as long as no stages are defined in the project .gitlab-ci.yml file. If the project does define stages, the project CI takes precedence and overrides all stages defined in security policies.

To avoid this, we can merge the two stages definitions and make sure no stage defined in a security policy can be removed.
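The merge described above, as an added example that is not GitLab's own code: the project's stages keep their order, every policy stage that is not already present is appended, and the result is checked so that no policy stage can be lost. The DEFAULT_STAGES list, the deep_merge helper and the two sample YAML documents are assumptions constructed for this example.

```ruby
# Added example (not GitLab's code): merge the `stages` list of a project
# .gitlab-ci.yml with the `stages` list from a security policy so that the
# project's order is kept and no policy stage can be dropped.
require 'yaml'

# Assumption: stages used when the project defines none (GitLab's real
# defaults may differ).
DEFAULT_STAGES = %w[build test deploy].freeze

# Plain recursive hash merge; values from `override` win on conflict.
# Note that a plain merge replaces a list wholesale, so whichever side wins
# silently drops the other side's stages. That is why stages are merged
# separately below.
def deep_merge(base, override)
  base.merge(override) do |_key, old_val, new_val|
    old_val.is_a?(Hash) && new_val.is_a?(Hash) ? deep_merge(old_val, new_val) : new_val
  end
end

# Union of the two stage lists: project stages first, in their order, then
# every policy stage not already present. `|` removes duplicates, and
# Array(nil) handles a policy without a stages key.
def merge_stages(project_stages, policy_stages)
  project_stages = DEFAULT_STAGES.dup if project_stages.nil? || project_stages.empty?
  project_stages | Array(policy_stages)
end

# Merge a project CI config with a policy config (both YAML strings) and
# make sure the result still carries every policy stage.
def merge_policy_config(project_yaml, policy_yaml)
  project = YAML.safe_load(project_yaml) || {}
  policy = YAML.safe_load(policy_yaml) || {}

  merged = deep_merge(project, policy)
  merged['stages'] = merge_stages(project['stages'], policy['stages'])

  # Defensive check: a policy stage that did not survive the merge is a bug.
  missing = Array(policy['stages']) - merged['stages']
  raise "policy stages removed: #{missing.join(', ')}" unless missing.empty?

  merged
end

# Constructed sample inputs (not taken from a real project or policy).
PROJECT_CI = <<~YAML
  stages:
    - build
    - test
    - deploy
  build-job:
    stage: build
    script:
      - make
YAML

POLICY_CI = <<~YAML
  stages:
    - test
    - policy-scan
  secret-detection:
    stage: policy-scan
    script:
      - run-secret-detection
YAML

if __FILE__ == $PROGRAM_NAME
  puts merge_policy_config(PROJECT_CI, POLICY_CI).to_yaml
end
```

Running the file prints the merged configuration; its stages come out as build, test, deploy, policy-scan, with the shared test stage listed once. The final check turns a lost policy stage into a hard failure instead of a pipeline that quietly skips the policy's jobs.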
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
Implementation plan
diff --git a/ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb b/ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb
index 633630eaab67..4e44c7f06cfc 100644
--- a/ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb
+++ b/ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb
@@ -25,7 +25,16 @@ def perform
return @config if valid_security_orchestration_policy_configurations.blank?
return @config unless extend_configuration?
- merged_config = @config.deep_merge(merge_policies_with_stages(@config))
+ config_stages = @config[:stages].presence || DEFAULT_STAGES.clone
+
+ merged_policy_config = merge_policies_with_stages(@config)
+
+ policy_stages = merged_policy_config[:stages]
+
+ merged_stages = config_stages + policy_stages
+ merged_config = @config.deep_merge(merged_policy_config)
+
+ merged_config[:stages] = merged_stages
observe_processing_duration(Time.current - @start)
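Review bot: `merged_stages = config_stages + policy_stages` keeps duplicates when a stage name appears in both lists (a policy that declares `test` while the project already has it yields `test` twice), and it raises `TypeError` when `merged_policy_config[:stages]` is nil. An order-preserving union, e.g. `merged_stages = config_stages | Array(policy_stages)`, avoids both while still appending every policy stage after the project's own, which is what guarantees that no policy stage is dropped. The `.clone` on `DEFAULT_STAGES` is also unnecessary, since `+` and `|` both return a new array.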