Fix security policy source to not trigger pipelines for tags
What does this MR do and why?
In #403723 (closed), we updated the scan execution policies to create pipelines even if Auto DevOps is disabled and no .gitlab-ci.yml is present. These changes caused invalid pipelines to be triggered when a new tag is created under the following conditions:
- scan_execution_policy enabled
- Auto DevOps disabled
- no .gitlab-ci.yml file
However, the scan execution policy is not applicable to tags.
This MR adds an additional check to not trigger a pipeline when a new tag is created.
Related to #439507 (closed)
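The decision this MR changes, modelled as a small added example (not GitLab's own code): the "before" predicate creates a policy-driven pipeline whenever the policy is enabled, Auto DevOps is off and no `.gitlab-ci.yml` exists, regardless of the ref; the "after" predicate adds the tag check. The `Ref` and `Project` structs, the method names and the way the policy is loaded are assumptions made for this example; the policy YAML is the one from the validation steps below.

```ruby
require 'yaml'

# Hypothetical minimal models (not GitLab's): a ref knows whether it is a tag,
# a project knows its Auto DevOps state and whether a .gitlab-ci.yml exists.
Ref = Struct.new(:name, :tag, keyword_init: true) do
  def tag?
    tag
  end
end
Project = Struct.new(:auto_devops_enabled, :has_ci_config, keyword_init: true)

# Constructed sample: the scan execution policy used in the validation steps.
POLICY_YAML = <<~YAML
  type: scan_execution_policy
  name: se
  description: ''
  enabled: true
  rules:
    - type: pipeline
      branch_type: all
  actions:
    - scan: secret_detection
YAML

def parse_policy(yaml)
  YAML.safe_load(yaml)
end

# Behaviour before the fix: only the policy/project conditions are checked,
# so pushing a tag to a project with no CI config also creates a pipeline.
def policy_pipeline_needed_before_fix?(policy, project, _ref)
  return false unless policy['enabled']
  return false if project.auto_devops_enabled || project.has_ci_config

  policy['rules'].any? { |rule| rule['type'] == 'pipeline' }
end

# Behaviour after the fix: tags never qualify, because scan execution
# policies do not apply to them; everything else is unchanged.
def policy_pipeline_needed?(policy, project, ref)
  return false if ref.tag?

  policy_pipeline_needed_before_fix?(policy, project, ref)
end

if __FILE__ == $PROGRAM_NAME
  policy  = parse_policy(POLICY_YAML)
  project = Project.new(auto_devops_enabled: false, has_ci_config: false)
  tag     = Ref.new(name: 'v1.0.0', tag: true)
  puts "before fix, tag -> pipeline? #{policy_pipeline_needed_before_fix?(policy, project, tag)}"
  puts "after fix,  tag -> pipeline? #{policy_pipeline_needed?(policy, project, tag)}"
end
```

The branch case is unaffected by the added check, which is what the validation steps below exercise from the other side: a tag push on a project matching all three conditions must not produce a pipeline.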
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Create a new project with a README.md file
- Make sure the project does not have a .gitlab-ci.yml and that Auto DevOps is disabled
- Update the readme file
- Create a new scan execution policy with the content

  ```yaml
  type: scan_execution_policy
  name: se
  description: ''
  enabled: true
  rules:
    - type: pipeline
      branch_type: all
  actions:
    - scan: secret_detection
  ```

- Go to Code > Tags
- Add a new tag
- Verify that no pipeline is created.
Edited by Marcos Rocha