Ignore tag pipelines for MR approval policies
What does this MR do and why?
This MR fixes a bug with MR approval policies where a tag pipeline is considered for comparison, which could lead to inconsistent behaviour, as a tag pipeline may not contain security jobs.
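To make the failure mode concrete, here is an added Ruby example (not GitLab's code) that models the "newest completed pipeline per source for a commit" lookup the query below performs, with and without the `tag = false` filter. The `Pipeline` struct, the `has_security_reports` flag, the `approval_required?` rule and the sample rows are all constructed for illustration; in GitLab a tag pipeline built from the same commit shares the `push` source with the branch pipeline, which is why `max(id)` per source can land on it.

```ruby
# Added example, not GitLab's code: models the per-source "latest completed
# pipeline" lookup with and without the tag filter introduced by this MR.
Pipeline = Struct.new(:id, :project_id, :sha, :source, :status, :tag,
                      :has_security_reports, keyword_init: true)

# Same terminal statuses as the query's status IN (...) clause.
COMPLETED = %w[success failed canceled skipped].freeze

# Mirrors WHERE project_id/sha/status ... GROUP BY source with max(id).
# ignore_tags: true corresponds to the added `"ci_pipelines"."tag" = false`.
def latest_completed_per_source(pipelines, project_id:, sha:, ignore_tags:)
  pipelines
    .select { |p| p.project_id == project_id && p.sha == sha && COMPLETED.include?(p.status) }
    .reject { |p| ignore_tags && p.tag }
    .group_by(&:source)
    .transform_values { |group| group.max_by(&:id) }
end

# Constructed simplification of the policy: approval can only be enforced when
# at least one compared pipeline actually carries security reports.
def approval_required?(selected)
  selected.values.any?(&:has_security_reports)
end

# Constructed sample data for one commit:
#   id 10: branch push pipeline, scans ran
#   id 11: tag pipeline from the same commit, scans skipped via `except: tags`
#   id 12: MR pipeline still running, so not "completed"
SAMPLE = [
  Pipeline.new(id: 10, project_id: 1, sha: "abc", source: :push,
               status: "success", tag: false, has_security_reports: true),
  Pipeline.new(id: 11, project_id: 1, sha: "abc", source: :push,
               status: "success", tag: true, has_security_reports: false),
  Pipeline.new(id: 12, project_id: 1, sha: "abc", source: :merge_request_event,
               status: "running", tag: false, has_security_reports: true),
].freeze

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |ignore_tags|
    chosen = latest_completed_per_source(SAMPLE, project_id: 1, sha: "abc", ignore_tags: ignore_tags)
    puts "ignore_tags=#{ignore_tags}: picked #{chosen.transform_values(&:id)}, " \
         "approval_required=#{approval_required?(chosen)}"
  end
end
```

Without the filter the newer tag pipeline (id 11) shadows the branch pipeline (id 10) in the `push` group and the policy sees no security reports at all, so approval is silently dropped; with the filter the branch pipeline is compared as intended.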
Database
SELECT
max(id) as id
FROM
"ci_pipelines"
WHERE
"ci_pipelines"."project_id" = 278964
AND (
"ci_pipelines"."status" IN (
'success','failed','canceled','skipped'
)
)
AND "ci_pipelines"."tag" = false
AND "ci_pipelines"."sha" = '6418b07f2e90539ce87dbe51b8624d2e486b6ee0'
AND (
"ci_pipelines"."source" IN (
1, 2, 3, 4, 5, 6, 7, 8, 10, 11, 15
)
OR "ci_pipelines"."source" IS NULL
)
GROUP BY
"ci_pipelines"."source"
Query Plan
Aggregate (cost=3.75..3.77 rows=1 width=8) (actual time=67.376..67.380 rows=2 loops=1)
Group Key: ci_pipelines.source
Buffers: shared hit=3 read=22
I/O Timings: read=67.135 write=0.000
-> Sort (cost=3.75..3.76 rows=1 width=8) (actual time=67.368..67.369 rows=5 loops=1)
Sort Key: ci_pipelines.source
Sort Method: quicksort Memory: 25kB
Buffers: shared hit=3 read=22
I/O Timings: read=67.135 write=0.000
-> Index Scan using index_ci_pipelines_on_project_id_and_sha on public.ci_pipelines (cost=0.70..3.74 rows=1 width=8) (actual time=16.219..67.335 rows=5 loops=1)
Index Cond: ((ci_pipelines.project_id = 278964) AND ((ci_pipelines.sha)::text = '6418b07f2e90539ce87dbe51b8624d2e486b6ee0'::text))
Filter: ((NOT ci_pipelines.tag) AND ((ci_pipelines.status)::text = ANY ('{success,failed,canceled,skipped}'::text[])) AND ((ci_pipelines.source = ANY ('{1,2,3,4,5,6,7,8,10,11,15}'::integer[])) OR (ci_pipelines.source IS NULL)))
Rows Removed by Filter: 12
Buffers: shared read=22
I/O Timings: read=67.135 write=0.000
Time: 76.437 ms
- planning: 8.999 ms
- execution: 67.438 ms
- I/O read: 67.135 ms
- I/O write: 0.000 ms
Shared buffers:
- hits: 3 (~24.00 KiB) from the buffer pool
- reads: 22 (~176.00 KiB) from the OS file cache, including disk I/O
- dirtied: 0
- writes: 0
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Create a project with security scan jobs and make them run for everything except the `tags` type by adding to the scan jobs:
  except:
    - tags
- Create MR approval policy to enforce approval on newly detected vulnerabilities
- Create an MR by updating README and verify that the approval is not required
- Create a tag from the MR's source branch and make sure that the security scan does not run for the tag pipeline.
- After the tag pipeline is complete, observe that the MR does not require approval
Example Project: https://gitlab.com/gitlab-org/govern/security-policies/sashis-test-group/test-419789
Addresses #457613 (closed)
Edited by Sashi Kumar Kumaresan