Add CI/CD setting for Allow Fork Pipelines to Run in Parent Project
NOTE: This MR is a high priority item for unblocking customer (Internal Only)
What does this MR do and why?
This MR address the issue Allow ability to disable pipelines for merge requests from running in target projects via project settings. It adds the following changes:
- Add
allow_fork_pipelines_to_run_in_parent_project
column to theproject_ci_cd_settings
table (Boolean type, enabled by default). - Users can update this flag via Edit project API.
- Documentation
A few notes:
- See this Slack discussion about the background context of this change (Internal Only).
- UI support is out of scope.
How to set up and validate locally
Step 1: Make sure that a external contributor can't run a pipeline in the parent project.
- Sign-in as User A. Create a project with
.gitlab-ci.yml
that uses merge request pipelines. - Sign-in as User B. Fork the project and Create an MR that targets the parent project.
- Make sure that a pipeline runs in the fork project, because User B doesn't have permission to run a pipeline in the parent project.
Step 2: Make sure that a parent project member who deliberately works in a fork project can run a pipeline in the parent project.
- Sign-in as User A. Add User B to the parent project as Developer role. This effectively promotes the User B to project member from external contributor.
- Sign-in as User B. Run a pipeline in the fork merge request.
- Make sure that a pipeline runs in the parent project, because User B has permission to run a pipeline in the parent project. i.e. Run pipelines in the parent project.
Step 3: Make sure that the parent project member who deliberately works in a fork project can't run a pipeline in the parent project if the setting is disabled.
- Sign-in as User A. Create a personal token and update the CI/CD setting
ci_allow_fork_pipelines_to_run_in_parent_project
via Edit project API. - Sign-in as User B. Run a pipeline in the fork merge request.
- Make sure that a pipeline runs in the fork project, because the parent project disables the feature.
Screenshots or screen recordings
Step 1: Make sure that a external contributor can't run a pipeline in the parent project.
Step 2: Make sure that a parent project member who deliberately works in a fork project can run a pipeline in the parent project.
Step 3: Make sure that the parent project member who deliberately works in a fork project can't run a pipeline in the parent project if the setting is disabled.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.