Skip to content

Add CI/CD setting for Allow Fork Pipelines to Run in Parent Project

NOTE: This MR is a high priority item for unblocking customer (Internal Only)

What does this MR do and why?

This MR address the issue Allow ability to disable pipelines for merge requests from running in target projects via project settings. It adds the following changes:

  • Add allow_fork_pipelines_to_run_in_parent_project column to the project_ci_cd_settings table (Boolean type, enabled by default).
  • Users can update this flag via Edit project API.
  • Documentation

A few notes:

  • See this Slack discussion about the background context of this change (Internal Only).
  • UI support is out of scope.

How to set up and validate locally

Step 1: Make sure that a external contributor can't run a pipeline in the parent project.

  1. Sign-in as User A. Create a project with .gitlab-ci.yml that uses merge request pipelines.
  2. Sign-in as User B. Fork the project and Create an MR that targets the parent project.
  3. Make sure that a pipeline runs in the fork project, because User B doesn't have permission to run a pipeline in the parent project.

Step 2: Make sure that a parent project member who deliberately works in a fork project can run a pipeline in the parent project.

  1. Sign-in as User A. Add User B to the parent project as Developer role. This effectively promotes the User B to project member from external contributor.
  2. Sign-in as User B. Run a pipeline in the fork merge request.
  3. Make sure that a pipeline runs in the parent project, because User B has permission to run a pipeline in the parent project. i.e. Run pipelines in the parent project.

Step 3: Make sure that the parent project member who deliberately works in a fork project can't run a pipeline in the parent project if the setting is disabled.

  1. Sign-in as User A. Create a personal token and update the CI/CD setting ci_allow_fork_pipelines_to_run_in_parent_project via Edit project API.
  2. Sign-in as User B. Run a pipeline in the fork merge request.
  3. Make sure that a pipeline runs in the fork project, because the parent project disables the feature.

Screenshots or screen recordings

Step 1: Make sure that a external contributor can't run a pipeline in the parent project.

Peek_2022-08-08_14-46

Step 2: Make sure that a parent project member who deliberately works in a fork project can run a pipeline in the parent project.

Peek_2022-08-08_14-48

Step 3: Make sure that the parent project member who deliberately works in a fork project can't run a pipeline in the parent project if the setting is disabled.

Peek_2022-08-08_14-52

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Shinya Maeda

Merge request reports

Loading