Fix definition of security related jobs

The jobs added with https://gitlab.com/gitlab-org/gitlab-runner/-/merge_requests/1897 and https://gitlab.com/gitlab-org/gitlab-runner/-/merge_requests/2347 are causing a duplicate pipeline started for each branch push. It also causes unwanted jobs to be started in context of the MR pipeline. This commit will disable unwanted jobs and will add missing rules definition to the fuzz testing one.

Fix definition of security related jobs
The jobs added with https://gitlab.com/gitlab-org/gitlab-runner/-/merge_requests/1897 and https://gitlab.com/gitlab-org/gitlab-runner/-/merge_requests/2347 are causing a duplicate pipeline started for each branch push. It also causes unwanted jobs to be started in context of the MR pipeline. This commit will disable unwanted jobs and will add missing rules definition to the fuzz testing one.
5903de28 · Tomasz Maczukin · 84465002 · 5903de28 · 5903de28
Unverified Commit 5903de28 authored Oct 20, 2020 by Tomasz Maczukin
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 8 deletions

.gitlab/ci/_common.gitlab-ci.yml .gitlab/ci/_common.gitlab-ci.yml +4 -1

.gitlab/ci/test.gitlab-ci.yml .gitlab/ci/test.gitlab-ci.yml +10 -7

No files found.
--- a/.gitlab/ci/_common.gitlab-ci.yml
+++ b/.gitlab/ci/_common.gitlab-ci.yml
@@ -14,7 +14,10 @@ variables:
  GIT_LFS_VERSION: "2.11.0"
  LICENSE_MANAGEMENT_SETUP_CMD: echo "Skip setup. Dependency already vendored"
  DOCS_GITLAB_REPO_SUFFIX: "runner"
-  SAST_DEFAULT_ANALYZERS: "gosec,secrets"
+  # We're overriding rules for the jobs that we want to run.
+  # This will disable all other rules.
+  SAST_DISABLED: "true"
+  DEPENDENCY_SCANNING_DISABLED: "true"

 default:
  image: $CI_IMAGE

--- a/.gitlab/ci/test.gitlab-ci.yml
+++ b/.gitlab/ci/test.gitlab-ci.yml
@@ -4,12 +4,13 @@ include:
 - template: Security/SAST.gitlab-ci.yml
 - template: Security/License-Scanning.gitlab-ci.yml

-.merge_request_pipelines_rules: &merge_request_pipelines_rules
- if: $CI_MERGE_REQUEST_ID
- if: $CI_COMMIT_BRANCH == "master" && ($CI_PROJECT_PATH == "gitlab-org/gitlab-runner" || $CI_PROJECT_PATH == "gitlab-org/security/gitlab-runner")
- if: $CI_COMMIT_REF_NAME =~ /\A[0-9]+-[0-9]+-stable\z/ && ($CI_PROJECT_PATH == "gitlab-org/gitlab-runner" || $CI_PROJECT_PATH == "gitlab-org/security/gitlab-runner")
- if: $CI_COMMIT_REF_NAME =~ /\Av[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?\z/ && $CI_PROJECT_PATH == "gitlab-org/gitlab-runner"
- if: $CI_COMMIT_REF_NAME =~ /\Av[0-9]+\.[0-9]+\.[0-9]+?\z/ && $CI_PROJECT_PATH == "gitlab-org/security/gitlab-runner"
+.merge_request_pipelines_rules:
+  rules: &merge_request_pipelines_rules
+  - if: $CI_MERGE_REQUEST_ID
+  - if: $CI_COMMIT_BRANCH == "master" && ($CI_PROJECT_PATH == "gitlab-org/gitlab-runner" || $CI_PROJECT_PATH == "gitlab-org/security/gitlab-runner")
+  - if: $CI_COMMIT_REF_NAME =~ /\A[0-9]+-[0-9]+-stable\z/ && ($CI_PROJECT_PATH == "gitlab-org/gitlab-runner" || $CI_PROJECT_PATH == "gitlab-org/security/gitlab-runner")
+  - if: $CI_COMMIT_REF_NAME =~ /\Av[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?\z/ && $CI_PROJECT_PATH == "gitlab-org/gitlab-runner"
+  - if: $CI_COMMIT_REF_NAME =~ /\Av[0-9]+\.[0-9]+\.[0-9]+?\z/ && $CI_PROJECT_PATH == "gitlab-org/security/gitlab-runner"

 # Overriding 'Dependency-Scanning.gitlab-ci.yml' template, because
 # we need to replace the rules with our own, the same
@@ -149,7 +150,9 @@ unit test with race:
    TESTFLAGS: "-cover -race"

 fuzz variable mask:
-  extends: .fuzz_base
+  extends:
+  - .fuzz_base
+  - .merge_request_pipelines_rules
  image: golang:1.13
  stage: test
  script: