diff options
Diffstat (limited to 'doc/ci/jobs')
| -rw-r--r-- | doc/ci/jobs/ci_job_token.md | 3 | ||||
| -rw-r--r-- | doc/ci/jobs/index.md | 3 | ||||
| -rw-r--r-- | doc/ci/jobs/job_control.md | 36 |
3 files changed, 33 insertions, 9 deletions
diff --git a/doc/ci/jobs/ci_job_token.md b/doc/ci/jobs/ci_job_token.md index 1906d9cdb6c..a62f670cb12 100644 --- a/doc/ci/jobs/ci_job_token.md +++ b/doc/ci/jobs/ci_job_token.md @@ -23,7 +23,6 @@ You can use a GitLab CI/CD job token to authenticate with specific API endpoints - [Releases](../../api/releases/index.md). - [Terraform plan](../../user/infrastructure/index.md). -The token has the same permissions to access the API as the user that executes the The token has the same permissions to access the API as the user that caused the job to run. A user can cause a job to run by pushing a commit, triggering a manual job, being the owner of a scheduled pipeline, and so on. Therefore, this user must be assigned to @@ -95,7 +94,7 @@ The job token scope is only for controlling access to private projects. 1. Expand **Token Access**. 1. Toggle **Limit CI_JOB_TOKEN access** to enabled. 1. Optional. Add existing projects to the token's access scope. The user adding a - project must have the [maintainer role](../../user/permissions.md) in both projects. + project must have the Maintainer role in both projects. There is [a proposal](https://gitlab.com/groups/gitlab-org/-/epics/3559) to improve the feature with more strategic control of the access permissions. diff --git a/doc/ci/jobs/index.md b/doc/ci/jobs/index.md index 104badb782c..39e14d0d20a 100644 --- a/doc/ci/jobs/index.md +++ b/doc/ci/jobs/index.md @@ -95,6 +95,9 @@ You can't use these keywords as job names: - `variables` - `cache` - `include` +- `true` +- `false` +- `nil` Job names must be 255 characters or less. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/342800) in GitLab 14.5, [with a feature flag](../../administration/feature_flags.md) named `ci_validate_job_length`. diff --git a/doc/ci/jobs/job_control.md b/doc/ci/jobs/job_control.md index a2406a68bb2..6523de0ed1e 100644 --- a/doc/ci/jobs/job_control.md +++ b/doc/ci/jobs/job_control.md @@ -220,7 +220,7 @@ check the value of the `$CI_PIPELINE_SOURCE` variable: | `chat` | For pipelines created by using a [GitLab ChatOps](../chatops/index.md) command. | | `external` | When you use CI services other than GitLab. | | `external_pull_request_event` | When an external pull request on GitHub is created or updated. See [Pipelines for external pull requests](../ci_cd_for_external_repos/index.md#pipelines-for-external-pull-requests). | -| `merge_request_event` | For pipelines created when a merge request is created or updated. Required to enable [merge request pipelines](../pipelines/merge_request_pipelines.md), [merged results pipelines](../pipelines/pipelines_for_merged_results.md), and [merge trains](../pipelines/merge_trains.md). | +| `merge_request_event` | For pipelines created when a merge request is created or updated. Required to enable [merge request pipelines](../pipelines/merge_request_pipelines.md), [merged results pipelines](../pipelines/merged_results_pipelines.md), and [merge trains](../pipelines/merge_trains.md). | | `parent_pipeline` | For pipelines triggered by a [parent/child pipeline](../pipelines/parent_child_pipelines.md) with `rules`. Use this pipeline source in the child pipeline configuration so that it can be triggered by the parent pipeline. | | `pipeline` | For [multi-project pipelines](../pipelines/multi_project_pipelines.md) created by [using the API with `CI_JOB_TOKEN`](../pipelines/multi_project_pipelines.md#create-multi-project-pipelines-by-using-the-api), or the [`trigger`](../yaml/index.md#trigger) keyword. | | `push` | For pipelines triggered by a `git push` event, including for branches and tags. | @@ -263,6 +263,9 @@ Other commonly used variables for `if` clauses: branch. Use when you want to have the same configuration in multiple projects with different default branches. - `if: '$CI_COMMIT_BRANCH =~ /regex-expression/'`: If the commit branch matches a regular expression. +- `if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_TITLE =~ /Merge branch.*/`: + If the commit branch is the default branch and the commit message title matches a regular expression. + For example, the default commit message for a merge commit starts with `Merge branch`. - `if: '$CUSTOM_VARIABLE !~ /regex-expression/'`: If the [custom variable](../variables/index.md#custom-cicd-variables) `CUSTOM_VARIABLE` does **not** match a regular expression. - `if: '$CUSTOM_VARIABLE == "value1"'`: If the custom variable `CUSTOM_VARIABLE` is @@ -406,9 +409,9 @@ the `build` job is still skipped. The job does not run for any of the files. With some configurations that use `changes`, [jobs or pipelines might run unexpectedly](#jobs-or-pipelines-run-unexpectedly-when-using-changes) -#### Use `only:changes` with pipelines for merge requests +#### Use `only:changes` with merge request pipelines -With [pipelines for merge requests](../pipelines/merge_request_pipelines.md), +With [merge request pipelines](../pipelines/merge_request_pipelines.md), it's possible to define a job to be created based on files modified in a merge request. @@ -704,9 +707,12 @@ deploystacks: [gcp, data] deploystacks: [vultr, data] ``` -In [GitLab 14.1 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/239737), you can -use the variables defined in `parallel: matrix` with the [`tags`](../yaml/index.md#tags) keyword for -dynamic runner selection. +### Select different runner tags for each parallel matrix job + +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/239737) in GitLab 14.1. + +You can use variables defined in `parallel: matrix` with the [`tags`](../yaml/index.md#tags) +keyword for dynamic runner selection: ```yaml deploystacks: @@ -931,7 +937,7 @@ For example: You might have jobs or pipelines that run unexpectedly when using [`rules: changes`](../yaml/index.md#ruleschanges) or [`only: changes`](../yaml/index.md#onlychanges--exceptchanges) without -[pipelines for merge requests](../pipelines/merge_request_pipelines.md). +[merge request pipelines](../pipelines/merge_request_pipelines.md). Pipelines on branches or tags that don't have an explicit association with a merge request use a previous SHA to calculate the diff. This calculation is equivalent to `git diff HEAD~` @@ -944,3 +950,19 @@ and can cause unexpected behavior, including: Additionally, rules with `changes` always evaluate as true in [scheduled pipelines](../pipelines/schedules.md). All files are considered to have changed when a scheduled pipeline runs, so jobs might always be added to scheduled pipelines that use `changes`. + +### `You are not allowed to download code from this project.` error message + +You might see pipelines fail when a GitLab administrator runs a protected manual job +in a private project. + +CI/CD jobs usually clone the project when the job starts, and this uses [the permissions](../../user/permissions.md#job-permissions) +of the user that runs the job. All users, including administrators, must be direct members +of a private project to clone the source of that project. [An issue exists](https://gitlab.com/gitlab-org/gitlab/-/issues/23130) +to change this behavior. + +To run protected manual jobs: + +- Add the administrator as a direct member of the private project (any role) +- [Impersonate a user](../../user/admin_area/index.md#user-impersonation) who is a + direct member of the project. |