How do I configure gitlab CI jobs to run on protected branches only?
F

5

19

I am trying to configure a gitlab CI job to run only on the restricted branches, but I cannot find an only directive to do this.

Ferreby answered 27/2, 2019 at 8:35 Comment(0)
V
9

In GitLab 11.11 you can check this by accessing the environment variable CI_COMMIT_REF_PROTECTED

only:
    variables:
        - $CI_COMMIT_REF_PROTECTED

Reference:

Villalba answered 19/11, 2019 at 18:8 Comment(3)
I believe that this should use $CI_COMMIT_REF_PROTECTED instead of CI_COMMIT_REF_PROTECTED. source: docs.gitlab.com/ee/ci/variables/README.html#supported-syntax - Peculiarity
Even with the suggestion above, this is still incorrect. The correct solution is sufficiently different that I will post my own answer. - Peculiarity
only:variables: has been deprecated - Masoretic
S
36

rules:if should be used.

rules:
  - if: $CI_COMMIT_REF_PROTECTED == "true"

only:variables: has been deprecated

Saito answered 24/6, 2021 at 20:20 Comment(0)
P
13

Using only:variables: combined with CI_COMMIT_REF_PROTECTED seems to be a good solution to your problem, but the details are difficult to determine without experimentation.

The documentation of the predefined variable CI_COMMIT_REF_PROTECTED is a bit unclear.

If the job is running on a protected branch

I expected CI_COMMIT_REF_PROTECTED to be set only if the branch is protected, but it appears that it is a boolean value instead. This means we should check for the string "true" rather than existence of the variable. See variables -> supported syntax, rule 1. Equality matching using a string.

Putting this together, I'd say a complete solution that clearly expresses your intentions would be:

only:
  refs:
    - branches
  variables:
    - $CI_COMMIT_REF_PROTECTED == "true"

The refs:branches is required if you don't want the job to run on protected tags.

Peculiarity answered 24/11, 2019 at 23:12 Comment(2)
Thanks for the hint, I suggested a different warning on the official documentation MR 26491 that should land soon. - Liturgist
only:variables: has been deprecated. To control when to add jobs to pipelines, use rules instead. - Masoretic
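Added example (not part of any answer above): a `.gitlab-ci.yml` that combines the `rules:if` form with the branch-only restriction discussed in this answer, and sets the bare-variable check beside the string comparison. Job names and script commands are placeholders; `CI_COMMIT_BRANCH` is a GitLab predefined variable that the thread does not mention.

```yaml
# Added example; job names and script lines are placeholders.
stages:
  - test
  - deploy

# Runs in every pipeline, protected or not.
unit-tests:
  stage: test
  script:
    - echo "run tests"

# Weak form, shown for comparison only.
# A bare variable in rules:if tests "defined and not empty".
# CI_COMMIT_REF_PROTECTED holds the string "false" on unprotected refs,
# which is non-empty, so this rule matches there as well.
deploy-weak:
  stage: deploy
  script:
    - echo "deploy"
  rules:
    - if: $CI_COMMIT_REF_PROTECTED

# Corrected form: compare against the string "true", and require
# CI_COMMIT_BRANCH, which is set in branch pipelines but not in tag
# pipelines, so protected tags do not trigger the job.
deploy-protected-branch:
  stage: deploy
  script:
    - echo "deploy"
  rules:
    - if: $CI_COMMIT_REF_PROTECTED == "true" && $CI_COMMIT_BRANCH
    # No other rule matches, so the job is left out of all other pipelines.
```

`rules` cannot be combined with `only`/`except` in the same job, so a job migrated to this form must drop its `only:` block.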
F
2

You can add a protected variable to your project (or group). Assuming you have set a variable PROTECTED with an arbitrary value you can use

only:
    variables:
        - $PROTECTED

in your .gitlab-ci.yml to check if the variable is present (since protected variables are only passed on to protected branches).

Ferrous answered 27/2, 2019 at 11:6 Comment(2)
This is a possible solution, but I was looking for something that was more built into GitLab. In other words: 'why do I need to add a useless variable to specify jobs that should run on protected branches only?'. Nevertheless, thanks for the tip. I can accept this answer if there is no standard way to do this. - Ferreby
only:variables: has been deprecated - Masoretic
N
0

I am having a similar issue. Given that I am using the free tier, I can't lock files or do anything special. So what I did is this: pipelines can run for every MR, but the variables required to run are only going to be in protected branches, which are required for my pipeline to pass. This was enough for my use case.

Naara answered 10/7 at 14:54 Comment(0)
