tags - Gitlab CI : Run Pipeline job only for tagged commits that exist on protected branches

Question

我想创建一个仅在满足以下两个条件时才运行的管道:

标签引用给定的提交

提交存在于任何 protected 分支(即主分支)

可选:无论何时将标记的未 protected 分支合并(使用合并请求)到 protected 分支或将标记添加到 protected 分支，都应运行该作业。

我试过了:

publish:
  stage: publish
  script:
    - echo "Publish!"
  rules:
    # Only publish if tag given and commit is present on a protected branch
    - if: '$CI_COMMIT_TAG && $CI_COMMIT_REF_PROTECTED == "true"'

哪个不能用作 $CI_COMMIT_TAG已设置 或 $CI_COMMIT_REF_PROTECTED设置为真。
我知道类似的问题: Gitlab ci run job on master with release tag only和 How to run a gitlab-ci.yml job only on a tagged branch? .
我也知道在 gitlab 的问题中有/曾经有过广泛的讨论，有一些解决方案(或接近于此的解决方案)，如 this .
一般的问题似乎是，在 gitlab 中无法确定在给定分支上的提交是否可靠，因为未提供此信息(git 历史记录)。
这个问题是为了在 gitlab CI 中跟踪这个常见用例的正确解决方案。

Answer 1

结合workaround mentioned在与新 gitlab rule 的问题中和 workflow我想出了一个对我来说似乎令人满意的答案。
最初发布解决方法的人提到在某些情况下 git branch contains没有给出正确的结果。
所以确保，git fetch不制作浅拷贝(请注意，将 GIT_STRATEGY 更改为克隆可能很有用，以便删除旧的可能浅拷贝)。
而不是使用 CI_COMMIT_REF_PROTECTED对于 protected 标签也可能如此，我将主分支硬编码为 protected 。

# Be quite strict in what can trigger a pipeline, actually only pushes of
# branches or version tags should trigger anything - otherwise we need to catch
# too many edge cases.
workflow:
  rules:
    # Do no allow manually triggered pipelines to prevent duplicates!
    # Instead rerun the pipeline created with the last push
    - if: $CI_PIPELINE_SOURCE != "push"
      when: never
    # Only execute when a valid version tag like v1.0, 2.3 or similar is given
    # Required is always one point like 1.0
    - if: $CI_COMMIT_TAG =~ /^v?[0-9]+[.][0-9]+([.][0-9]+)?$/
    - if: $CI_COMMIT_BRANCH
variables:
  # Make sure we don't get a shallow copy
  GIT_DEPTH: 0
  # Fetch is default just to make clear what is used
  GIT_STRATEGY: fetch
  # make sure we fetch everything and also see what is happening
  GIT_FETCH_EXTRA_FLAGS: -f --tags --prune --update-head-ok

default:
  before_script:
    - export CI_LOG_LINE=$(git log --decorate=full| grep "^commit $CI_COMMIT_SHA[ ]")
    # var = 1 if the current commit is the **latest** on master
    - export IS_ON_MASTER=$(echo $CI_LOG_LINE | grep -qso "origin/master, " && echo 1 || echo 0)
    # var = 1 if current commit is on any remote commit that is part of masters history
    - export COMMIT_ON_MASTER=$(git branch -r --contains $CI_COMMIT_SHA | grep -Eq '^[ ]+origin/master$'  && echo 1 || echo 0)


stages:
  - check_update_environment

check_update_environment:
  stage: check_update_environment
  script:
    # Lets print some debug stuff
    - echo $CI_JOB_TRIGGERED
    - echo $CI_PIPELINE_SOURCE
    - echo $CI_COMMIT_SHA
    - echo $CI_COMMIT_REF_NAME
    - echo $CI_BUILD_REF
    - echo $CI_COMMIT_BRANCH
    - echo $CI_COMMIT_TAG
    # Get the information about the state of the current commit
    - git log --decorate=full| grep "^commit $CI_COMMIT_SHA[ ]" || echo "Failed???"
    - git status
    - git remote show
    # Show current branch --> normally fails - only for kept for reference
    - git symbolic-ref --short HEAD || echo "Doesn't work"
    # Some more possible debug information
    - git branch --contains $CI_BUILD_REF
    - git tag --contains $CI_BUILD_REF
    - env
    # **Finally the important part**
    # Exit if tag is given on none master branch early
    - if [[ ! -z "$CI_COMMIT_TAG" && $COMMIT_ON_MASTER != 1 ]]; then
         echo "Tags should never be applied to non master branches!" >&2;
         echo "We quit early! Please delete the tag, merge the branch to master and recreate the tag to continue" >&2;
         exit 1;
      fi

test:
  stage: test
  script:
    - echo "Doing testing..."
  dependencies:
    - check_update_environment

publish:
  stage: publish
  script:
    - echo "Publishing..."
  rules:
    # Run always if there is version tag. The version tag is defined
    #   in the workflow rules
    # Due to the fail early in the environment check this is never done for
    # branches that aren't master
    - if: $CI_COMMIT_TAG
  dependencies:
    - test