How do I restrict a GitLab stage to be only built on merge request to main branch with manual execution

I have the below code

but it does not run on merge request to main

```yaml
image:
  name: hashicorp/terraform:latest
  entrypoint: [""]

stages:
  - plan
  - apply

plan:
  stage: plan
  script:
    - echo "initialization"
    - echo "PLAN started and completed"
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" || $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_REF_NAME =~ /^feature/ && $CI_COMMIT_REF_NAME != /^dev/ && $CI_COMMIT_REF_NAME != /^main/'

apply:
  stage: apply
  script:
    - terraform apply --auto-approve
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_PIPELINE_TRIGGERED == "true" && $CI_COMMIT_REF_NAME == "main" && $CI_COMMIT_REF_NAME !~ /^dev/ && $CI_COMMIT_REF_NAME !~ /^feature/'
      when: manual
```

Can anyone suggest how to fix this?

Your rules don’t make sense. Please describe in words when the jobs should run.

it does not run on merge request to main

The .gitlab-ci.yml file you provided describes two stages: plan and apply. Each of these stages has a job associated with it, and each job has a set of rules that determine when the job should run. Here’s a plain English explanation of when these jobs will run based on their rules:

  1. Plan Stage: This stage has a single job that will run if the pipeline source is a merge request event or a push event to a branch whose name starts with “feature”. However, it will not run if the branch name starts with “dev” or “main”. In other words, this job will run when a merge request is created or updated, or when a push is made to a feature branch (i.e., a branch whose name starts with “feature”), unless the branch is named “dev” or “main”.
  2. Apply Stage: This stage also has a single job, but it will only run under more specific conditions. This job will run if the pipeline source is a merge request event, the pipeline was triggered, and the branch name is “main”. However, it will not run if the branch name starts with “dev” or “feature”. Furthermore, this job requires manual intervention to run, meaning it won’t run automatically even if all conditions are met. It needs to be manually triggered by a user.

The plan job specifically indicates that the job should not run on main (`&& $CI_COMMIT_REF_NAME != /^main/'`)

The apply job is a manual job, so it won’t execute automatically.

The apply job also has `&& $CI_PIPELINE_TRIGGERED == "true"` as a necessary condition. If all you have in your .gitlab-ci.yml is what you shared, CI_PIPELINE_TRIGGERED will never be automatically true.

The plan job is part of plan stage, and apply job is part of apply stage. Stages define the order in which jobs will execute. In this scenario:

stages:
  - plan
  - apply

The apply job will only run if all jobs from the plan stage are successful. If the plan job fails, the apply job will not be able to run because jobs in later stages are not run if any job in a previous stage fails.

Ultimately I think we need to untangle the logic you’re using to define rules and stages for these jobs.

Can you explain and provide additional details about the desired behavior for these jobs so we can assist you further?

You got the logic right. @gitlab-greg

I have managed to solve the issue by using the following pipeline rules:

```yaml
image:
  name: hashicorp/terraform:latest
  entrypoint: [""]

stages:
  - plan
  - apply

plan:
  stage: plan
  script:
    - echo "initialization"
    - terraform init
  artifacts:
    name: terraform_dependency
    paths:
      - ".terraform/"
      - ".terraform.lock.hcl"
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" || $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_REF_NAME =~ /^feature/ && $CI_COMMIT_REF_NAME != /^dev/ && $CI_COMMIT_REF_NAME != /^main/'

apply:
  stage: apply
  script:
    - terraform apply --auto-approve
  rules:
    - if: '$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME == "dev" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "main"'
      when: manual
```

@balonik Hope this makes sense to you.

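Added example, not part of any post in this thread: the same two jobs with each condition split into its own rule, so the result no longer depends on `&&` binding tighter than `||`, and with the merge request target tested through `CI_MERGE_REQUEST_TARGET_BRANCH_NAME`. Job names, scripts and branch names are taken from the thread. The optional source-branch restriction is shown as a comment.

```yaml
# Added example (constructed); job names and scripts mirror the thread.
image:
  name: hashicorp/terraform:latest
  entrypoint: [""]

stages:
  - plan
  - apply

plan:
  stage: plan
  script:
    - terraform init
  artifacts:
    name: terraform_dependency
    paths:
      - ".terraform/"
      - ".terraform.lock.hcl"
  rules:
    # Rules are evaluated top to bottom and the first match wins, so one
    # condition per rule removes any && / || precedence question.
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    # In a push pipeline CI_COMMIT_REF_NAME is the pushed branch.
    # Pattern matches use =~ and !~, not == and !=.
    - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_REF_NAME =~ /^feature/'

apply:
  stage: apply
  script:
    - terraform apply --auto-approve
  rules:
    # In a merge request pipeline CI_COMMIT_REF_NAME is the source branch,
    # so the target has to be read from CI_MERGE_REQUEST_TARGET_BRANCH_NAME.
    # To accept only dev -> main, as in the poster's solution, append:
    #   && $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME == "dev"
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "main"'
      when: manual
```

Because `apply` runs inside the merge request pipeline, pressing the manual button applies the Terraform configuration before the merge request has been merged.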