Pipeline works on commit, fails on MR run

I’m working on some labs from the Gitlab Partner Bootcamp. I’m creating a .gitlab-ci.yml file, and started with the Auto-Devops template. I added a “scan” stage. When I make commits, the entire pipeline runs just fine, no issues. But when I create a MR, the pipeline fails instantly. Instead of having many stages and jobs, it only shows my “scan:security-scans” stage/job, and it failed with the message security-scans - failed - (downstream pipeline can not be created, No stages / jobs for this pipeline.). I’ve been working on this all afternoon and can’t figure it out. Any pointers?

Edit with more info: my repo includes dockerfile, index.js, and package.json files. So I believe it should be running, as at least those rules match. The variables in the if block have not been explicitly defined. Removing the workflow block, allows everything to run normally. At this point I just want to understand what’s going on, as the behavior is the exact opposite of what I expected.

image: alpine:latest

  # KUBE_INGRESS_BASE_DOMAIN is the application deployment domain and should be set as a variable at the group or project level.
  # KUBE_INGRESS_BASE_DOMAIN: domain.example.com

  POSTGRES_PASSWORD: testing-password

  DOCKER_DRIVER: overlay2


  DOCKER_TLS_CERTDIR: ""  # https://gitlab.com/gitlab-org/gitlab-runner/issues/4501

  - build
  - test
  - scan
  - deploy  # dummy stage to follow the template guidelines
  - review
  - dast
  - staging
  - canary
  - production
  - incremental rollout 10%
  - incremental rollout 25%
  - incremental rollout 50%
  - incremental rollout 100%
  - performance
  - cleanup

    stage: scan
            - template: Security/License-Scanning.gitlab-ci.yml
            - template: Security/Container-Scanning.gitlab-ci.yml
            - template: Security/Dependency-Scanning.gitlab-ci.yml

        - node_modules


    - exists:
        - Dockerfile

    # https://github.com/heroku/heroku-buildpack-clojure
    - exists:
        - project.clj

    # https://github.com/heroku/heroku-buildpack-go
    - exists:
        - go.mod
        - Gopkg.mod
        - Godeps/Godeps.json
        - vendor/vendor.json
        - glide.yaml
        - src/**/*.go

    # https://github.com/heroku/heroku-buildpack-gradle
    - exists:
        - gradlew
        - build.gradle
        - settings.gradle

    # https://github.com/heroku/heroku-buildpack-java
    - exists:
        - pom.xml
        - pom.atom
        - pom.clj
        - pom.groovy
        - pom.rb
        - pom.scala
        - pom.yaml
        - pom.yml

    # https://github.com/heroku/heroku-buildpack-multi
    - exists:
        - .buildpacks

    # https://github.com/heroku/heroku-buildpack-nodejs
    - exists:
        - package.json

    # https://github.com/heroku/heroku-buildpack-php
    - exists:
        - composer.json
        - index.php

    # https://github.com/heroku/heroku-buildpack-play
    # TODO: detect script excludes some scala files
    - exists:
        - '**/conf/application.conf'

    # https://github.com/heroku/heroku-buildpack-python
    # TODO: detect script checks that all of these exist, not any
    - exists:
        - requirements.txt
        - setup.py
        - Pipfile

    # https://github.com/heroku/heroku-buildpack-ruby
    - exists:
        - Gemfile

    # https://github.com/heroku/heroku-buildpack-scala
    - exists:
        - '*.sbt'
        - project/*.scala
        - .sbt/*.scala
        - project/build.properties

    # https://github.com/dokku/buildpack-nginx
    - exists:
        - .static

# NOTE: These links point to the latest templates for development in GitLab canonical project,
# therefore the actual templates that were included for Auto DevOps pipelines
# could be different from the contents in the links.
# To view the actual templates, please replace `master` to the specific GitLab version when
# the Auto DevOps pipeline started running e.g. `v13.0.2-ee`.
  - template: Jobs/Build.gitlab-ci.yml  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Jobs/Build.gitlab-ci.yml
  - template: Jobs/Test.gitlab-ci.yml  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Jobs/Test.gitlab-ci.yml
  - template: Jobs/Code-Quality.gitlab-ci.yml  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Jobs/Code-Quality.gitlab-ci.yml
  - template: Jobs/Code-Intelligence.gitlab-ci.yml  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Jobs/Code-Intelligence.gitlab-ci.yml
  - template: Jobs/Deploy.gitlab-ci.yml  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Jobs/Deploy.gitlab-ci.yml
  - template: Jobs/Deploy/ECS.gitlab-ci.yml  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Jobs/Deploy/ECS.gitlab-ci.yml
  - template: Jobs/Deploy/EC2.gitlab-ci.yml  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Jobs/Deploy/EC2.gitlab-ci.yml
  - template: Jobs/DAST-Default-Branch-Deploy.gitlab-ci.yml  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Jobs/DAST-Default-Branch-Deploy.gitlab-ci.yml
  - template: Jobs/Browser-Performance-Testing.gitlab-ci.yml  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Jobs/Browser-Performance-Testing.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
  #- template: Security/Container-Scanning.gitlab-ci.yml  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
  #- template: Security/Dependency-Scanning.gitlab-ci.yml  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
  #- template: Security/License-Scanning.gitlab-ci.yml  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Secret-Detection.gitlab-ci.yml

Hello @ccq1994,

I’m amazed that this was working at all using

    - template: [path/to/template]

For starters, the Gitlab CI pipeline reference has no mention of supporting template with a trigger -> include.

Looking at the first template though Security/Container-Scanning.gitlab-ci.yml, you can see that there is a rule in the template that checks that CI_COMMIT_BRANCH is required to be set in order to run. Looking at the predefined CI/CD environment variables, that environment variable will not be set for MRs.

Templates are convenient and powerful things, however you must be cautious and carefully read their behavior prior to using them.