yaml.gitlab.correctness.changes-with-when-never.changes-with-when-never

profile photo of returntocorpreturntocorp
Author
unknown
Download Count*
LGPL Commons Clause
License

This Gitlab CI YAML will never run on default branches due to a changes rule with when:never. To fix this, make sure the triggering event is a push event. You can do this with if: '$CI_PIPELINE_SOURCE == "push"'. See https://docs.gitlab.com/ee/ci/yaml/index.html#ruleschanges

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: changes-with-when-never
    pattern: |
      - changes:
        - ...
        when: never
    message: "This Gitlab CI YAML will never run on default branches due to a
      `changes` rule with `when:never`. To fix this, make sure the triggering
      event is a push event. You can do this with `if: '$CI_PIPELINE_SOURCE ==
      \"push\"'`. See
      https://docs.gitlab.com/ee/ci/yaml/index.html#ruleschanges"
    metadata:
      category: correctness
      technology:
        - gitlab
        - gitlab-ci
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - yaml
    severity: WARNING

Examples

changes-with-when-never.test.yaml

.bad_sast_template_cz_rules:
  rules:
    #ruleid: changes-with-when-never
    - changes:
        - .somefile
      when: never
    - if: $CI_PIPELINE_SOURCE == "schedule"
      when: always
    - if: $CI_MERGE_REQUEST_IID
      when: always
    - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
      when: always

.good_sast_template_cz_rules:
  rules:
    #ok: changes-with-when-never
    - if: $CI_MERGE_REQUEST_IID
      changes:
        - .somefile
      when: never
    - if: $CI_PIPELINE_SOURCE == "schedule"
      when: always
    - if: $CI_MERGE_REQUEST_IID
      when: always
    - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
      when: always