diff --git a/data/deprecations/17-9-runner-pull-policy-validation.yml b/data/deprecations/17-9-runner-pull-policy-validation.yml new file mode 100644 index 0000000000000000000000000000000000000000..611c2c77ed38c8018c9b1aef49f7d87513aae294 --- /dev/null +++ b/data/deprecations/17-9-runner-pull-policy-validation.yml 
@@ -0,0 +1,26 @@ +- title: Reject container image pull policies not in `allowed_pull_policies` + # The milestones for the deprecation announcement, and the removal. + removal_milestone: "18.0" + announcement_milestone: "17.9" + # Change breaking_change to false if needed. + breaking_change: true + window: # Can be 1, 2, or 3 - The window when the breaking change will be deployed on GitLab.com + reporter: deastman # The GitLab username of the person reporting the change + stage: verify + issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/516107 + # Use the impact calculator https://gitlab-com.gitlab.io/gl-infra/breaking-change-impact-calculator/? + impact: medium # Can be one of: [critical, high, medium, low] + scope: instance, group, project # Can be one or a combination of: [instance, group, project] + resolution_role: Maintainer # Can be one of: [Admin, Owner, Maintainer, Developer] + manual_task: true # Can be true or false. Use this to denote whether a resolution action must be performed manually (true), or if it can be automated by using the API or other automation (false). + body: | # (required) Don't change this line. + All configured pull-policies should be present in the + [`allowed_pull_policies` configuration](https://docs.gitlab.com/runner/executors/docker.html#allow-docker-pull-policies) + specified in the runner's `config.toml` file. If they are not, the job should fail with an `incompatible pull policy` error. + + In the current implementation, when multiple pull policies are defined, jobs pass if at least one pull policy + matches those in `allowed-pull-policies`, even if other policies are not included. + + In GitLab 18.0, jobs will fail only if none of the pull policies match those in `allowed-pull-policies`. + However, unlike the current behavior, jobs will use only the pull policies listed in `allowed-pull-policies`. + This distinction can cause jobs that currently pass to fail in GitLab 18.0. 
diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md index 6e086c9cbe5ddfe8129317b9afd85b6fd25ffb90..56ebc00ce437128d429896917f3c5b537c09459a 100644 --- a/doc/update/deprecations.md +++ b/doc/update/deprecations.md @@ -1262,6 +1262,31 @@ This change is a breaking change. You should [create a runner in the UI](https:/ <div class="deprecation breaking-change" data-milestone="18.0"> +### Reject container image pull policies not in `allowed_pull_policies` + +<div class="deprecation-notes"> + +- Announced in GitLab <span class="milestone">17.9</span> +- Removal in GitLab <span class="milestone">18.0</span> ([breaking change](https://docs.gitlab.com/ee/update/terminology.html#breaking-change)) +- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/516107). + +</div> + +All configured pull-policies should be present in the +[`allowed_pull_policies` configuration](https://docs.gitlab.com/runner/executors/docker.html#allow-docker-pull-policies) +specified in the runner's `config.toml` file. If they are not, the job should fail with an `incompatible pull policy` error. + +In the current implementation, when multiple pull policies are defined, jobs pass if at least one pull policy +matches those in `allowed-pull-policies`, even if other policies are not included. + +In GitLab 18.0, jobs will fail only if none of the pull policies match those in `allowed-pull-policies`. +However, unlike the current behavior, jobs will use only the pull policies listed in `allowed-pull-policies`. +This distinction can cause jobs that currently pass to fail in GitLab 18.0. + +</div> + +<div class="deprecation breaking-change" data-milestone="18.0"> + ### Removal of `migrationState` field in `ContainerRepository` GraphQL API <div class="deprecation-notes">
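Review bot: In `data/deprecations/17-9-runner-pull-policy-validation.yml`, `window:` is left with no value even though `breaking_change: true` is set; the inline comment says it can be 1, 2, or 3, so please pick one or drop the key if it does not apply. The `body` also reads as contradicting itself: the first paragraph says the job should fail with `incompatible pull policy` if the configured policies are not all in the allowed list, while the third says that in 18.0 jobs "will fail only if none of the pull policies match". Suggest rewording the first paragraph so it is clear which behavior is the current one, which is the 18.0 one, and in which case a job that passes today starts failing.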
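Review bot: In the `doc/update/deprecations.md` hunk, the setting is spelled `allowed_pull_policies` in the heading and the link text but `allowed-pull-policies` in the three later mentions; use the underscore form throughout so readers can search `config.toml` for the exact key. The section also ends on "can cause jobs that currently pass to fail" without saying what a reader should change before 18.0. A closing sentence stating the action (for example, making the job's pull policies and the runner's allowed list agree) would make this breaking-change notice actionable.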