Merge branch 'andyschoenen/add-ensure_pipeline_policy_pre_stage_complete_group-ff' into 'master'

Add additional group level feature flag for ensure_pipeline_policy_pre_stage_complete See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176192 Merged-by: Pedro Pombeiro <noreply@pedro.pombei.ro> Approved-by: Marcos Rocha <mrocha@gitlab.com> Approved-by: Pedro Pombeiro <noreply@pedro.pombei.ro> Reviewed-by: Pedro Pombeiro <noreply@pedro.pombei.ro> Co-authored-by: Andy Schoenen <aschoenen@gitlab.com>

Merge branch 'andyschoenen/add-ensure_pipeline_policy_pre_stage_complete_group-ff' into 'master'
1730cfb2 · Pedro Pombeiro · GitLab · d58c29e8 · 1f6d098e · 1730cfb2
--- a/ee/app/services/ee/ci/pipeline_processing/atomic_processing_service.rb
+++ b/ee/app/services/ee/ci/pipeline_processing/atomic_processing_service.rb
@@ -20,7 +20,7 @@ def status_of_previous_jobs_dag(job)
        # pipeline-policy-pre stage is not completed. This is to
        # ensure jobs can not circumvent enforces security checks.
        def calculate_status_based_on_policy_pre_stage(status, job)
-          return status if ensure_pipeline_policy_pre_stage_complete_disabled?
+          return status unless ensure_pipeline_policy_pre_stage_complete_enabled?
          return status unless policy_pre_stage || job_on_policy_pre_stage?(job)

          policy_pre_stage_completed? ? status : 'running'
@@ -42,10 +42,11 @@ def policy_pre_stage
        end
        strong_memoize_attr :policy_pre_stage

-        def ensure_pipeline_policy_pre_stage_complete_disabled?
-          ::Feature.disabled?(:ensure_pipeline_policy_pre_stage_complete, pipeline.project)
+        def ensure_pipeline_policy_pre_stage_complete_enabled?
+          ::Feature.enabled?(:ensure_pipeline_policy_pre_stage_complete, pipeline.project) ||
+            ::Feature.enabled?(:ensure_pipeline_policy_pre_stage_complete_group, pipeline.project.group)
        end
-        strong_memoize_attr :ensure_pipeline_policy_pre_stage_complete_disabled?
+        strong_memoize_attr :ensure_pipeline_policy_pre_stage_complete_enabled?
      end
    end
  end

--- a/ee/config/feature_flags/beta/ensure_pipeline_policy_pre_stage_complete_group.yml
+++ b/ee/config/feature_flags/beta/ensure_pipeline_policy_pre_stage_complete_group.yml
+---
+name: ensure_pipeline_policy_pre_stage_complete_group
+feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/469256
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176192
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/500652
+milestone: '17.8'
+group: group::security policies
+type: beta
+default_enabled: false
--- a/ee/spec/services/ee/ci/pipeline_processing/atomic_processing_service_spec.rb
+++ b/ee/spec/services/ee/ci/pipeline_processing/atomic_processing_service_spec.rb
@@ -425,9 +425,10 @@
          end
        end

-        context 'when the ensure_pipeline_policy_pre_stage_complete feature is disabled' do
+        context 'when both feature flags are disabled' do
          before do
            stub_feature_flags(ensure_pipeline_policy_pre_stage_complete: false)
+            stub_feature_flags(ensure_pipeline_policy_pre_stage_complete_group: false)
          end

          it 'creates a pipeline with policy_job and bridge_dag_job pending', :aggregate_failures do