From 78a6c28a0da8efdf6130f318b36ebb2f0b69af93 Mon Sep 17 00:00:00 2001
From: Grant Hickman <ghickman@gitlab.com>
Date: Thu, 22 Feb 2024 23:35:52 +0000
Subject: [PATCH] Excluded analyzers variable behavior change

---
 ...luded-analyzer-variable-behavior-change.yml | 13 +++++++++++++
 doc/update/deprecations.md                     | 18 ++++++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 data/deprecations/16-9-excluded-analyzer-variable-behavior-change.yml

diff --git a/data/deprecations/16-9-excluded-analyzer-variable-behavior-change.yml b/data/deprecations/16-9-excluded-analyzer-variable-behavior-change.yml
new file mode 100644
index 0000000000000..ab34361a14361
--- /dev/null
+++ b/data/deprecations/16-9-excluded-analyzer-variable-behavior-change.yml
@@ -0,0 +1,13 @@
+- title: "Scan execution policies enforcing scans with an `_EXCLUDED_ANALYZERS` variable will override project variables"  # (required) Clearly explain the change, or planned change. For example, "The `confidential` field for a `Note` is deprecated" or "CI/CD job names will be limited to 250 characters."
+  removal_milestone: "17.0"  # (required) The milestone when this feature is planned to be removed
+  announcement_milestone: "16.9"  # (required) The milestone when this feature was first announced as deprecated.
+  breaking_change: true  # (required) Change to false if this is not a breaking change.
+  reporter: g.hickman  # (required) GitLab username of the person reporting the change
+  stage: govern  # (required) String value of the stage that the feature was created in. e.g., Growth
+  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/424513  # (required) Link to the deprecation issue in GitLab
+  body: |  # (required) Do not modify this line, instead modify the lines below.
+    After delivering and verifying [Enforce SEP variables with the highest precedence](https://gitlab.com/gitlab-org/gitlab/-/issues/424028), we have discovered unintended behavior, allowing users to set `_EXCLUDED_PATHS` in pipeline configuration and preventing them from setting `_EXCLUDED_ANALYZERS` in both policy and pipeline configuration.
+
+    To ensure proper enforcement of scan execution variables, when an `_EXCLUDED_ANALYZERS` or `_EXCLUDED_PATHS` variables are specified for a scan execution policy using the GitLab scan action, the variable will now override any project variables defined for excluded analyzers.
+
+    Users may enable the feature flag to enforce this behavior before 17.0. In 17.0, projects leveraging the `_EXCLUDED_ANALYZERS`/`_EXCLUDED_PATHS` variable where a scan execution policy with the variable is defined will be overridden by default.
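Review bot: the `title` line (`+- title: "Scan execution policies enforcing scans with an `_EXCLUDED_ANALYZERS` variable ..."`) names only `_EXCLUDED_ANALYZERS`, but the body two paragraphs later says the new precedence applies to both `_EXCLUDED_ANALYZERS` and `_EXCLUDED_PATHS`; since the title is what readers scan in the deprecations index, it should name both variables (or say "`_EXCLUDED_ANALYZERS` or `_EXCLUDED_PATHS`") so a user relying on a project-level `_EXCLUDED_PATHS` is not left thinking they are unaffected. In the same paragraph, "the variable will now override any project variables defined for excluded analyzers" is likewise too narrow and should read "... override any project or pipeline variables of the same name"; it also has a number disagreement ("when an ... variables are specified"), which reads cleaner as "when `_EXCLUDED_ANALYZERS` or `_EXCLUDED_PATHS` is specified". The last paragraph tells users they "may enable the feature flag" before 17.0 without naming the flag or linking to how to enable it, which a self-managed admin needs in order to opt in early; please add the flag name to the body (and the `issue_url` line already points at the deprecation issue, so a link to the flag's own documentation is the only missing reference).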
diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md
index a6e4a3f0ffa41..a3ae607128f42 100644
--- a/doc/update/deprecations.md
+++ b/doc/update/deprecations.md
@@ -1640,6 +1640,24 @@ If you applied customizations to the removed analyzers, or if you currently disa
 
 <div class="deprecation breaking-change" data-milestone="17.0">
 
+### Scan execution policies enforcing scans with an `_EXCLUDED_ANALYZERS` variable will override project variables
+
+<div class="deprecation-notes">
+- Announced in GitLab <span class="milestone">16.9</span>
+- Removal in GitLab <span class="milestone">17.0</span> ([breaking change](https://docs.gitlab.com/ee/update/terminology.html#breaking-change))
+- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/424513).
+</div>
+
+After delivering and verifying [Enforce SEP variables with the highest precedence](https://gitlab.com/gitlab-org/gitlab/-/issues/424028), we have discovered unintended behavior, allowing users to set `_EXCLUDED_PATHS` in pipeline configuration and preventing them from setting `_EXCLUDED_ANALYZERS` in both policy and pipeline configuration.
+
+To ensure proper enforcement of scan execution variables, when an `_EXCLUDED_ANALYZERS` or `_EXCLUDED_PATHS` variables are specified for a scan execution policy using the GitLab scan action, the variable will now override any project variables defined for excluded analyzers.
+
+Users may enable the feature flag to enforce this behavior before 17.0. In 17.0, projects leveraging the `_EXCLUDED_ANALYZERS`/`_EXCLUDED_PATHS` variable where a scan execution policy with the variable is defined will be overridden by default.
+
+</div>
+
+<div class="deprecation breaking-change" data-milestone="17.0">
+
 ### Secure analyzers major version update
 
 <div class="deprecation-notes">
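Review bot: the first body paragraph (`+After delivering and verifying ... we have discovered unintended behavior, allowing users to set `_EXCLUDED_PATHS` in pipeline configuration and preventing them from setting `_EXCLUDED_ANALYZERS` in both policy and pipeline configuration.`) is ambiguous about what the defect was: as written it can be read either as "pipeline-level `_EXCLUDED_PATHS` was honoured when it should have been overridden by the policy" or as "users could not set `_EXCLUDED_ANALYZERS` at all", and the reader cannot tell which of the two was the unintended part. Please state each variable's current (wrong) behaviour and its behaviour after the change in separate sentences, because the whole point of a breaking-change notice is that a user can tell whether their pipeline will start or stop excluding something. The closing sentence has the wrong subject: "projects leveraging the ... variable ... will be overridden by default" should say that the project's or pipeline's variable value will be overridden by the policy's value, not the project. Since this markdown section reproduces the YAML `body:` verbatim, apply the same wording fixes to the data file so the two copies stay identical rather than editing only one of them.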
-- 
GitLab