From c0e45a529cb5f1bc352aca4e929f7ff47c74f88b Mon Sep 17 00:00:00 2001
From: Timo Furrer <tuxtimo@gmail.com>
Date: Fri, 14 Mar 2025 09:03:47 +0100
Subject: [PATCH] Change all potentially destructive jobs to manual by default

This patch changes the default for all jobs that perform potentially
destructive or state-changing actions to manual.

This only affects the job templates, not the opinionated pipeline
templates.

Closes https://gitlab.com/components/opentofu/-/issues/117

Changelog: changed
---
 templates/apply.yml                                         | 5 +----
 templates/delete-state.yml                                  | 5 +----
 templates/destroy.yml                                       | 5 +----
 tests/integration-tests/AutoEncryption.gitlab-ci.yml        | 1 +
 tests/integration-tests/AutoEncryptionMigrate.gitlab-ci.yml | 3 +++
 5 files changed, 7 insertions(+), 12 deletions(-)

diff --git a/templates/apply.yml b/templates/apply.yml
index 3b98e55..be1c76c 100644
--- a/templates/apply.yml
+++ b/templates/apply.yml
@@ -76,10 +76,7 @@ spec:
       type: string
       description: 'Path to a variables files relative to root_dir. Only used if no_plan is true otherwise the variables are coming from the plan.'
     rules:
-      # FIXME: eventually, we'll want to define `null` as the default,
-      # but this is NOT support yet, see
-      # https://gitlab.com/gitlab-org/gitlab/-/issues/440468
-      default: [{when: on_success}]
+      default: [{when: manual}]
       type: array
       description: 'Defines the `rules` of the job.'
     cache_policy:
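Review bot: The new `default: [{when: manual}]` is not reflected in the input's description two lines below it, which still says only that it defines the job's rules, so a consumer reading the spec cannot tell that the job now waits for a manual trigger; the same applies to the identical change in templates/delete-state.yml and templates/destroy.yml. I would append a sentence to each description such as `Defaults to manual because the job changes state; pass rules to run it automatically.` It is also worth documenting that with `when: manual` inside `rules`, GitLab defaults `allow_failure` to false, so a pipeline using the default shows as blocked until someone runs the job. Who is allowed to start that manual job is decided by the consuming project's branch and environment protection, not by this template, so the default is a guard against accidents rather than an approval control. The `spec` block starts and continues outside the hunk.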
diff --git a/templates/delete-state.yml b/templates/delete-state.yml
index cf6eee8..717ff43 100644
--- a/templates/delete-state.yml
+++ b/templates/delete-state.yml
@@ -16,10 +16,7 @@ spec:
       default: 'true'
       description: 'Wheather the delete-state job should be created or not.'
     rules:
-      # FIXME: eventually, we'll want to define `null` as the default,
-      # but this is NOT support yet, see
-      # https://gitlab.com/gitlab-org/gitlab/-/issues/440468
-      default: [{when: on_success}]
+      default: [{when: manual}]
       type: array
       description: 'Defines the `rules` of the job.'
 
diff --git a/templates/destroy.yml b/templates/destroy.yml
index fa350f8..45e0997 100644
--- a/templates/destroy.yml
+++ b/templates/destroy.yml
@@ -76,10 +76,7 @@ spec:
       type: string
       description: 'Path to a variables files relative to root_dir. Only used if no_plan is true otherwise the variables are coming from the plan.'
     rules:
-      # FIXME: eventually, we'll want to define `null` as the default,
-      # but this is NOT support yet, see
-      # https://gitlab.com/gitlab-org/gitlab/-/issues/440468
-      default: [{when: on_success}]
+      default: [{when: manual}]
       type: array
       description: 'Defines the `rules` of the job.'
     cache_policy:
diff --git a/tests/integration-tests/AutoEncryption.gitlab-ci.yml b/tests/integration-tests/AutoEncryption.gitlab-ci.yml
index e25b098..624efd9 100644
--- a/tests/integration-tests/AutoEncryption.gitlab-ci.yml
+++ b/tests/integration-tests/AutoEncryption.gitlab-ci.yml
@@ -11,6 +11,7 @@ include:
       no_plan: true
       auto_encryption: true
       auto_encryption_passphrase: '947F23E4-B9FC-4E76-B7B4-1D35ECBE9B09'
+      rules: [{when: on_success}]
 
   # For CI Terraform state cleanup
   - component: $CI_SERVER_FQDN/$CI_PROJECT_PATH/delete-state@$CI_COMMIT_SHA
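Review bot: The `delete-state` include on the last line of this hunk gets no matching override, although the template default for that component changes to manual in this same commit. Unless its inputs (outside the hunk) already set `rules`, the state cleanup for this test would stop running automatically and leave test state behind. If so, its inputs need an explicit `rules:` value as well, for example `rules: [{when: on_success}]`. The same question applies to the `delete-state` include at the end of the last hunk in tests/integration-tests/AutoEncryptionMigrate.gitlab-ci.yml. A short comment above each added `rules:` line, e.g. `# template default is manual; tests must run unattended`, would explain why the override exists.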
diff --git a/tests/integration-tests/AutoEncryptionMigrate.gitlab-ci.yml b/tests/integration-tests/AutoEncryptionMigrate.gitlab-ci.yml
index c2631ad..224f509 100644
--- a/tests/integration-tests/AutoEncryptionMigrate.gitlab-ci.yml
+++ b/tests/integration-tests/AutoEncryptionMigrate.gitlab-ci.yml
@@ -10,6 +10,7 @@ include:
       root_dir: $TEST_GITLAB_TOFU_ROOT_DIR
       state_name: $TEST_GITLAB_TOFU_STATE_NAME
       no_plan: true
+      rules: [{when: on_success}]
 
   - component: $CI_SERVER_FQDN/$CI_PROJECT_PATH/apply@$CI_COMMIT_SHA
     inputs:
@@ -25,6 +26,7 @@ include:
       auto_encryption: true
       auto_encryption_passphrase: '947F23E4-B9FC-4E76-B7B4-1D35ECBE9B09'
       auto_encryption_enable_migration_from_unencrypted: true
+      rules: [{when: on_success}]
 
   - component: $CI_SERVER_FQDN/$CI_PROJECT_PATH/apply@$CI_COMMIT_SHA
     inputs:
@@ -39,6 +41,7 @@ include:
       no_plan: true
       auto_encryption: true
       auto_encryption_passphrase: '947F23E4-B9FC-4E76-B7B4-1D35ECBE9B09'
+      rules: [{when: on_success}]
 
   # For CI Terraform state cleanup
   - component: $CI_SERVER_FQDN/$CI_PROJECT_PATH/delete-state@$CI_COMMIT_SHA
-- 
GitLab