Environment.action: access and verify should not require the roles configured for protected environments

Release notes

Problem to solve

As a Release Manager, I want to make sure that engineers can run "plan" jobs that do not change the environment without maintainer rights or any special roles and processes.

The environment.action CI attribute has 5 valid values:

• start (default)
• stop
• prepare
• access
• verify

We learned that prepare/access/verify are identical in terms of behaviour. At the same time, there are various requests asking for different behaviour in different use cases. We want to provide the following setup:

require approval \ reset timer	❌ reset timer	✅ reset timer
❌ approval	verify	access
✅ approval	❓	prepare

A strongly related issue is Environment.action: prepare should require the ... (#437132) that strengthens the requirements on prepare.

Proposal

Today, all jobs with environment.action: verify|access to a protected environment only allow users in the “allowed to deploy” configuration to run them. Remove this requirement and allow verify/access jobs to be triggered by regular (Developer) users.

Intended users

• Rachel (Release Manager)
• Sasha (Software Developer)*

Feature Usage Metrics

• MAU of environment.action jobs by value

Does this feature require an audit event?

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.