The operational framework of GitLab CI/CD is built upon the premise of continuous integration and automated delivery, yet the necessity for human intervention remains a critical requirement in professional software engineering. While the primary objective of a CI pipeline is to remove manual steps to ensure speed and reliability, there are numerous scenarios where a "manual trigger" is not just a convenience but a safety requirement. Manual jobs allow developers and operations teams to pause the automation flow, perform sanity checks, or provide specific runtime parameters before a high-risk action—such as a production deployment—is executed.
In the GitLab ecosystem, a manual job is one that is configured not to start automatically. Instead, it waits for a user to interact with the GitLab interface or trigger it via the API. This capability transforms a rigid linear pipeline into a flexible tool that can handle conditional deployments, Proof of Concept (PoC) testing, and targeted server updates without risking the stability of the primary application environment.
Pipeline Architecture and Fundamental Components
To understand manual jobs, one must first understand the structural hierarchy of a GitLab CI/CD pipeline. Pipelines are the core engine of the system, configured via a .gitlab-ci.yml file using YAML keywords. These pipelines are available across various tiers, including Free, Premium, and Ultimate, and are supported on GitLab.com, GitLab Self-Managed, and GitLab Dedicated offerings.
A pipeline is composed of three primary structural layers:
- Global YAML Keywords: These are the overarching configurations that dictate the general behavior of the project's pipelines, such as default image settings or global variables.
- Jobs: These are the atomic units of work. A job executes specific commands to accomplish a task, such as compiling code, running a test suite, or deploying a container. Jobs are executed by runners and operate independently of one another.
- Stages: These are the logical groupings of jobs. Stages run in a strict sequential order. For example, a pipeline might have a build stage, followed by a test stage, and finally a deploy stage. All jobs within a single stage run in parallel. If all jobs in a stage succeed, the pipeline advances to the next stage. If a job fails, the subsequent stages are typically blocked, ending the pipeline early.
As a practical example, a standard pipeline might be structured as follows:
- Build Stage: Contains a
compilejob that transforms source code into an executable. - Test Stage: Contains
test1andtest2jobs that run parallel validation suites. These only execute if thecompilejob succeeds. - Deploy Stage: This is where manual jobs are most frequently utilized to ensure a human reviews the test results before pushing to production.
Implementation of Manual Job Control
The primary mechanism for creating a manual job is the use of the when: manual keyword within the job definition. This instruction tells the GitLab runner that the job should be added to the pipeline but should not be executed until a user manually triggers it.
The Role of the Manual Keyword
When a job is marked as when: manual, it appears in the pipeline visualization as a "play" button. The job remains in a pending state and does not consume runner resources until the user interacts with the UI. This is essential for creating "gates" in the deployment process.
However, there is a nuanced difference between a "manual job" and a "manual trigger" as seen in other tools like Jenkins or Bamboo. In GitLab, when: manual means the job is part of the pipeline but requires confirmation. To create a pipeline that only runs when triggered via the web interface (rather than on every push), users may look toward workflow: rules combined with specific variables like $CI_JOB_MANUAL.
Manual Confirmation for High-Risk Actions
For sensitive operations, such as deleting a database or deploying to a production cluster, GitLab provides the manual_confirmation attribute. When used in conjunction with when: manual, this requires the user to explicitly confirm the action before the job starts. This prevents accidental clicks from triggering catastrophic events in a production environment.
Advanced Job Logic and Rules Integration
The behavior of manual jobs can be further refined using the rules keyword, which allows for complex conditional logic.
Conditional Execution and the Problem of Over-Triggering
A common architectural challenge arises when a developer wants a job to run automatically under some conditions but manually under others. Consider a scenario where a metainfo job is designed to validate an XML file. The desired logic is:
1. If the data/metainfo.xml file has changed, run the job automatically.
2. If the file has not changed, allow the job to be run manually (for instance, if the validation binary in the Docker image was updated and needs to re-verify old files).
This is often implemented with the following configuration:
yaml
metainfo:
stage: test
image: "some-image:latest"
script:
- validate-metainfo data/metainfo.xml
needs: ["build@x86_64"]
rules:
- changes:
- data/metainfo.xml
when: always
- when: manual
allow_failure: true
In this configuration, the allow_failure: true attribute is critical. Without it, the manual job is considered "blocking." This means the pipeline will stop at the metainfo job and will not proceed to subsequent stages until a human manually triggers that job. By setting allow_failure: true, the pipeline can continue to later stages even if the manual job is never executed.
The Branch Pipeline Conflict
A known issue in GitLab Community Edition (e.g., v16.9.1) involves branch pipelines. In some configurations, jobs that are supposed to be manual may trigger automatically when a branch is created, regardless of the rules specified. This occurs because the branch creation event can override certain conditional logic, leading to "flooded" pipeline lists where jobs start unexpectedly.
Parameterization and Manual Variable Injection
One of the most significant limitations of native GitLab manual jobs is the difficulty of triggering jobs with custom parameter values on the fly. While GitLab provides a UI for variables, the lack of a native, robust "form-based" input for every manual job can be a bottleneck.
Manual Variable Overrides
When a user triggers a manual job, they can provide specific variables to customize the execution. This is particularly useful for:
- Proof of Concept (PoC) Testing: A developer can push code to a separate branch and use a manual job to push a Docker image to a personal organization instead of the official company registry. This allows the developer to test the build process without breaking the official application.
- Targeted Deployment: In a mono-repo environment with multiple teams and servers, a developer can use the same deployment pipeline but set variables for the specific branch and target server to achieve a precise deployment outcome.
Variable Precedence and Visibility
When variables are provided during a manual trigger:
- Override Logic: If a variable is added during the manual run that already exists in the CI/CD settings or the
.gitlab-ci.ymlfile, the manual value overrides the predefined value. - Masking and Expansion: Variables overridden via this manual process are expanded and are not masked. This means sensitive data could potentially be exposed in the job logs if not handled carefully.
- Visibility: Access to these variables depends on project visibility. In public projects, users with Developer, Maintainer, or Owner roles can manage these. In private or internal projects, roles ranging from Guest and Planner to Owner have varying levels of access.
Retrying Manual Jobs
GitLab allows for the iteration of manual jobs using previously specified variables. From the job details page, users have two primary options:
- Retry: This restarts the job using the exact same variables as the previous run.
- Retry job with modified values: This opens a dropdown form where the previous variables are prefilled, allowing the user to tweak a few parameters before re-running the job. For those requiring typed and validated parameters, GitLab recommends using job inputs.
Security and Governance through Protected Environments
To prevent unauthorized users from triggering critical manual jobs, GitLab utilizes Protected Environments. This feature is available in the Premium and Ultimate tiers across all offerings.
By associating a manual job with a specific environment, organizations can restrict who has the authority to click the "play" button.
Implementation of Protected Manual Jobs
To protect a manual job, an environment must be defined within the job configuration:
yaml
deploy_prod:
stage: deploy
script:
- echo "Deploy to production server"
environment:
name: production
url: https://example.com
when: manual
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
Once the environment is defined in the YAML file, the administrator must navigate to the "Protected Environments" settings in the GitLab UI. From there, they can specify exactly which users, roles, or groups are "Allowed to Deploy." This creates a strict governance model where:
- Only authorized personnel can trigger production deployments.
- The pipeline is effectively blocked until an approved user "approves" the job by running it.
- A clear audit trail is maintained regarding who triggered the deployment and when.
Comparative Analysis of Manual Triggering Strategies
The choice between different manual triggering methods depends on the desired outcome and the required level of control.
| Feature | when: manual |
workflow: rules (Web) |
External API/Forms |
|---|---|---|---|
| Primary Use Case | Manual gates within a pipeline | Triggering a whole pipeline from UI | Complex parameterization |
| Execution | Starts a specific job | Starts the entire pipeline | Starts pipeline via API call |
| Blocking | Can block pipeline if allow_failure is false |
Does not block other pipelines | Independent of other pipelines |
| Parameter Input | Basic variable override | Pipeline-level variables | Full custom form integration |
| Access Control | Environment-based protection | Project role-based | API token-based |
Analysis of Workarounds and External Integration
For organizations that find GitLab's native manual parameterization insufficient, there are several strategies to achieve higher levels of control.
The GitLab API and Custom Forms
Because the native UI for manual variables can be cumbersome, some teams implement a custom frontend form. This form collects the required parameters from the user and then sends a POST request to the GitLab API to trigger the pipeline with the specified variables. This bypasses the limitations of the standard UI and allows for validated, typed inputs.
The Jenkins Alternative
In discussions regarding manual job runners, Jenkins is often cited as a robust alternative due to its "out of the box" manual job runner. Jenkins provides more native flexibility for manual parameterization. However, integrating Jenkins with GitLab introduces operational overhead, as developers must ensure the two separate systems communicate effectively. For most teams, the effort to maintain a separate Jenkins instance outweighs the benefit, leading them to stick with GitLab's evolving CI/CD capabilities.
Conclusion
Manual jobs in GitLab CI/CD represent a critical intersection between automated efficiency and human oversight. By utilizing the when: manual keyword, developers can create safe deployment gates, while allow_failure: true ensures that these gates do not inadvertently halt the entire pipeline. The integration of Protected Environments in Premium and Ultimate tiers provides the necessary security layer to ensure that high-stakes actions are only performed by authorized personnel.
While the system struggles with some nuances—such as the behavior of branch pipelines and the lack of sophisticated native input forms—the ability to override variables during a manual retry provides a flexible path for PoC testing and targeted server updates. The strategic use of rules, environment definitions, and manual_confirmation allows an organization to scale its CI/CD processes from simple automated tests to complex, governed release cycles across multiple environments.