Migrate DAST CI template to rules syntax

See https://gitlab.com/gitlab-org/gitlab/-/issues/36546

changelogs/unreleased/e2300-dast-template.yml

+---
+title: Migrate DAST CI template to rules syntax
+merge_request: 30776
+author:
+type: changed

ee/spec/lib/gitlab/ci/templates/dast_gitlab_ci_yaml_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'DAST.gitlab-ci.yml' do
+  subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('DAST') }
+
+  describe 'the created pipeline' do
+    let(:user) { create(:admin) }
+    let(:default_branch) { 'master' }
+    let(:pipeline_branch) { default_branch }
+    let(:project) { create(:project, :custom_repo, files: { 'README.txt' => '' }) }
+    let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch ) }
+    let(:pipeline) { service.execute!(:push) }
+    let(:build_names) { pipeline.builds.pluck(:name) }
+
+    before do
+      stub_ci_pipeline_yaml_file(template.content)
+      allow_any_instance_of(Ci::BuildScheduleWorker).to receive(:perform).and_return(true)
+      allow(project).to receive(:default_branch).and_return(default_branch)
+    end
+
+    context 'when project has no license' do
+      it 'includes no jobs' do
+        expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
+      end
+    end
+
+    context 'when project has Ultimate license' do
+      let(:license) { create(:license, plan: License::ULTIMATE_PLAN) }
+
+      before do
+        allow(License).to receive(:current).and_return(license)
+      end
+
+      context 'by default' do
+        it 'includes job' do
+          expect(build_names).to match_array(%w[dast])
+        end
+      end
+
+      context 'when DAST_DISABLED=1' do
+        before do
+          create(:ci_variable, project: project, key: 'DAST_DISABLED', value: '1')
+        end
+
+        it 'includes no jobs' do
+          expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
+        end
+      end
+
+      context 'when DAST_DISABLED_FOR_DEFAULT_BRANCH=1' do
+        before do
+          create(:ci_variable, project: project, key: 'DAST_DISABLED_FOR_DEFAULT_BRANCH', value: '1')
+        end
+
+        context 'when on default branch' do
+          it 'includes no jobs' do
+            expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
+          end
+        end
+
+        context 'when on feature branch' do
+          let(:pipeline_branch) { 'patch-1' }
+
+          before do
+            project.repository.create_branch(pipeline_branch)
+          end
+
+          it 'includes job' do
+            expect(build_names).to match_array(%w[dast])
+          end
+        end
+      end
+
+      context 'when REVIEW_DISABLED=true' do
+        before do
+          create(:ci_variable, project: project, key: 'REVIEW_DISABLED', value: 'true')
+        end
+
+        context 'when on default branch' do
+          it 'includes job' do
+            expect(build_names).to match_array(%w[dast])
+          end
+        end
+
+        context 'when on feature branch' do
+          let(:pipeline_branch) { 'patch-1' }
+
+          before do
+            project.repository.create_branch(pipeline_branch)
+          end
+
+          it 'includes no jobs' do
+            expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
+          end
+        end
+      end
+    end
+  end
+end

lib/gitlab/ci/templates/Jobs/DAST-Default-Branch-Deploy.gitlab-ci.yml

@@ -18,17 +18,16 @@ dast_environment_deploy:
     on_stop: stop_dast_environment
   artifacts:
     paths: [environment_url.txt]
-  only:
-    refs:
-      - branches
-    variables:
-      - $GITLAB_FEATURES =~ /\bdast\b/
-    kubernetes: active
-  except:
-    variables:
-      - $CI_DEFAULT_BRANCH != $CI_COMMIT_REF_NAME
-      - $DAST_DISABLED || $DAST_DISABLED_FOR_DEFAULT_BRANCH
-      - $DAST_WEBSITE  # we don't need to create a review app if a URL is already given
+  rules:
+    - if: $CI_DEFAULT_BRANCH != $CI_COMMIT_REF_NAME
+      when: never
+    - if: $DAST_DISABLED || $DAST_DISABLED_FOR_DEFAULT_BRANCH
+      when: never
+    - if: $DAST_WEBSITE # we don't need to create a review app if a URL is already given
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $CI_KUBERNETES_ACTIVE &&
+          $GITLAB_FEATURES =~ /\bdast\b/
 
 stop_dast_environment:
   extends: .dast-auto-deploy
@@ -42,14 +41,13 @@ stop_dast_environment:
     name: dast-default
     action: stop
   needs: ["dast"]
-  only:
-    refs:
-      - branches
-    variables:
-      - $GITLAB_FEATURES =~ /\bdast\b/
-    kubernetes: active
-  except:
-    variables:
-      - $CI_DEFAULT_BRANCH != $CI_COMMIT_REF_NAME
-      - $DAST_DISABLED || $DAST_DISABLED_FOR_DEFAULT_BRANCH
-      - $DAST_WEBSITE
+  rules:
+    - if: $CI_DEFAULT_BRANCH != $CI_COMMIT_REF_NAME
+      when: never
+    - if: $DAST_DISABLED || $DAST_DISABLED_FOR_DEFAULT_BRANCH
+      when: never
+    - if: $DAST_WEBSITE # we don't need to create a review app if a URL is already given
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $CI_KUBERNETES_ACTIVE &&
+          $GITLAB_FEATURES =~ /\bdast\b/

lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml

@@ -27,13 +27,15 @@ dast:
   artifacts:
     reports:
       dast: gl-dast-report.json
-  only:
-    refs:
-      - branches
-    variables:
-      - $GITLAB_FEATURES =~ /\bdast\b/
-  except:
-    variables:
-      - $DAST_DISABLED
-      - $DAST_DISABLED_FOR_DEFAULT_BRANCH && $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
-      - $CI_DEFAULT_BRANCH != $CI_COMMIT_REF_NAME && $REVIEW_DISABLED && $DAST_WEBSITE == null && $DAST_API_SPECIFICATION == null
+  rules:
+    - if: $DAST_DISABLED
+      when: never
+    - if: $DAST_DISABLED_FOR_DEFAULT_BRANCH &&
+          $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
+      when: never
+    - if: $CI_DEFAULT_BRANCH != $CI_COMMIT_REF_NAME &&
+          $REVIEW_DISABLED && $DAST_WEBSITE == null &&
+          $DAST_API_SPECIFICATION == null
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bdast\b/