Snippets Groups Projects

CI/CD Pipeline Security

Who can trigger the pipeline?
Who can change the gitlab-ci.yaml?

--> Every person with (write-)access to the repository. That's not good.

Solution

Manage .gitlab-ci.yaml in separate repository
Give only trusted people access to this repository
Use this protected .gitlab-ci.yaml in hpc-compendium project via "Custom CI configuration path"

By implementing #14376 (closed), we make it so that the .gitlab-ci.yml can be pointed to in a different repo. In this way, the configuration can reference a file in another project with a completely different set of permissions. The file should be publicly accessible, but can be editable only by users in the other project. (https://gitlab.com/gitlab-org/gitlab/-/issues/15632)

Other reference: https://docs.gitlab.com/ee/ci/environments/deployment_safety.html#protect-gitlab-ciyml-from-change

Edited 3 years ago

Designs

Child items ...

Activity

Martin Schroschk @mflehmig--tu-dresden.de · 3 years ago

Author Owner

https://gitlab.hrz.tu-chemnitz.de/help/ci/pipelines/settings#visibility-of-pipelines
Martin Schroschk changed the description 3 years ago

changed the description
Danny Marc Rotscher changed milestone to %Umstellung 3 years ago

changed milestone to %Umstellung
Martin Schroschk changed the description 3 years ago

changed the description
Martin Schroschk @mflehmig--tu-dresden.de · 3 years ago

Author Owner

Separation of gitlab-ci.yaml from hpc-compendium is done.
Martin Schroschk closed 3 years ago

closed

Please register or sign in to reply

Nutzungsbedingungen | Datenschutzerklärung | Barrierefreiheitserklärung