14

Right now, anyone who creates a branch in my project and adds a .gitlab-ci.yml file to it can execute commands on my server using the runner. How can I make it so that only masters or owners can upload CI config files and make changes to them?

I'm using https://gitlab.com/gitlab-org/gitlab-ci-multi-runner running on bash.

  • 1
    This strikes me as a very reasonable feature request. Especially since gitlab-ci now supports deployments. Have you considered raising it [here](https://gitlab.com/gitlab-org/gitlab-ci-multi-runner/issues/)? – Matthew Sep 07 '16 at 16:11

2 Answers

5

The GitLab runner wasn't really designed for this scenario and thus you are unable to do this. What you could do instead is have a new project with just your .gitlab-ci.yml file and configure it so that it pulls the original repository. From there you can do all the other things you want to do with your repository.

Fairy
  • Sorry, I don't understand how this works. Can you explain (push to project A = CI that does what)? Like, what is the new project with just my CI file doing? – CausingUnderflowsEverywhere Aug 31 '16 at 16:22
  • 2
    @CausingUnderflowsEverywhere You have 2 repos. Repo A is your original repo with no runners enabled and no CI file. Repo B is your "Runner repo" where you have just the CI file. In that file you `git pull` Repo A and do all the other things you wanted to do. This way you are able to lock away the CI File and still have all the rights. There is no other way to really do this. – Fairy Sep 01 '16 at 05:55
  • Hmm, that requires a manual push on my side each time I want to run a CI; it's not automated at all, so it's otherwise worthless. Thanks for the tip though. If I was working alone, it'd be quite a possibility, but the fact is, and as I stated in the question, I'm working with other people. It is simply not feasible for me to watch if someone pushed something to repo A for me to push to repo B to activate the CI, which will not show up on merge requests in repo A. I could use webhooks and such, but then I wouldn't even use your workaround; I'd put the CI in some code activated by a webhook. – CausingUnderflowsEverywhere Sep 03 '16 at 18:18
  • It's automated on the repo end, for sure; it just doesn't magically respond to local commits. That's not okay? Pushing is 'so cvs' but it's a reliable trigger and gatekeeper for what will far more often become expensive test rigs. – user2066657 Dec 23 '19 at 21:42
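
The two-repository layout described in the answer and comments above, as an added example that is not part of the original thread: a script that a job in Repo B could call to check out Repo A at one validated commit. The names `REPO_A_URL`, `REPO_A_SHA` and the `run` argument are assumptions made for this sketch.

```shell
#!/usr/bin/env bash
# Added example: script called from a job in Repo B's .gitlab-ci.yml.
# REPO_A_URL and REPO_A_SHA are hypothetical variables defined on Repo B.

# Accept only a full 40-character lowercase hex commit id, so the value can
# never be read by git as an option (e.g. "--upload-pack=...") and never
# names a branch that a contributor can move after review.
valid_sha() {
  case "$1" in
    *[!0-9a-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# Clone Repo A into a fresh directory and check out exactly one commit.
# Returns 2 without touching git or the filesystem if the ref is rejected.
fetch_repo_a() {
  local url="$1" sha="$2" dest="$3"
  valid_sha "$sha" || { echo "refusing ref: $sha" >&2; return 2; }
  rm -rf -- "$dest"
  git clone --quiet --no-checkout -- "$url" "$dest" || return 1
  git -C "$dest" checkout --quiet --detach "$sha"
}

# Runs only when invoked as: ./ci-job.sh run
if [ "${1:-}" = "run" ]; then
  set -eu
  fetch_repo_a "$REPO_A_URL" "$REPO_A_SHA" "$PWD/repo-a"
  git -C repo-a rev-parse HEAD   # record which commit is being built
  # The job steps are written here, in Repo B. Anything executed from
  # repo-a/ (Makefiles, package scripts, test code) still runs as the
  # runner user, so contributors to Repo A control that part.
fi
```

Keeping the CI file in Repo B protects the job definition only; any build or test script the job executes from Repo A's tree remains under the control of whoever can push there.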
1

GitLab now supports moving your .gitlab-ci.yml file to another location outside of your repo. Only people with admin repo access can change this setting, making it ideal to have read-only pipelines for most users of your repo.

KMZ