Consider making release/tools and deployer pipelines read-only for everyone
Summary
Should/Can we make https://ops.gitlab.net/gitlab-org/release/tools and https://ops.gitlab.net/gitlab-com/gl-infra/deployer pipelines visible (read-only) to everyone that has an account on ops.gitlab.net (which should be most developers I think)? This would improve visibility of our deployment pipelines for developers.
Steps to make pipelines visible to everyone with an account on ops.gitlab.net
-
Change project visibility to
Internal
.https://ops.gitlab.net/gitlab-com/gl-infra/deployer already has this setting set to
Internal
.https://ops.gitlab.net/gitlab-org/release/tools/edit -> Expand
Visibility, project features, permissions
section. -
Set
Repository
project feature visibility toEveryone with access
.https://ops.gitlab.net/gitlab-com/gl-infra/deployer already has this setting set to
Everyone With Access
.https://ops.gitlab.net/gitlab-org/release/tools/edit -> Expand
Visibility, project features, permissions
section. -
Set
CI/CD
project feature visibility toEveryone with access
.https://ops.gitlab.net/gitlab-com/gl-infra/deployer already has this setting set to
Everyone With Access
.https://ops.gitlab.net/gitlab-org/release/tools/edit -> Expand
Visibility, project features, permissions
section. -
Enable Public pipelines
This is already enabled for https://ops.gitlab.net/gitlab-org/release/tools. But not enabled for https://ops.gitlab.net/gitlab-com/gl-infra/deployer.
https://ops.gitlab.net/gitlab-com/gl-infra/deployer/-/settings/ci_cd -> Expand
General pipelines
section.
Benefits
release/tools
and deployer
projects contain most of the pipelines involved in deploying to gitlab.com.
- This will make it easier for other engineers to help debug failures in these pipelines.
- This will help the grouprelease team have better visibility into our deployment process while they are trying to build deployment related features.
- This will improve general visibility into gitlab.com deployment for engineers, which is currently a black box for most engineers.
Example projects
Example projects on ops where pipelines are read-only to everyone with an account on ops: https://ops.gitlab.net/rpereira2/release-tools-fake/ and https://ops.gitlab.net/rpereira2/deployer-fake/.
Example pipeline: https://ops.gitlab.net/rpereira2/release-tools-fake/-/pipelines/1018088.
Note that those who have admin/superuser access on ops will always have write access to the projects.
Steps needed to be done before we can make the pipelines visible
-
Make sure all CI/CD variables containing tokens are masked in job logs.