Limit CI runner to specific branch or protected branches
Description
If a project uses CI to deploy to a server, the CI runner needs access to the target server. Therefore, anyone who can push a .gitlab-ci.yml
to the repository effectively has shell access to the production server. It may be hard for them to avoid detection, but they can do it.
Proposal
Allow runners to be limited to specific branches/tags, or at least to protected branches only.
Only a master/owner can push to a protected branch, so only they could trigger the runner that holds the deploy keys.
This will become more useful once per-environment variables are implemented, but even until then this protection helps secure privileged runners.
It would be better to require both a branch name/wildcard and that the branch is protected, so that accidental or temporary (un)protection of a branch won't cause a security issue.
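As an added illustration (not code from this issue or from GitLab), a small Python model of the rule proposed above: a privileged runner serves a job only when the ref matches the pattern bound to that runner AND the ref is currently protected, so temporarily unprotecting a branch withdraws access to the deploy runner instead of widening it. Runner names, patterns and the policy structure are hypothetical.

```python
from fnmatch import fnmatchcase

# Constructed policy: which refs a privileged runner may serve (hypothetical).
# The second requirement is the point of the proposal: matching the name alone
# is not enough, the ref must also be protected at the time the job is picked up.
RUNNER_POLICY = {
    "deploy-runner": {"ref_pattern": "release/*", "require_protected": True},
}

# Constructed project setting: protected branch/tag patterns (hypothetical).
PROTECTED_REFS = {"master", "release/*"}


def is_protected(ref, protected_patterns=PROTECTED_REFS):
    """True if the ref is covered by any protected-branch/tag pattern."""
    return any(fnmatchcase(ref, pattern) for pattern in protected_patterns)


def runner_may_serve(runner, ref, policy=RUNNER_POLICY, protected=PROTECTED_REFS):
    """Decide whether a runner may pick up a job for the given ref.

    Unrestricted (shared) runners serve anything. A restricted runner serves a
    job only if the ref name matches its pattern and, when required, the ref is
    protected. Note that per-job 'only:' rules inside .gitlab-ci.yml are not
    consulted here: that file is writable by anyone who can push, so it cannot
    be the control that guards deploy keys.
    """
    rule = policy.get(runner)
    if rule is None:
        return True
    if not fnmatchcase(ref, rule["ref_pattern"]):
        return False  # wrong branch/tag name for this runner
    if rule["require_protected"] and not is_protected(ref, protected):
        return False  # name matches, but the ref is not (or no longer) protected
    return True


if __name__ == "__main__":
    for ref in ("release/1.0", "feature/anything", "master"):
        print(f"deploy-runner may serve {ref!r}: {runner_may_serve('deploy-runner', ref)}")
    # A project where 'release/*' was (accidentally) unprotected: access is withdrawn.
    print(runner_may_serve("deploy-runner", "release/1.0", protected={"master"}))
```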
Links / references
- http://stackoverflow.com/questions/39233403/how-to-restrict-runners-to-a-specific-branch-and-lock-the-gitlab-ci-yml-from-ch
- #20367 (closed) Environment-specific variables
- #13569 (moved) Per Runner Variables
- #25521 (closed) Variables available for master only
- … and many more: ~"ci variables"