Provide Build-Artifacts per dedicated Read-Only Access

Description

While setting up our continuous deployment process with GitLab i stumbled over the following Problem. How to securely deploy the build-artifacts from the GitLab-instance to the application servers?

Since we're seeking for a way to access our build-artifacts per infrastructure-automation, we're interested in a read-only access of the artifacts. Currently this is not possible for two reasons: The Deploy-Keys grant a secure read-only access to the Git-repository via SSH, unfortunately these do not provide the build-artifacts. In opposite the Access-Tokens grant access to the API, which does provide the build-artifacts. Unfortunately these Access-Tokens contain all rights of their owner.

We consider this being an insecure way to access the artifacts, since a leakage of the access-token grants the attacker full access to our GitLab-instance which is something we would like to avoid.

The current workaround seems to be creating a "technical" guest user with limited rights, giving her read-only access to the given repositories.

Proposal

We would like to propose either

• that there is some functionality introduced to limit the access-rights of Access-Tokens - preferable to specific repositories,
• that access to the build-artifacts may be granted using the deploy key for the given repository or
• a third (beside main and the wiki) git-repository f.e. project.artifacts.git is introduced which may contain the versioned history of artifacts.

Links / references

/cc @nick.thomas - referencing to the support request 48262