Cross-project triggers with repository permissions, not user
Problem to solve
I do not think it makes sense that the cross-project triggers are run with the permission of the user who merged the MR.
Currently we have a curl trigger which uses a protected CI variable on the master branch to trigger a cross-project pipeline. I looked into how we could migrate this to cross-project triggers, but it does not seem to be possible because the triggers would now run with the permissions of whoever merges the MR. So everyone who merges MRs on project1 would have to have permissions on project2. Before, we were able to solve this by having a protected variable.
Proposal
My proposal would be to allow configuring per-project triggers outside of the .gitlab-ci.yml file; those triggers would then have per-project permissions and not user permissions. Then, if the person who made the trigger in project1's admin interface has permission to project2, triggers would work.
Permissions and Security
The user who defines the trigger should have admin permissions on project1; the same user should have trigger permissions on project2.
Links / references
https://gitlab.com/gitlab-org/gitlab-ee/issues/8997#note_127668613
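The two mechanisms contrasted in this issue, side by side, as an added example that is not part of the original issue or of GitLab's own documentation. The job names, the `PROJECT2_TRIGGER_TOKEN` and `PROJECT2_ID` variables and the `group/project2` path are placeholders.

```yaml
# Constructed .gitlab-ci.yml for project1. All names and paths are placeholders.

stages:
  - deploy

# Approach the issue describes as working today.
# PROJECT2_TRIGGER_TOKEN is a trigger token created in project2 and stored in
# project1 as a *protected* CI/CD variable, so it is only injected into jobs
# that run on protected branches. Whoever merges the MR in project1 needs no
# access to project2; the authority to start the downstream pipeline comes
# from the token, not from the merging user.
trigger_project2_via_api:
  stage: deploy
  only:
    - master
  script:
    - >
      curl --fail --silent --show-error --request POST
      --form "token=${PROJECT2_TRIGGER_TOKEN}"
      --form "ref=master"
      "${CI_API_V4_URL}/projects/${PROJECT2_ID}/trigger/pipeline"

# Cross-project trigger (bridge job) the issue wants to migrate to.
# No token is involved. As the issue describes, the downstream pipeline is
# created with the permissions of the user whose action started this pipeline
# (here, the person who merged the MR), so that user must be allowed to run
# pipelines in group/project2 or the job fails.
trigger_project2_bridge:
  stage: deploy
  only:
    - master
  trigger:
    project: group/project2
    branch: master
```

When reviewing the first form, check that the variable is marked protected and that `master` is a protected branch in project1; otherwise any branch pipeline can read the token.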