Pipeline Status Role / Privilege (only)

Description

Permission / Role for updating Build or Pipeline status only. This would be granted to our build-server user. Audit requires that Build cannot modify the code.

Proposal

Add a new privilege and/or role that only permits that user to update Pipeline information.

Links / references

Documentation blurb

Overview

To support separation of concerns, audit requests that the build server not be able to push code (modify code). But we still want Jenkins, for example, to be able to integrate with Pipelines to show status of the builds. Currently, we're forbidden (by policy) from doing so, as there's no Role/Privilege that lets integration happen without the ability to push code.

To use the feature, you would create a user representing the build system, grant the "Update Pipelines" or "Update Build Information" privilege (only), and status information would be pushed as it could be today with Developer privileges.

Use cases

Any development team where code push has to be separated from build functions.

Feature checklist

Make sure these are completed before closing the issue, with a link to the relevant commit.

  • Feature assurance
  • Documentation
  • Added to features.yml