Pipelines visible to non-project members when permissions set to "Only Project Members"

Summary

I'm trying to set a project up so it has an open issue tracker, but everything else is private.

It looks from the permissions that this should be entirely possible, and I set it up accordingly.

However, when viewing the project as an unauthenticated visitor, in a separate browser, I can view the pipelines for the project still.

Steps to reproduce

Create a project, set it to public, set repository permissions as shown below.

Visit the project as an unauthenticated user, and click on the CI/CD menu

Example Project

https://gitlab.com/saveleam/website

What is the current bug behavior?

Pipelines are visible to non-project users

What is the expected correct behaviour?

pipelines would not be visible to non-project users

Relevant logs and/or screenshots

Permissions:

Screen_Shot_2018-02-27_at_09.36.15

Pipelines visible to unauthenticated visitor:

Screen_Shot_2018-02-27_at_09.49.28

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info

N/A

Results of GitLab application Check

N/A

Possible fixes