Allow group owners to define and lock a custom CI config path
Problem to solve
A recurring complaint from customers is the lack of control at the group level within GitLab, primarily for compliance reasons, to prevent certain behaviors or actions within the projects that the group controls. One of the most prominent pain points is separation of duties, specifically within pipelines.
Currently, customers can define a custom CI path at the instance or project level, but not at the group level. This means GitLab.com customers must manage individual projects, which can number in the hundreds of thousands, and create custom tooling to enforce specific pipeline stages or jobs to meet their compliance requirements.
Intended users
User experience goal
A group owner should be able to define the default custom CI configuration path at the group level and have that apply to newly created projects.
Proposal
Bring the Default CI configuration path setting from the instance level to the group level.
Further details
In future iterations we will likely need additional features to make this a more comprehensive option for organizations:
- An ability to refine the scope to specific subgroups and/or projects
- Recursively apply this custom CI config path to existing subgroups and/or projects
- Make this field un-editable by anyone except the root group owner(s)
These would likely be separate issues to strengthen this feature.