Safer GitLab CI package instructions
Problem to solve
- Python package documentation: https://docs.gitlab.com/ee/user/packages/pypi_repository/index.html#using-gitlab-ci-with-pypi-packages
The GitLab CI snippet is partial and in particular should probably note that the CI_JOB_TOKEN is based on the user, not the branch, so new packages will be uploaded and existing ones overwritten before a branch is merged.
Proposal
- The example could include a complete job definition using
onlyto restrict uploads to a particular branch
As a larger product discussion goes, it feels like there would be room for some restrictions on the CI token, such as not allowing package registry writes from unprotected branches. Since the token doesn't have more permissions than the user pushing the code it's not a security hole but it seems like a rake in the grass awaiting an unsuspecting maintainer, especially since versions are not immutable.
Activity
mentioned in issue gitlab-org/quality/triage-reports#508 (closed)
mentioned in issue gitlab-org/quality/triage-reports#510 (closed)
mentioned in issue gitlab-org/quality/triage-reports#513 (closed)
added devopsverify documentation grouppipeline security labels
added sectionops label
mentioned in issue gitlab-org/quality/triage-reports#532 (closed)
@grantyoung - I think this belongs over with ~"group::package" or I'm missing why this was assigned to grouptesting. Happy to help if we can but think @trizzi and group may have the right expertise here.
Ah ok thanks @jheimbuck_gl, sound right to me will reassign. Apologies for the confusion!
added grouppackage registry label and removed grouppipeline security label
mentioned in issue gitlab-org/quality/triage-reports#607 (closed)
changed milestone to %Backlog
removed sectionops label
removed devopsverify label
added Category:Package Registry PyPI Repository labels
added [deprecated] Accepting merge requests label
@acdha Would you be interested in contributing this change to the docs? You would have to edit this file and submit an MR. https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/user/packages/pypi_repository/index.md.
Setting label(s) devopspackage sectionops based on ~"group::package".
added devopspackage sectionops labels
changed milestone to %Awaiting further demand
added typemaintenance label
