Allow cross-project triggers for users without permissions
Release notes
Projects may now list arbitrary other projects which are allowed to trigger pipelines
Problem to solve
If not all of your users have privileged access to both the CI trigger: source and destination projects, they will get CI failures any time they merge on the source project because they don't have permission to trigger the pipeline on the target.
Intended users
User experience goal
The owner(s) of project A can tell GitLab that it is permissible to allow pipelines running on specific branches on project B to trigger pipelines on project A.
Proposal
allow_triggers:
  - projects:
      - project: foo/bar
        branches:
          - source_branch: main
            target_branch: main
          - source_branch: release
            target_branch: production
Further details
This would support complex CI/CD scenarios where separate components are in different projects and not all of the users with merge permissions on the source project have the same permissions on the project to be triggered.
Permissions and Security
This would not change the permissions model but would require some care (UI warnings?) about handling protected/masked variables — e.g. it isn't a problem if you're just deploying files but if you're running code care would need to be taken to avoid exfiltrating the environment.
Documentation
Availability & Testing
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
Links / references
Similar intention to #12338 which proposes changing this by adding a new permission
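
The following is an added example, not GitLab code and not part of the original proposal: a Ruby evaluator showing how a target project could check an incoming cross-project trigger against the proposed allow_triggers list with default-deny, exact-match semantics. The function names, the YAML nesting and the exact-match rule (no wildcards) are assumptions made for illustration.

```ruby
require 'yaml'

# Constructed policy for the target project, in the shape proposed above.
# The nesting is an assumption; the proposal does not fix a schema.
POLICY_YAML = <<~YAML
  allow_triggers:
    - projects:
        - project: foo/bar
          branches:
            - source_branch: main
              target_branch: main
            - source_branch: release
              target_branch: production
YAML

# Flatten the policy into [project, source_branch, target_branch] triples.
# Malformed entries are dropped, so a broken rule can never widen access.
def allowed_triples(policy_yaml)
  doc = YAML.safe_load(policy_yaml)
  return [] unless doc.is_a?(Hash)

  Array(doc['allow_triggers']).flat_map do |group|
    next [] unless group.is_a?(Hash)

    Array(group['projects']).flat_map do |entry|
      next [] unless entry.is_a?(Hash) && entry['project'].is_a?(String)

      Array(entry['branches']).filter_map do |pair|
        next unless pair.is_a?(Hash)

        src = pair['source_branch']
        dst = pair['target_branch']
        [entry['project'], src, dst] if src.is_a?(String) && dst.is_a?(String)
      end
    end
  end
end

# Default deny: a trigger is accepted only when the source project, the
# source branch and the target branch all match one listed rule exactly.
def trigger_allowed?(policy_yaml, source_project:, source_branch:, target_branch:)
  allowed_triples(policy_yaml).include?([source_project, source_branch, target_branch])
end
```

Because each rule binds a source branch to one target branch, an allowed `main` pipeline on foo/bar cannot be used to start the `production` pipeline, which is where protected variables are most likely to live.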