Explain access rights in .gitlab-ci.yml file includes

Problem to solve

Explain what access rights are necessary to use a file include in .gitlab-ci.yml.

When a template is included in a project, using include:file, then the person using this template needs access to the template project.

  • When starting a Pipeline - otherwise a »yaml invalid« and »error« tag is shown and the pipeline won't start for this user
  • When using the Pipeline Editor - otherwise an error »This GitLab CI configuration is invalid: Project xx-example-project-xx not found or access denied!.« is shown and the tabs »Visualize«, »Lint« and »View merged YAML« don't show a result

Example: Same Pipeline started by a developer with access to the template project, and by a developer without access to the template project.

[Screenshot: Bildschirmfoto_von_2021-03-02_11-02-03]

Further details

Access rights are explained for includes via remote method:

https://docs.gitlab.com/ee/ci/yaml/README.html#include

remote: Include a file from a remote URL. Must be publicly accessible.

https://docs.gitlab.com/ee/ci/yaml/README.html#includeremote

The remote file must be publicly accessible by an HTTP/HTTPS GET request, because authentication in the remote URL is not supported.

Proposal

Add a statement that, for each included project file, access to the project is required.

This means the project containing the template needs to have the visibility »public« or »internal«. If the project is »private«, then the person using the Pipeline Editor or starting a Pipeline needs to have at least the »Reporter« role assigned in the template project (»Guest« is not sufficient).

Other links/references

https://docs.gitlab.com/ee/ci/yaml/README.html#includefile

Edited by Kyle Wiebers
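
The rule proposed above can be checked before a pipeline is started. The following Python sketch is an added example, not part of the original issue and not GitLab code: it takes an already-parsed .gitlab-ci.yml, finds the include:file entries, and lists the template projects a given user could not include. The project paths, user names and the layout of the visibility and membership tables are constructed assumptions; the numeric access levels are GitLab's standard values.

```python
# Added example: models the access rule proposed in this issue for include:file.
# Not GitLab code; project names, users and the data layout are constructed.

# GitLab numeric access levels (Guest 10, Reporter 20, Developer 30).
GUEST, REPORTER, DEVELOPER = 10, 20, 30


def include_projects(ci_config):
    """Return the project paths referenced by include:file entries.

    ci_config is the already-parsed .gitlab-ci.yml (a dict). Entries using
    local, remote or template carry no 'project' key and are skipped.
    """
    includes = ci_config.get("include", [])
    if isinstance(includes, (str, dict)):   # single include, not a list
        includes = [includes]
    return sorted({e["project"] for e in includes
                   if isinstance(e, dict) and "project" in e and "file" in e})


def can_resolve(visibility, access_level):
    """Rule from the proposal: public/internal projects resolve for the user;
    a private project needs at least the Reporter role (Guest is not enough)."""
    if visibility in ("public", "internal"):
        return True
    return access_level is not None and access_level >= REPORTER


def blocked_includes(ci_config, visibilities, memberships):
    """List template projects this user could not include.

    visibilities: {project_path: 'public'|'internal'|'private'}
    memberships:  {project_path: access_level} for the user running the pipeline
    Unknown projects are treated as private with no membership, matching the
    combined 'not found or access denied' error.
    """
    return [p for p in include_projects(ci_config)
            if not can_resolve(visibilities.get(p, "private"), memberships.get(p))]


# Constructed sample: one private and one internal template project.
CI_CONFIG = {"include": [
    {"project": "platform/ci-templates", "ref": "main", "file": "/build.yml"},
    {"project": "platform/shared-jobs", "file": "/lint.yml"},
    {"local": "/ci/deploy.yml"},
    {"remote": "https://example.com/ci/test.yml"},
]}
VISIBILITY = {"platform/ci-templates": "private", "platform/shared-jobs": "internal"}

if __name__ == "__main__":
    for user, roles in {"dev_a": {"platform/ci-templates": DEVELOPER},
                        "dev_b": {"platform/ci-templates": GUEST}}.items():
        print(user, blocked_includes(CI_CONFIG, VISIBILITY, roles))
```

A non-empty result for a user corresponds to the »yaml invalid« state described in the issue: the pipeline would not start for that user until the template project's visibility or the user's role is changed.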