
Extend tag protection to deploy keys

Usecase/Context

I'm managing a growing team and need to enhance our workflows for security of the codebase during our growth. We are producing an npm package released on the npm registry.

The proper way to automate CI/CD is to build a "publish" pipeline (which ultimately calls npm publish) triggered by a version tag (let's say v1.0.0). In order to produce that tag, a developer needs to execute npm version 1.0.0 && git push --tags and everything should be fine.

The problem with that command is that it implies leaving the target branch unprotected for them to push to it, which is a problem for the stability of our codebase in the mid/long term.

My goal is to keep that protection as much as possible and limit the action of pushing to a unique set of deploy keys which I can control. In the end the process for creating a release should be that developers need to go to the GitLab web UI to create tags which would trigger the publishing job (but it's a chicken and egg problem since npm version is the one to create the version tag).

Ultimately, I succeeded by creating a workflow which:

  1. From gitlab-ui, a developer creates a 1.0.0 tag
  2. The creation of the 1.0.0 (without v) tag will trigger a pipeline
  3. The pipeline uses node:alpine, in which it installs git + openssh and the private deploy key
  4. It clones the repo (once more, I know...)
  5. Finds the branch where the tag lives and checks it out.
  6. Deletes the 1.0.0 tag locally and remotely
  7. Calls npm version with the same tag (with v, this time)
  8. Calls npm publish on npm
  9. Pushes back the new version commit+tag in the repo.

It's tough, but it works. It succeeds in:

  • Keeping the protection lock on the main branch from pushes by "anyone except the deploy key set"
  • Increasing the package version in the git repo + deploying to the npm registry in one atomic action (as opposed to git push + pipeline being separate steps)

Now what I'm missing is to protect those version tags from update/delete. I know that I can use Protected tags, but those do not allow specifying a deploy key as the sole creator of those tags.

Proposal

Allow Protected tags to be strictly created by deploy keys.

Unrelated discovered bugs

On a side note, since my job is triggered by a tag, and pushes back a tag, I wanted to use the following rule, but it ended up not working:

only:
  refs:
    - tags
  variables:
    # checks if the tag is vX.Y.Z (optionally with a -rc.N suffix)
    - $CI_COMMIT_TAG =~ /(?i)^v[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?$/
    # checks that the commit message is *not* X.Y.Z (to avoid running the pipeline a 2nd time after step 9.)
    - $CI_COMMIT_MESSAGE !~ /(?i)^v[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?$/
Edited by Julien Barbay
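The nine-step workflow described in the issue, together with the "run only once" guard from the "Unrelated discovered bugs" section, as one added POSIX sh script. This is example code written for this page, not code from the original issue or from GitLab. It assumes two file-type CI variables that the post does not name, DEPLOY_KEY (the private deploy key) and SSH_KNOWN_HOSTS (the GitLab host's SSH public key line), plus GitLab's predefined CI_COMMIT_TAG, CI_DEFAULT_BRANCH, CI_SERVER_HOST and CI_PROJECT_PATH. Instead of an only:variables list (whose entries GitLab evaluates with OR, so the two-line guard above admits a job when either line matches) the script checks the tag shape itself: the v-prefixed tag pushed in step 9 fails that check and the second pipeline exits without publishing.

```shell
#!/bin/sh
# release.sh - added example for this page, not code from the original issue.
# Implements steps 3-9 of the workflow as the script of a tag-triggered GitLab CI job
# running in node:alpine. Assumed (not in the original post): file-type CI variables
# DEPLOY_KEY and SSH_KNOWN_HOSTS, and GitLab's predefined CI_* variables.
set -eu

# Steps 1/2: the tag a developer creates in the UI is X.Y.Z or X.Y.Z-rc.N, with no
# leading "v". The tag npm version pushes in step 9 is v-prefixed, so the pipeline that
# tag triggers fails this check and exits without publishing: no second release run.
is_trigger_tag() {
  printf '%s' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?$'
}

# The tag npm version will create for the same version (default tag-version-prefix is "v").
release_tag_for() {
  printf 'v%s' "$1"
}

# Step 5: the branch the tag lives on. Prefer the default branch when it contains the
# tag, otherwise the first remote branch that does.
branch_for_tag() {
  if git merge-base --is-ancestor "refs/tags/$1" "origin/${CI_DEFAULT_BRANCH}" 2>/dev/null; then
    printf '%s' "$CI_DEFAULT_BRANCH"
    return
  fi
  git branch -r --contains "refs/tags/$1" | sed -e '/->/d' -e 's#^ *origin/##' | head -n 1
}

# Step 3: install the deploy key. The host key comes from a pinned CI variable rather
# than ssh-keyscan at job time, so nothing between runner and server can swap the host.
setup_ssh() {
  mkdir -p "$HOME/.ssh"
  chmod 700 "$HOME/.ssh"
  cp "$DEPLOY_KEY" "$HOME/.ssh/id_deploy"
  chmod 600 "$HOME/.ssh/id_deploy"
  cp "$SSH_KNOWN_HOSTS" "$HOME/.ssh/known_hosts"
  export GIT_SSH_COMMAND="ssh -i $HOME/.ssh/id_deploy -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes"
}

main() {
  tag="$CI_COMMIT_TAG"
  if ! is_trigger_tag "$tag"; then
    echo "tag '$tag' is not an X.Y.Z trigger tag; nothing to do" >&2
    exit 0
  fi
  vtag="$(release_tag_for "$tag")"

  apk add --no-cache git openssh-client      # node:alpine ships neither
  setup_ssh
  git config --global user.name  "release deploy key"
  git config --global user.email "release@${CI_SERVER_HOST}"

  # Step 4: clone over SSH so the deploy key (not the job token) is the pushing identity.
  git clone "git@${CI_SERVER_HOST}:${CI_PROJECT_PATH}.git" release-checkout
  cd release-checkout
  branch="$(branch_for_tag "$tag")"
  [ -n "$branch" ] || { echo "no branch contains tag $tag" >&2; exit 1; }
  git checkout "$branch"

  # Step 6: drop the trigger tag locally and remotely so npm version can create the v-tag.
  git tag -d "$tag"
  git push origin ":refs/tags/$tag"

  # Step 7: version commit + tag vX.Y.Z. Step 8: publish. Step 9: push commit and tag.
  npm version "$tag" -m "release %s"
  npm publish
  git push origin "HEAD:refs/heads/$branch" "refs/tags/$vtag"
}

# Run the release only when GitLab has set CI_COMMIT_TAG, i.e. inside a tag pipeline.
if [ -n "${CI_COMMIT_TAG:-}" ]; then
  main
fi
```

The job in .gitlab-ci.yml needs nothing more than only: refs: tags and a script line of sh release.sh; every other condition lives in the script. Note that steps 8 and 9 are not truly atomic: if npm publish succeeds and the push is rejected, the registry holds a version the repository does not, so the push rejection should page someone rather than be retried blindly.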