Extend tag protection to deploy keys
Use case / Context
I'm managing a growing team and need to enhance our workflows for the security of the codebase during our growth. We are producing an npm package released on the npm registry.
The proper way to automate CI/CD is to build a "publish" pipeline (which ultimately calls `npm publish`) triggered by a version tag (let's say v1.0.0). In order to produce that tag, a developer needs to execute `npm version 1.0.0 && git push --tags` and everything should be fine.
The problem with that command is that it implies leaving the target branch unprotected so they can push to it, which is a problem for the stability of our codebase in the mid/long term.
My goal is to keep that protection as much as possible and limit the action of pushing to a unique set of deploy keys which I can control. In the end the process for creating a release should be that developers need to go to the GitLab web UI to create tags which would trigger the publishing job (but it's a chicken-and-egg problem since `npm version` is the one to create the version tag).
Ultimately, I succeeded by creating a workflow which:
- From the GitLab UI, a developer creates a 1.0.0 tag
- The creation of the 1.0.0 (without v) tag triggers a pipeline
- The pipeline uses node:alpine, in which it installs git + openssh and the private deploy key
- It clones the repo (once more, I know...)
- Finds the branch where the tag lives and checks it out
- Deletes the 1.0.0 tag locally and remotely
- Calls `npm version` with the same tag (with v, this time)
- Calls `npm publish` on npm
- Pushes back the new version commit + tag to the repo
It's tough, but it works. It succeeds in:
- Keeping the protection lock on the main branch against pushes from "anyone except the deploy key set"
- Increasing the package version in the git repo + deploying to the npm registry in one atomic action (as opposed to git push + pipeline being separate steps)
Now what I'm missing is to protect those version tags from update/delete. I know that I can use Protected tags, but those do not allow specifying a deploy key as the unique creator of those tags.
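The release job described above, written out as an added example (this is not the issue author's script or GitLab's code). It assumes the job runs on the bare UI tag in `$CI_COMMIT_TAG`, that the private deploy key is provided as a CI variable named `DEPLOY_KEY` and a pre-recorded host key as `SSH_KNOWN_HOSTS` (both assumed names), and that `$CI_SERVER_HOST` / `$CI_PROJECT_PATH` are GitLab's predefined variables. The two helper functions validate the tag and locate its branch without guessing; the `release` function runs the actual git/npm steps only when the script is invoked with a tag argument.

```shell
#!/bin/sh
# Added example of the tag-triggered release job; not the original pipeline.
# Assumed CI variables: DEPLOY_KEY (private deploy key), SSH_KNOWN_HOSTS
# (pinned host key line for the GitLab server). CI_COMMIT_TAG, CI_SERVER_HOST
# and CI_PROJECT_PATH are GitLab predefined variables.
set -eu

# Accept only a bare X.Y.Z (optionally -rc.N) tag created from the UI and
# print the v-prefixed tag that `npm version` will create. Fails on a tag
# that already carries the prefix, so a re-pushed vX.Y.Z never re-enters.
to_version_tag() {
  case "$1" in
    v*) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?$' || return 1
  printf 'v%s\n' "$1"
}

# Given the output of `git branch -r --contains <tag>`, print the single
# remote branch (without "origin/") that contains the tag. Fails when the
# tag is reachable from zero or several branches rather than picking one.
branch_for_tag() {
  branches=$(printf '%s\n' "$1" \
    | sed -e 's/^[ *]*//' -e 's|^origin/||' \
    | grep -v 'HEAD ->' | grep -v '^$' || true)
  count=$(printf '%s\n' "$branches" | grep -c . || true)
  [ "$count" -eq 1 ] || return 1
  printf '%s\n' "$branches"
}

release() {
  bare_tag=$1
  vtag=$(to_version_tag "$bare_tag")

  # Install the deploy key; pin the server host key from a CI variable
  # instead of trusting whatever ssh-keyscan returns on first contact.
  mkdir -p ~/.ssh && chmod 700 ~/.ssh
  printf '%s\n' "$DEPLOY_KEY" > ~/.ssh/id_ed25519
  chmod 600 ~/.ssh/id_ed25519
  printf '%s\n' "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts

  # Fresh clone over SSH so every push below is authenticated by the deploy key.
  git clone "git@$CI_SERVER_HOST:$CI_PROJECT_PATH.git" repo
  cd repo
  git config user.name "release-bot"
  git config user.email "release-bot@example.invalid"

  branch=$(branch_for_tag "$(git branch -r --contains "$bare_tag")")
  git checkout "$branch"

  # Drop the bare UI tag locally and remotely; npm version recreates it as vX.Y.Z.
  git tag -d "$bare_tag"
  git push origin ":refs/tags/$bare_tag"

  # Bump package.json, commit, tag (v-prefixed), publish, then push commit + tag.
  npm version "$bare_tag"
  npm publish
  git push origin "$branch" "$vtag"
}

# Only perform the release when a tag is passed explicitly (e.g. "$CI_COMMIT_TAG").
if [ "$#" -gt 0 ]; then
  release "$1"
fi
```

Because the tag created from the UI is bare (`1.0.0`) and the tag pushed back by the job is prefixed (`v1.0.0`), a job rule that matches only bare `X.Y.Z` tags is enough to keep the pushed-back tag from starting a second pipeline.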
Proposal
Allow Protected tags to be strictly created by deploy keys.
Unrelated discovered bugs
On a side note, since my job is triggered by a tag, and pushes back a tag, I wanted to use the following rule, but it ended up not working:
```yaml
only:
  refs:
    - tags
  variables:
    # checks if the tag is vX.Y.Z
    - $CI_COMMIT_TAG =~ /(?i)^v[0-9]+\.[0-9]+\.[0-9]+(-rc.[0-9]+)?$/
    # checks that the commit message is *not* X.Y.Z (to avoid running the pipeline a 2nd time after step 9.)
    - $CI_COMMIT_MESSAGE !~ /(?i)^v[0-9]+\.[0-9]+\.[0-9]+(-rc.[0-9]+)?$/
```