CI/CD: Allow tags on include statements
Release notes
Users can now specify a tag to be applied to all tasks that are run as part of an included YAML CI/CD configuration file.
Problem to solve
In our project, we have some CI tests on public projects that need to run on runners operating within a privileged network. Naturally, we do not want incoming MRs to be able to run jobs on this internal network. We also have some runners configured on "safe" networks that do not have access to sensitive information. We would like to be able to enforce that MR jobs are only permitted to run on those safe runners (or GitLab's shared runners).
Intended users
- Cameron (Compliance Manager)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
- Alex (Security Operations Engineer)
- Simone (Software Engineer in Test)
User experience goal
The user should be able to configure CI/CD Runners such that runners that require a higher level of access cannot be assigned arbitrary tasks in a merge request.
Proposal
We want to be able to specify a .gitlab-ci.yml file as follows:

```yaml
include:
  - project: 'myorg/ci-tasks'
    file: '/global-tasks.yml'
  - local: '/.project-ci.yml'
    tag: external
```
We would then configure the push rules to treat .gitlab-ci.yml as a "prohibited file" for pushes and merge requests. Any CI jobs added to .project-ci.yml would have the tag external added to them as part of their inclusion. We could then configure the project's group/specific runners such that only the "safe" runners carry the external tag, so they are the only runners that pick up jobs from the included file.
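The following script is an added illustration of the semantics this proposal asks for; it is not GitLab's code and the include-level tag does not exist in GitLab at the time of writing. Parsed YAML is represented as plain Python dicts, and the job names, runner names and tag sets are constructed sample data. `apply_include_tag` adds the include's tag to every job in the included file, and `eligible_runners` applies GitLab's existing matching rule (a runner must carry every tag a job lists) to show which runner can pick each job up:

```python
"""Simulation of the proposed include-level ``tag`` (constructed example)."""
from typing import Any, Dict, List

# Top-level keys that are global configuration rather than job definitions.
# 'pages' is a job name and is deliberately not listed here.
RESERVED_KEYS = {
    "stages", "variables", "include", "default", "workflow", "image",
    "services", "cache", "before_script", "after_script", "types",
}


def _as_tag_list(value: Any) -> List[str]:
    """Normalise a job's ``tags`` value (absent, string or list) to a fresh list."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return list(value)


def apply_include_tag(included: Dict[str, Any], tag: str) -> Dict[str, Any]:
    """Return a copy of ``included`` with ``tag`` appended to every job's tags.

    Assumption: hidden jobs (keys starting with '.') are treated as jobs too, so
    a template extended by a job in the main file still carries the tag.
    Existing tags are kept, not replaced: a job that asks for 'privileged' ends
    up requiring both 'privileged' and the include tag.
    """
    result: Dict[str, Any] = {}
    for name, body in included.items():
        if name in RESERVED_KEYS or not isinstance(body, dict):
            result[name] = body
            continue
        job = dict(body)
        tags = _as_tag_list(job.get("tags"))
        if tag not in tags:
            tags.append(tag)
        job["tags"] = tags
        result[name] = job
    return result


def runner_can_run(job_tags: List[str], runner_tags: List[str]) -> bool:
    """GitLab's matching rule: the runner must have every tag the job lists."""
    return set(job_tags) <= set(runner_tags)


def eligible_runners(config: Dict[str, Any],
                     runners: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each job in ``config`` to the runners allowed to execute it."""
    out: Dict[str, List[str]] = {}
    for name, body in config.items():
        if name in RESERVED_KEYS or not isinstance(body, dict):
            continue
        job_tags = _as_tag_list(body.get("tags"))
        out[name] = [r for r, rtags in runners.items()
                     if runner_can_run(job_tags, rtags)]
    return out


# Constructed stand-in for /.project-ci.yml as an MR author might submit it.
PROJECT_CI = {
    "stages": ["test"],
    "unit-tests": {"stage": "test", "script": ["make test"]},
    # A job in the MR-controlled file that asks for the privileged runner.
    "integration": {"stage": "test", "script": ["make integration"],
                    "tags": "privileged"},
}

# Constructed runner inventory: the tag sets registered on each runner.
RUNNERS = {
    "internal-runner": ["privileged"],  # inside the privileged network
    "safe-runner": ["external"],        # isolated network, no secrets
}


def main() -> None:
    merged = apply_include_tag(PROJECT_CI, "external")
    for job, runners in eligible_runners(merged, RUNNERS).items():
        print(f"{job}: tags={merged[job]['tags']} -> runners={runners or 'none'}")


if __name__ == "__main__":
    main()
```

Because tags are appended rather than replaced, a job in the included file that requests `privileged` now requires both `privileged` and `external`; no runner in the inventory carries both, so the job stays pending instead of landing on the internal network. That is the intended failure mode for this proposal.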
Further details
Permissions and Security
The proposed approach should not require any changes in permissions.
Documentation
This feature will require updates to the Runners documentation as well as to the include and tags sections of the CI/CD configuration documentation.