Pipeline permissions should be separate from push/merge
Problem
Users who do not have push or merge permissions on a branch do not have the ability to run a pipeline. This may be necessary in cases where the pipelines are triggered by other pipelines upstream, or simply need to be re-run post-merge.
Steps to reproduce
- Create a project and protect a branch.
- Attempt to run a pipeline as a user who does not have merge or push permissions to the branch.
Proposal(s)
Add a permission to protected branches to run pipelines but not push
Currently, protecting a branch also means disabling the ability to run pipelines. There are many reasons why someone who does not have direct push permissions may need to re-run a pipeline. The permission level for pipeline execution on protected branches should be a separate option.
Challenges to consider
- Users that don't have the ability to push to master (or any protected branches) cannot run a pipeline today. This is primarily due to the fact that running a pipeline on a protected branch would expose protected variables.
  - However, a namespace owner does have permissions to see protected CI/CD variables in a project but can't push to master due to protection rules. See gitlab-runner!5409 (comment 2391149458).
