Feature Request: Ability to configure delete pipeline / erase job trace option at instance level
Problem to be solved
The customer has a compliance requirement to retain all build artifacts, and job execution logs from GitLab pipelines for a certain number of years. While they can use expires_in
to set that up, all of that get deleted when a pipeline is deleted so they need to be able to disable pipeline deletion. At present they don't have any mitigation in place for this.
Additional Details
Presently, the feature to delete the pipeline
, erase job trace
is enabled by default and it's not possible to configure(toggle off/on) those features at the instance/group level.
As per the docs on GitLab CI/CD permissions:
The ability to erase the job artifacts and logs rely on the role the user has within the project:
- Users with Maintainer and above permissions can erase the job artifacts.
- Users with Developer permissions will be able to delete the job artifacts and logs only if the job was triggered by that specific user.
As of now, the option to delete the job logs
, artifacts
, pipelines
is not configurable. Customers with constrained internal retention policies would like to have an option to disable the delete pipelines
, erase job logs
button.
Docs:
Proposal
- Create a feature flag a self managed user can use to turn off this ability at the instance level.
- Create documentation for this feature flag in admin section
Workaround
Configure consolidated object storage and enable versioning: GitLab supports using an object storage service for holding numerous types of data. We can configure the GitLab instance to store the job artifacts and logs in the AWS S3 bucket. If versioning is enabled in the S3 bucket, the job logs will be persistent in the bucket even after deleting the artifacts/logs from the GitLab UI.