Fine-grained controls for loading Secure Files in CI jobs
Now that the Secure Files API has shipped, the next area to focus on will be CI configuration / Runner integration. Below is a proposed keyword addition to the .gitlab-ci.yml
file to support the capabilities outline below:
Capabilities
The basic capabilities needed would be:
- The ability to curate which jobs in a pipeline should load Secure Files
- The ability to automatically download all Secure Files for a project into the runner when the job starts
- The ability to limit the set of Secure Files to be loaded into a runner for a given job
- The ability to create a file in the Runner with specific file permissions (read_only, read_write, execute)
Proposal
The proposed change is to add a new keyword to job
called secure_files
. secure_files
would have to options location
, and files
.
-
location
is the location in the runner file system where the Secure File will be downloaded. It will default to~/.secure_files
if not defined. -
files
can either be*
meaning all files, or an array of individual file names- The
files
array can also be broken out to support custom file permissions for each file. In which case, each entry in the array would contain afile
key and apermissions
key. Permissions can beread-only
(default),read-write
, orexecute
.
- The
Examples
Below are a few examples of the proposed addition:
Load all secure files into the job
Downloads all files to the default ~/.secure_files
folder in the runner
job:
script: '...'
secure_files:
files: '*'
Downloads all files to the specified ~/ios
folder in the runner
job:
script: '...'
secure_files:
location: 'ios'
files: '*'
Load specific files in to the job
Downloads the specified files to the ~/ios
folder
job:
script: '...'
secure_files:
location: 'ios'
files:
- 'upload-keystore.jks'
- 'Development_com.gitlab.unfilteredMobile.mobileprovision'
Load specified files & set permissions, permissions defaults to read-only
Downloads the specified files to the ~/android
folder, setting the execute permission for the upload-keystore.jks file.
job:
script: '...'
secure_files:
location: 'ios'
files:
- file: 'upload-keystore.jks'
permissions: 'execute'
path: 'android'
- file: 'Development_com.gitlab.unfilteredMobile.mobileprovision'
I would appreciate any feedback folks have on this proposal, or if there are any other considerations that I've not included in this proposal, thanks!