Fine-grained controls for loading Secure Files in CI jobs

Now that the Secure Files API has shipped, the next area to focus on will be CI configuration / Runner integration. Below is a proposed keyword addition to the .gitlab-ci.yml file to support the capabilities outline below:

Capabilities

The basic capabilities needed would be:

  1. The ability to curate which jobs in a pipeline should load Secure Files
  2. The ability to automatically download all Secure Files for a project into the runner when the job starts
  3. The ability to limit the set of Secure Files to be loaded into a runner for a given job
  4. The ability to create a file in the Runner with specific file permissions (read_only, read_write, execute)

Proposal

The proposed change is to add a new keyword to job called secure_files. secure_files would have to options location, and files.

  • location is the location in the runner file system where the Secure File will be downloaded. It will default to ~/.secure_files if not defined.
  • files can either be * meaning all files, or an array of individual file names
    • The files array can also be broken out to support custom file permissions for each file. In which case, each entry in the array would contain a file key and a permissions key. Permissions can be read-only (default), read-write, or execute.

Examples

Below are a few examples of the proposed addition:

Load all secure files into the job

Downloads all files to the default ~/.secure_files folder in the runner

job:
  script: '...'
  secure_files: 
    files: '*'

Downloads all files to the specified ~/ios folder in the runner

job:
  script: '...'
  secure_files:
    location: 'ios' 
    files: '*'

Load specific files in to the job

Downloads the specified files to the ~/ios folder

job:
  script: '...'
  secure_files: 
    location: 'ios'
    files: 
      - 'upload-keystore.jks'
      - 'Development_com.gitlab.unfilteredMobile.mobileprovision'

Load specified files & set permissions, permissions defaults to read-only

Downloads the specified files to the ~/android folder, setting the execute permission for the upload-keystore.jks file.

job:
  script: '...'
  secure_files:
    location: 'ios'
    files: 
      - file: 'upload-keystore.jks'
        permissions: 'execute'
        path: 'android'
      - file: 'Development_com.gitlab.unfilteredMobile.mobileprovision'

I would appreciate any feedback folks have on this proposal, or if there are any other considerations that I've not included in this proposal, thanks!

Edited by Darby Frey