Backend: `artifacts:public` support for SaaS customers
Summary
`artifacts:public` is only supported for self-managed customers; this feature also needs to be enabled for SaaS customers. However, the initial implementation is not built in a way that would be safe to enable in production, and even if it worked without a major performance degradation, it would hinder our progress on various CI/CD initiatives around extending our database capacity.
Using `artifacts:public` in `.gitlab-ci.yml` and setting it to `public: false` should deny access to download artifacts (only `job_artifacts_archive` `/archive.zip`) to guests and anonymous users of public projects even if pipelines are public. This allows users to specify artifacts that are needed for the pipeline but are not fit for public consumption (for instance, intermediary build artifacts or artifacts containing sensitive information).
Why this matters and how we measure
This falls under Advanced Security and Compliance. Our current roles and permissions allow non-members access to public projects/pipeline artifacts, but there are no settings/controls to limit this access.
Proposal
Performance Considerations
Out of Scope
Acceptance Criteria
Additional details
Some relevant technical details, if applicable, such as:
- Does this need a feature flag?
- Does there need to be an associated instrumentation issue created related to this work?
- Is there an example response showing the data structure that should be returned (new endpoints only)?
- What permissions should be used?
- Which tier(s) is this for?
- Additional comments:
Implementation Table
Group | Issue Link |
---|---|
backend | |
frontend | Issue Title |
documentation | Issue Title |
Instrumentation | Issue Title |