Add "Run Pipeline" as a customizable permission

Problem to solve

Users who do not have push or merge permissions on a branch do not have the ability to run a pipeline. This may be applicable for test teams who do not need to contribute code but run pipelines. Also, this may be necessary in cases where the pipelines are triggered by other pipelines upstream, or simply need to be re-run post-merge.

This is also applicable when using CI_JOB_TOKEN in a multi-project pipeline. A challenge for users is that they may have a source code project and a deploy project. Organizations do not want to grant Developer+ permissions to the deploy project, and just want the upstream project to be able to trigger this. If the user has this permission on both projects, it should run both upstream and downstream pipelines.

Proposed Permission

Add Run pipeline permission for custom roles. If a user is added to a project with this custom role, they can trigger a pipeline at any time regardless of their repository permissions (push/merge).

CI_JOB_TOKEN inherits the user's permissions, so by default, if a user has this permission on the project, a pipeline triggered by a token should run regardless of repository permissions.

Proposal and User Experience

Group Actions Project Actions
N/A

Write Requirements

  • UI: Run a pipeline
  • CI_JOB_TOKEN: Trigger a pipeline

Read Requirements:

  • Pipelines
  • Jobs

Views+Workflows include:

  • Base + Permission

Impacted APIs

Notes

Evidence

Documentation

  • Permission Title: "Run a pipeline"
  • Permission Name: run_cicd_pipeline
  • Permission Description: "Ability to run a pipeline. This allows the ability to start a pipeline regardless of repository permissions."
  • Update prerequisites for feature documentation. Include links to feature pages.
Edited by Joe Randazzo