
PoC: A checksum file for CI components


Summary - Why is this PoC needed?

Feature issue: #461075

A checksum file for the CI component tree used by a project in its CI config could give us many benefits, including improved security, performance, and possible features like a visualized dependency tree.

However, it is a complex feature, and we need to figure out how to implement it in a way that is effective and simple for users.

What does this PoC involve?

The PoC is completed when we have consensus on how to develop the following items:

  1. How will the checksum file be created?
    1. Option 1: When running a pipeline that uses include:component in a project that has checksums enabled and no checksum file, use the dependency tree of components gathered during the execution of the include to build a checksum file and save it in the project's repository
    2. Option 2: When a project has checksums enabled and no checksum file, fail pipelines until a checksum file is present. Provide a way to generate a checksum file using the dependency tree of components gathered during the execution of include:component and make an MR with the file
    3. What should we name the file? Possibilities: ci_checksum.lock, .gitlab_ci.lock, ...?
    4. Where will the file live? Proposal: In the repository root
  2. What will the structure of the checksum file be?
    1. Proposal: Use the commit SHA of each CI component to identify it in the checksum file. We may also need to store the version, so that we know when users want to update the checksum file
    2. Proposal: Use the structure of a Gemfile.lock for inspiration
  3. How will the checksum file be updated?
    1. Option 1: Automatically whenever a pipeline is run and a component version is used that doesn't match a version in the checksum file
    2. Option 2: Fail pipelines until the checksum file is updated using a feature we provide that makes an MR with the changes
  4. Demonstrate that components are fetched using the sha in a checksum file instead of the version in the .gitlab-ci.yml
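As an added example (not code from this issue or from GitLab), a small Ruby resolver for item 4 together with the mismatch check from item 3: it reads a constructed .gitlab-ci.yml and a lock file in a hypothetical Gemfile.lock-style layout, returns the SHA each include:component should be fetched by, and reports entries whose version is not covered by the lock. The lock layout and all component names are assumptions made for the example.

```ruby
require 'yaml'

# Constructed sample .gitlab-ci.yml; component names are made up for this example.
CI_CONFIG = <<~YAML
  include:
    - component: gitlab.com/example-group/sast/sast@1.2.0
    - component: gitlab.com/example-group/secret-detection/secret-detection@2.0.1
YAML
# Constructed lock file in a hypothetical Gemfile.lock-style layout (not a real GitLab format).
LOCK_FILE = <<~LOCK
  COMPONENTS
    gitlab.com/example-group/sast/sast@1.2.0
      sha: 0123456789abcdef0123456789abcdef01234567
    gitlab.com/example-group/secret-detection/secret-detection@2.0.0
      sha: 89abcdef0123456789abcdef0123456789abcdef
LOCK

# Parse the lock file into { "path@version" => commit sha }; reject anything malformed.
def parse_lock(text)
  lock = {}
  current = nil
  text.each_line do |line|
    next if line.strip.empty? || line.strip == 'COMPONENTS'
    if line =~ /\A {4}sha: ([0-9a-f]{40})\s*\z/
      raise ArgumentError, 'sha before any component' unless current
      lock[current] = $1
    elsif line =~ /\A {2}(\S+@\S+)\s*\z/
      current = $1
    else
      raise ArgumentError, "unparseable lock line: #{line.inspect}"
    end
  end
  lock
end

# Resolve include:component entries against the lock. Returns [pinned, drifted]:
# pinned maps component@version to the sha to fetch instead of the version;
# drifted maps uncovered entries to the locked entry for the same path (or nil).
def resolve_components(ci_yaml, lock_text)
  lock = parse_lock(lock_text)
  pinned, drifted = {}, {}
  YAML.safe_load(ci_yaml).fetch('include', []).each do |inc|
    ref = inc.is_a?(Hash) && inc['component'] or next # skip local/remote includes
    if lock.key?(ref)
      pinned[ref] = lock[ref]
    else
      path = ref.split('@', 2).first
      drifted[ref] = lock.keys.find { |k| k.start_with?("#{path}@") }
    end
  end
  [pinned, drifted]
end
```

Under Option 2 of item 3 a non-empty `drifted` result is the condition that fails the pipeline until the lock file is regenerated.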

Timebox Expectations

A few weeks for development. A few weeks for discussion and iteration.

Expected Outcomes
