Allow restricting runners to only be used within pipeline execution policies

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

• Label this issue
• Close this issue

Problem

Currently, there's no way to restrict specific runners to only be used when invoked via a pipeline execution policy. This limits governance capabilities around runner usage, particularly for sensitive operations like artifact publishing or controlled build processes.

Proposal

Enable the ability to designate certain runners as "policy-only" runners that can only be executed through pipeline execution policies. Any attempt to use these runners outside of a policy context would result in a blocked, stuck, or errored pipeline.

Use Cases

1. Controlled Artifact Publishing

• Create runners with credentials for publishing to binary repository managers (e.g., Artifactory)
• These runners would only be accessible via pipeline execution policies
• Application teams attempting to use these runners directly in their .gitlab-ci.yml would be blocked
• Ensures artifacts can only be published through approved, governed processes

2. Technology-Specific Build Components

• Create "build" components as pipeline execution policies targeted to specific technology types (Maven, .NET, Python, etc.)
• Implement conditional logic (e.g., "if branch is named release* and is protected, execute as a release build")
• Restrict these specialized build runners to only work within the policy context
• Prevents misuse of specialized build environments

Benefits

• Enhanced Governance: Additional layer of runner control beyond admin/group/project separation
• Security: Sensitive credentials and build environments can be isolated to policy-controlled contexts
• Compliance: Ensures critical operations follow approved processes
• Flexibility: Allows organizations to enforce standards while maintaining developer productivity

Customer Context

This request comes from a customer (internal link) implementing pipeline execution policies for artifact publishing and CI/CD component rollout. They need stronger governance controls to ensure runners with sensitive access are only used in approved contexts.