Add option to prevent new cache protection behavior that is based on user role
Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.
There was a recent "security fix" (Add protection suffix to cache depending on role (merge request)) which changed the behavior of deterministically separating gitlab caches based on branch protection. Now if the user who starts a pipeline job is a maintainer they always use the 'protected' cache. https://docs.gitlab.com/ci/caching/#cache-key-names
This change can cause unexpected and undesirable behavior when Gitlab projects are set up expecting that protected caches will only be written to by protected branches. Many premium customers (myself included) have been bit by this change (See discussions in #582071 (comment 2920099874)).
Rather than always making maintainer role use protected cache, it would be good to have a configuration setting in the Gitlab project that can be used to control this behavior or disable it.