Do not create pipeline when the push is authorised for CI JOB token
What does this MR do and why?
This MR prevents CI pipelines from being created when commits are pushed using CI JOB TOKEN authentication. This addresses potential infinite pipeline loops and security concerns where CI jobs could trigger additional pipelines.
Changes Made
Core Implementation
- Authentication Context Propagation: Added authentication_context parameter throughout the git push flow to track authentication method and build ID
- Gitaly Context Handling: Implemented gitaly_context parameter passing from Workhorse → Rails to identify CI job-initiated pushes
- Pipeline Prevention: Added validation in Gitlab::Ci::Pipeline::Chain::Validate::Abilities to block pipeline creation when glBuildId is present
Fixes #475705 (closed)
How to set up and validate locally
- In rails console enable the feature flag: Feature.enable(:allow_push_repository_for_job_token)
- Select a project and go to Settings -> CI/CD settings -> Job token permissions
- Check the "Allow Git push requests to the repository" option
- Add the following .gitlab-ci.yml:

```yaml
stages:
  - update

update-readme:
  stage: update
  image: alpine:latest
  before_script:
    - apk add --no-cache git
    - git config --global user.email "ci@example.com"
    - git config --global user.name "GitLab CI"
    # Authenticate the push with the job's own CI_JOB_TOKEN
    - git remote set-url origin "https://gitlab-ci-token:${CI_JOB_TOKEN}@gdk.test:3000/${CI_PROJECT_PATH}.git"
  script: |
    # Fail the job immediately when EXIT_LOOP_NOW is set to 1
    [ "$EXIT_LOOP_NOW" = "1" ] && exit 1 || true
    echo -e "\n## Update $(date)" >> README.md
    git add README.md
    git commit -m "Update README.md with date"
    # Disables TLS certificate verification for the push to gdk.test
    git config --global http.sslVerify false
    git push origin HEAD:$CI_COMMIT_REF_NAME -v
```

- Make sure that the commits from CI don't create subsequent pipelines
Screenshots or screen recordings
Before | After |
---|---|
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
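
The loop this MR breaks, as an added Ruby model that is not GitLab's code: a push made with a job token carries the build ID in its context, and the pipeline step refuses such pushes. Every name here is hypothetical except the glBuildId key taken from the description above, and the pipeline cap exists only so the unguarded run terminates.

```ruby
# Added illustration, not GitLab source. All names are hypothetical except
# the glBuildId key, which the MR description mentions.
Push = Struct.new(:sha, :gitaly_context)

# Models the validation step: refuse a pipeline when the push carries a build ID.
def pipeline_allowed?(push, guard:)
  return true unless guard
  build_id = push.gitaly_context["glBuildId"]
  build_id.nil? || build_id.to_s.empty?
end

# Models a job like update-readme: it commits and pushes with its job token,
# so the resulting push is tagged with the ID of the build that made it.
def job_push(build_id, parent_sha)
  Push.new("#{parent_sha}+", { "glBuildId" => build_id })
end

# Returns how many pipelines run after a single human push.
# max_pipelines is a safety cap so the unguarded case terminates.
def simulate(guard:, max_pipelines: 10)
  queue = [Push.new("c0", {})] # human push: no build ID in its context
  created = 0
  next_build_id = 100
  until queue.empty? || created >= max_pipelines
    push = queue.shift
    next unless pipeline_allowed?(push, guard: guard)
    created += 1
    next_build_id += 1
    queue << job_push(next_build_id, push.sha) # the job pushes back to the repo
  end
  created
end

puts "without guard: #{simulate(guard: false)} pipelines (stopped by cap)"
puts "with guard:    #{simulate(guard: true)} pipeline"
```
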