
Do not allow CI to authorize with no actor

Allison Browne requested to merge remove-userless-ci into master

What does this MR do and why?

In the past we allowed CI to authorize without an actor.

This is no longer allowed but we left it around for backward compatibility. https://gitlab.com/gitlab-org/gitlab/-/blob/0df104f0c72ef838c5d2f5c04de4763cb3a73a79/lib/gitlab/auth.rb#L317

We have been logging for a few months if this code is ever hit and haven't seen any hits. !92935 (merged)

Now we can take the next step and explicitly ban this operation.

See the Issue for additional context around 'why': https://gitlab.com/gitlab-org/gitlab/-/issues/363711

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Allison Browne
