Protect .gitlab-ci.yml from being changed by developers
`.gitlab-ci.yml` may contain rules to deploy the application to a production server and (usually) runs automatically after a push. It is not always desirable that any developer can change this.
What's needed to lock down the `.gitlab-ci.yml` can already be done with code owners, by using the "Require code owner approval" toggle available in gitlab-ce~2278657.
As long as the `CODEOWNERS` file itself is locked down with a code owner and "Require code owner approval" is checked, this can already be accomplished. Using this feature, different CI templates could even have different owners, allowing for more flexibility.
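A `CODEOWNERS` file implementing the setup described above, as an added example that is not part of the original issue (the group names and template paths are assumptions):

```text
# CODEOWNERS (added example, not from the issue). GitLab reads this file from
# the repository root, .gitlab/ or docs/. Group names below are assumptions.

# Lock the pipeline definition itself: once "Require code owner approval" is
# enabled on the protected branch, merge requests touching this file need an
# approval from the release group.
.gitlab-ci.yml            @example-org/release-engineering

# Lock this file as well; otherwise a merge request could simply rewrite the
# ownership rules in the same change that edits the pipeline.
CODEOWNERS                @example-org/security
.gitlab/CODEOWNERS        @example-org/security

# Different CI templates can have different owners.
/ci/deploy/*.yml          @example-org/release-engineering
/ci/test/*.yml            @example-org/qa
```

The toggle is set per protected branch, under the project's Settings > Repository > Protected branches.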
The one caveat is that `CODEOWNERS` is not sufficient as-is today to solve this problem, because users can still push changes to `.gitlab-ci.yml` and have pipelines for the merge request run with the changed `.gitlab-ci.yml`. What is needed is to block changes from reaching the remote branch, or at least to drop a pipeline immediately if unauthorized changes are made to a `.gitlab-ci.yml`. This is what this issue will change.
This could be expanded on in future iterations. Protecting `include`d files is an option for a future improvement (you can work around that for now by including files from a protected repo). Generally protecting arbitrary files is also interesting but brings in other UX considerations. For this iteration we are keeping things simple, but if these use cases are valuable to you please open an issue with your ideas.
Some organizations also may not fully trust code owners, and want an additional level of approval. This could also be expanded upon in a future release.