I have a private project on gitlab.com and it has lots of “Publicly accessible deploy keys” that I didn’t add. I googled this problem but there is only one reference:
“Global Shared Deploy keys allow read-only or read-write (if enabled) access to be configured on any repository in the entire GitLab installation.” [emphasis mine]
I have the same question. It’s quite worrying. Is our private repo exposed to some public services?
Have you found out more about this? Actually it seems that you have to enable them first. So by default, they are disabled.
This is really horrible/dangerous UX IMO. It’s extremely alarming to browse to the deploy keys section of your private repository and see a bunch of “public deploy keys” already added there. Either the messaging on that page or the documentation should be changed to clarify what’s happening. E.g., can anyone with the associated private key of one of those public keys access our private repo? Seems like the answer is “no, unless you enable the key”, but it’s not immediately clear from the page or the docs.
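One way to check which deploy keys are actually enabled on a project, rather than merely offered on the settings page (an added example, not part of the original thread and not GitLab's own code). It assumes GitLab's `GET /projects/:id/deploy_keys` REST endpoint returns only the keys enabled on that project; the sample response, key titles and allow-list below are constructed.

```python
import json
import urllib.parse
import urllib.request


def fetch_enabled_deploy_keys(base_url, project, token):
    """Call GET /projects/:id/deploy_keys (needs network access and an API token).

    Only the first page (up to 100 keys) is fetched in this sketch.
    """
    pid = urllib.parse.quote(str(project), safe="")  # numeric id or "group/name" path
    req = urllib.request.Request(
        f"{base_url}/api/v4/projects/{pid}/deploy_keys?per_page=100",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def audit_deploy_keys(keys, expected_titles):
    """Report enabled keys that are not on the allow-list or that can push."""
    unexpected = sorted(k["title"] for k in keys if k["title"] not in expected_titles)
    writable = sorted(k["title"] for k in keys if k.get("can_push"))
    return {"enabled": len(keys), "unexpected": unexpected, "writable": writable}


# Constructed sample of the endpoint's JSON response (not real keys).
SAMPLE_RESPONSE = json.loads("""
[
  {"id": 1, "title": "ci-runner",
   "key": "ssh-ed25519 CONSTRUCTED-PLACEHOLDER-1", "can_push": false},
  {"id": 2, "title": "shared-backup",
   "key": "ssh-ed25519 CONSTRUCTED-PLACEHOLDER-2", "can_push": true}
]
""")

if __name__ == "__main__":
    # Hypothetical allow-list: the only key this project is supposed to have enabled.
    report = audit_deploy_keys(SAMPLE_RESPONSE, expected_titles={"ci-runner"})
    print(json.dumps(report, indent=2))
```

An empty list from the endpoint means no deploy key, public or otherwise, has been enabled on the project.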