I’m currently developing a pipeline for a GitLab project.
The pipeline has 3 jobs:
In my build job I’m passing an SSH key to docker, so I can run composer install in it.
The SSH key is stored in a GitLab CI/CD file variable and it’s not marked as protected, because the build job also runs on unprotected branches in order to run the test job.
I cannot use deploy tokens, because the deploy job merges changes from main to TEST_BRANCH. From what I’ve seen, deploy tokens don’t have write_repository access.
Are there any security risks in this approach?
If there are any risks, please share any ideas to solve this.
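One way to narrow the exposure in the setup above, as an added example that is not part of the original post: keep an unprotected read-only deploy key for build/test, keep a separate protected key with write access for the deploy job, and hand the build key to docker through a BuildKit secret mount rather than a build argument. The variable names `SSH_BUILD_KEY`, `SSH_DEPLOY_KEY` and `SSH_KNOWN_HOSTS`, and the job layout, are assumptions.

```yaml
# .gitlab-ci.yml (added example). Assumed CI/CD variables, all of type "File":
#   SSH_BUILD_KEY   not protected: read-only deploy key, acceptable on every branch/MR
#   SSH_DEPLOY_KEY  protected + masked: key with write_repository rights, injected on protected refs only
#   SSH_KNOWN_HOSTS pinned host key of the GitLab server, so the deploy job never trusts on first use
stages: [build, test, deploy]

build:
  stage: build
  image: docker:24
  services: [docker:24-dind]
  variables:
    DOCKER_BUILDKIT: "1"
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    # Secret mount: the key exists only during the RUN step and is not written to an image layer
    # (a --build-arg value is recorded in the image history and readable by anyone who pulls the image).
    # Matching Dockerfile lines:
    #   # syntax=docker/dockerfile:1
    #   RUN --mount=type=secret,id=ssh_key,target=/root/.ssh/id_ed25519 composer install --no-dev
    - docker build --secret id=ssh_key,src="$SSH_BUILD_KEY" -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

test:
  stage: test
  image: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  script:
    - vendor/bin/phpunit

deploy:
  stage: deploy
  image: alpine:3.19
  variables:
    GIT_DEPTH: "0"          # full history, so the merge below does not hit a shallow clone
  rules:
    # Protected variables only exist on protected refs; refuse to run anywhere else.
    - if: $CI_COMMIT_BRANCH == "main" && $CI_COMMIT_REF_PROTECTED == "true"
  before_script:
    - apk add --no-cache git openssh-client
    - chmod 600 "$SSH_DEPLOY_KEY"
    - export GIT_SSH_COMMAND="ssh -i $SSH_DEPLOY_KEY -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$SSH_KNOWN_HOSTS"
    - git config user.email "ci@example.invalid"
    - git config user.name "CI deploy"
    - git remote set-url origin "git@$CI_SERVER_HOST:$CI_PROJECT_PATH.git"
  script:
    - git fetch origin main "$TEST_BRANCH"
    - git checkout -B "$TEST_BRANCH" "origin/$TEST_BRANCH"
    - git merge --no-edit origin/main
    - git push origin "$TEST_BRANCH"
```

With this split, a pipeline on an unprotected branch or merge request can at most read the read-only build key, and the key that can push to TEST_BRANCH is never injected into those jobs.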