Cleaning up Builds Directory / Preventing Cross-Project Snooping in Shell Runner

Cleaning up After Runs in Shell Runner?

I feel like this would be a question that has been asked a lot, but I cannot seem to find a search phrase that talks about it…

GitLab: 15.5.9-ee (self-managed)
Runner: 15.7.1

I have a shell runner that is shared by multiple projects, in this case by students doing CI as they build their assignments.

Builds are done in {builds_dir}/$RUNNER_TOKEN_KEY/$CONCURRENT_ID/$NAMESPACE/$PROJECT_NAME
and are not removed after the CI pipeline finishes.

One implication I discovered was that I periodically had to clean up the builds directory when the disk filled up. However, I recently discovered a more problematic aspect: since the path for a particular project is predictable, a CI job can do a “cp …/…/…/…/someotherproject/stuffinotherproject.code .”. I feel like this is such an obvious problem for keeping people from snooping on each other's Private projects that either I missed a config variable, a design principle, or something.

Is the answer “If you do not like this behaviour, stop using the shell executor”? (We are using the shell executor so that the students can have their CI jobs run in the same environment they are using on the command line. We might need to reconsider this decision.)

On one hand, a GitLab instance and its associated runners usually all belong to the same team, so snooping is not really a big deal. On the other hand, this makes for a rather messy situation if you are hoping to test in a clean environment, without the possibility of overlooked dependencies on things left hanging around that another developer may since have removed from the repository.

Since the question template suggests including a .gitlab-ci.yml, here is a concrete example:


stages:          # List of stages for jobs, and their order of execution
  - build
  - test
  - deploy

build-job:       # This job runs in the build stage, which runs first.
  stage: build
  tags:
    - ugrad      # picked up by the shared shell runner
  script:
    - echo "Compiling the code..."
    # The relative path walks out of this project's checkout and into another
    # project's leftover checkout under the same builds directory.
    - gcc -o myexec ../../courses/2023-winter/csci-9000/lab5/someoneelse/array_list/array_list.c  myassignment.c
    - echo "Compile complete."
  artifacts:
    paths:
      - myexec   # hand the binary to the next stage instead of relying on the build dir surviving

unit-test-job:   # This job runs in the test stage.
  stage: test    # It only starts when the job in the build stage completes successfully.
  tags:
    - ugrad      # same runner, so the same builds directory and the same Unix user
  script:
    - ./myexec > output
    - if cmp output expected-output ; then echo "Pass"; else echo "Fail"; fi

So, am I missing something, or is the answer “Yep, that is how it works”?

Thanks to anyone who can comment. (Again, I am sorry if it is a dumb question that has already been asked.)
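The layout and the cross-project read described in the post, as an added example that is not part of the original post or of GitLab Runner itself. It builds a constructed mock of the shell executor's builds tree ({builds_dir}/$RUNNER_TOKEN_KEY/$CONCURRENT_ID/$NAMESPACE/$PROJECT_NAME; the token key tok_abc123, the lab5 namespace and the student names are made up), shows that a relative path from one student's checkout resolves to a readable file in another student's leftover checkout because both run as the runner's Unix user, and gives an administrator-side sweep that finds and removes every leftover checkout. The sweep only shrinks the window: checkouts of jobs that are currently running still sit beside each other, so it is a stopgap rather than isolation.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Models the shell-executor
# builds layout with a constructed tree under mktemp and demonstrates
# (a) the cross-project read and (b) a runner-side sweep of leftover checkouts.
set -eu

# Constructed sample tree; token key, namespace and student names are made up.
make_mock_builds_dir() {
    local root slot
    root=$(mktemp -d)
    slot="$root/tok_abc123/0"                       # one concurrency slot
    # Leftover checkout from another student's earlier pipeline.
    mkdir -p "$slot/lab5/someoneelse/array_list/.git"
    printf 'int secret_array[] = {1, 2, 3};\n' \
        > "$slot/lab5/someoneelse/array_list/array_list.c"
    # Checkout for the job that is about to run.
    mkdir -p "$slot/lab5/me/myassignment/.git"
    printf 'int main(void) { return 0; }\n' \
        > "$slot/lab5/me/myassignment/myassignment.c"
    printf '%s\n' "$root"
}

# Every directory that holds a .git is a checkout still sitting on disk.
list_checkouts() {
    find "$1" -type d -name .git -prune -exec dirname {} \; | sort
}

count_checkouts() {
    list_checkouts "$1" | wc -l | tr -d ' '
}

# Return 0 if the file reached by REL from PROJECT_DIR is readable, i.e.
# whether a `cp ../../other/file .` in a job script would succeed.
sibling_readable() {
    local project_dir=$1 rel=$2
    [ -r "$project_dir/$rel" ]
}

# Remove every checkout under BUILDS_DIR and print how many were removed.
# Run this from cron or a runner-side hook, not from the job: a job can only
# delete its own tree, and only if it chooses to.
sweep_checkouts() {
    local n=0 d tmp
    tmp=$(mktemp)
    list_checkouts "$1" > "$tmp"
    while IFS= read -r d; do
        rm -rf -- "$d"
        n=$((n + 1))
    done < "$tmp"
    rm -f -- "$tmp"
    printf '%s\n' "$n"
}

# Stand-alone demonstration on the mock tree.
demo() {
    local root me
    root=$(make_mock_builds_dir)
    me="$root/tok_abc123/0/lab5/me/myassignment"
    printf 'checkouts before sweep: %s\n' "$(count_checkouts "$root")"
    if sibling_readable "$me" ../../someoneelse/array_list/array_list.c; then
        printf 'job in %s can read another student'\''s source\n' "$me"
    fi
    printf 'checkouts removed: %s\n' "$(sweep_checkouts "$root")"
    printf 'checkouts after sweep: %s\n' "$(count_checkouts "$root")"
    rm -rf -- "$root"
}

demo
```

On a real runner host, point sweep_checkouts at the runner's builds_dir from a cron job that runs when no pipelines are active, since it cannot tell a leftover checkout from one a job is using right now. Nothing here changes the fact that all jobs share one Unix user; only separate runner users per course or a per-job executor removes the read itself.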
