Container registry image/tag protection
GitLab provides a way to have protected branches and protected environment variables, so unauthorized users cannot just create a pull request, trigger a job and compromise the deployment environment variables (trivial example, but you get the point).
Is there a similar thing for the container registry?
What if I only want CI jobs that are on master branch to be able to push images to the root image?
I have not tested yet, but is this protected?
Because if it is not, it seems like a very nice point of failure from the security point of view.
One could just create a PR that modifies the CI definition file, build an image with malicious code and push it to the registry.
I hope I’m incorrect about this, but at the moment I’m rather concerned.
I’d appreciate any input on this.