GitLab.com: can I allow users outside a project to run pipelines on MRs using non-shared runners?

We have an open-source project hosted on gitlab.com. We have CI set up and running on a mix of shared runners and private runners that are registered as group runners.

Right now, people who are not members of the project can submit merge requests and CI will run, but will only use the shared runners. This works OK, but our project is a large C++ application and running the pipeline takes a long time, so we would like to move off the shared runners in the future (pipeline runtime is dramatically faster on even a moderately-fast dedicated machine).

Is there any way to allow any user of gitlab.com (not just users who are granted some level of access to the project) to access group runners on a project when a merge request is created? I searched around but could not find any reference to this. If not, does anyone know if there is an existing GitLab feature request that is relevant?

We’d be fine with a solution that requires some kind of approval on a per-user basis, i.e. we could review first-time contributors and click a button that allows the pipeline to run (ideally this would be saved so that the user could then create additional MRs without requiring additional approval). We just don’t want to have to grant all these users a higher level of privilege on the project (we want them to in general maintain Guest access, except to be able to have private runners run their MR pipelines).

Thanks in advance for any advice!

I believe you can without much fuss (depends on params in the .gitlab-ci.yml), but I would recommend using a separate runner (even if on the same host, but separate hosts would be better), and I’d tighten down what that “untrusted” runner could do. In essence, if I can send in an MR that runs my code on your server, you either need to trust me, or trust that the system won’t let me do things I shouldn’t be able to.
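As an added illustration of the separate, tightened-down runner recommended in the reply above (not part of the original thread and not the poster's configuration), here is a GitLab Runner config.toml with one entry for member pipelines and a restricted Docker-executor entry for outside merge requests. The runner names, token placeholders, registry host, image name and resource limits are all assumptions.

```toml
# Constructed example: /etc/gitlab-runner/config.toml
# All names, tokens and image paths below are placeholders.
concurrent = 4

# Runner for pipelines started by project members (trusted code).
[[runners]]
  name = "trusted-builder"
  url = "https://gitlab.com/"
  token = "<TRUSTED_RUNNER_TOKEN>"
  executor = "docker"
  [runners.docker]
    image = "registry.example.com/cpp-build:latest"
    privileged = false
    volumes = ["/cache"]          # persistent build cache is acceptable here

# Separate runner for merge requests from non-members (untrusted code).
# Registered with its own token so it can be paused or removed on its own.
[[runners]]
  name = "untrusted-mr-builder"
  url = "https://gitlab.com/"
  token = "<UNTRUSTED_RUNNER_TOKEN>"
  executor = "docker"             # a fresh container per job, never "shell"
  limit = 2                       # cap concurrent untrusted jobs
  [runners.docker]
    image = "registry.example.com/cpp-build:latest"
    # Only this image family may be requested by a job's `image:` keyword.
    allowed_images = ["registry.example.com/cpp-build:*"]
    privileged = false            # no Docker-in-Docker, no host device access
    cap_drop = ["ALL"]            # drop Linux capabilities; relax if the build needs one
    security_opt = ["no-new-privileges"]
    pull_policy = "always"        # do not reuse a locally cached, possibly altered image
    disable_cache = true          # no cache volume shared between untrusted jobs
    volumes = []                  # no host paths and no /var/run/docker.sock
    memory = "8g"                 # bound resource use per job
    cpus = "4"
```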

Understood on the security part; is there any way (or maybe plans for the future that anyone knows about) for some kind of security model in-between “let any random person run code on my CI” and “add specific usernames as collaborators to the project”?

Ideally I want to take a glance at someone’s code, and then hit a button to enable CI for the MR. Maybe with a “trust this person” checkbox that stores the fact that they are allowed to run CI on our private runners.

That sounds like a great use case for the GL team to consider. I would open a feature request with that simple description of your use case.