I am exploring the capabilities of GitLab CI/CD in a private instance and I’m concerned about security with a specific use case: suppose I have a project with a .gitlab-ci.yml file. Is it right that any project developer can
- add a git submodule for another project using “relative” paths, maybe a project for which that developer doesn’t have permissions
- add a new pipeline job which creates a tar from the submodule path and sets it as the artifact
- download the artifact and access the “private” project sources
I tried this and it seems to be feasible. Is there any way to prevent this?
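
A review-side check for the submodule step described in the question, as an added example that is not part of the original post: it parses `.gitmodules` content, resolves relative submodule URLs against the project's own path, and reports any that point at a project outside an allowlist. The function names, project paths, allowlist and sample `.gitmodules` content are all constructed for illustration.

```python
import posixpath
import re

SECTION = re.compile(r'^\[submodule\s+"(.+)"\]$')

def parse_gitmodules(text):
    """Return {submodule_name: {key: value}} from .gitmodules content."""
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = SECTION.match(line)
        if header:
            current = modules.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return modules

def unapproved_relative_submodules(text, project_path, allowed):
    """List (name, resolved_project) for relative URLs outside the allowlist."""
    findings = []
    for name, cfg in parse_gitmodules(text).items():
        url = cfg.get("url", "")
        if not url.startswith(("./", "../")):
            continue  # absolute URLs are out of scope for this check
        # Relative URLs are resolved against the superproject's own location.
        resolved = posixpath.normpath(posixpath.join(project_path, url))
        if resolved.endswith(".git"):
            resolved = resolved[:-4]
        if resolved not in allowed:
            findings.append((name, resolved))
    return findings

# Constructed sample: one approved sibling project, one in another group.
SAMPLE = '''
[submodule "vendor/shared"]
	path = vendor/shared
	url = ../shared-lib.git
[submodule "vendor/other"]
	path = vendor/other
	url = ../../finance/payroll.git
'''

if __name__ == "__main__":
    approved = {"platform/shared-lib"}  # assumed allowlist for project platform/app
    for name, target in unapproved_relative_submodules(SAMPLE, "platform/app", approved):
        print(f"review needed: submodule {name!r} resolves to {target!r}")
```

A check like this only flags the change for review; it does not alter which repositories a pipeline job is able to clone.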