How to prevent a yml file from being modified

Hi all,

I have a problem with authority management.
Here's my situation:
A project has some submodules.
The submodules are libraries, and some members can't access them.

But if anyone pushes code to GitLab, the CI/CD is triggered.
The CI/CD yml file can script jobs to copy the submodule source code and send it to GitLab.
Finally, the source code can be downloaded.

All members can modify the yml file to do anything they want.
This makes the authority setting fail. I can't protect the libraries' source code.

Is there any method to prevent this?

Without more context, it sounds like if source protection is what you truly need then using binaries for library dependencies may be safer. I say this because if you are allowing users to push sources, then you’re also likely allowing the same users to modify build scripts where any arbitrary command can be executed. Even if you prevent modifications to the CI descriptor files, a user can still inject whatever they want into the scripts the CI invokes (such as inside a pom.xml, Makefile, etc.).

In any case, if the immediate goal is to not expose a .gitlab-ci.yml for users of the project to edit and use in their merge requests or branch commit builds, then you can elect to host it in a different project or even at an arbitrary remote HTTP(S) URL and skip keeping it inside your wider-visibility repository.


Thanks for @hchouraria’s reply.

Here's the situation.
The whole project structure on GitLab is (main project + submodules),
and the whole project on the server is in the same path.

Members can push main project code but have no permission to access the submodules (libraries). This means they can't push code to the submodules, either.

The yml file (located in the main project) will copy the built .a file to GitLab for members to download and use after the CI/CD process is done.

And here's the problem: by modifying the yml on any branch, a member can copy not only the .a file but also the whole submodule source code
(because they can push their own branch and execute CI/CD).

I think @hchouraria provided a good idea: isolate the submodules as an independent project. Maybe this is safer.

My other idea is to use the GitLab file lock function to lock the yml file.
But it needs Premium/Silver. It's too expensive for me. haha.
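The "binaries instead of sources" and "independent library project" ideas from both posts above, written out as a pair of pipeline configs. This is an added example, not config from the thread; it assumes the library is moved out of the main project (no longer a submodule, so the runner never checks out its sources), a hypothetical `make` target `libfoo.a`, a placeholder library project ID, and a deploy token with only the `read_package_registry` scope stored as a masked CI/CD variable `LIB_DEPLOY_TOKEN` in the main project.

```yaml
# --- Library project (restricted membership): .gitlab-ci.yml ---
# Builds the static library and publishes only the binary to this
# project's Generic Package Registry. The sources never leave here.
build-and-publish:
  stage: build
  script:
    - make libfoo.a                      # hypothetical build target
    - |
      curl --fail --header "JOB-TOKEN: $CI_JOB_TOKEN" \
        --upload-file libfoo.a \
        "$CI_API_V4_URL/projects/$CI_PROJECT_ID/packages/generic/libfoo/$CI_COMMIT_TAG/libfoo.a"
  rules:
    - if: $CI_COMMIT_TAG                 # publish only from tagged commits

---
# --- Main project (all members): .gitlab-ci.yml ---
# There is no submodule to check out any more, so whatever a member puts
# into this file, the job only ever sees the published .a, never the sources.
variables:
  GIT_SUBMODULE_STRATEGY: none
  LIB_PROJECT_ID: "12345"                # placeholder: library project ID
  LIB_VERSION: "1.2.0"                   # placeholder: tag published above

fetch-and-build:
  stage: build
  script:
    # LIB_DEPLOY_TOKEN can only read the package registry. If a member
    # echoes it from a modified pipeline, it still grants access to the
    # .a file they are allowed to download anyway, nothing more.
    - |
      curl --fail --header "DEPLOY-TOKEN: $LIB_DEPLOY_TOKEN" \
        --output libfoo.a \
        "$CI_API_V4_URL/projects/$LIB_PROJECT_ID/packages/generic/libfoo/$LIB_VERSION/libfoo.a"
    - make app LDFLAGS=-L. LDLIBS=-lfoo  # hypothetical application target
  artifacts:
    paths:
      - app
```

The `curl --fail` flags make the job fail loudly if the token is revoked or the version does not exist, which is preferable to silently linking against a stale copy.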