Is it possible to have GitLab CI jobs that would automatically sign built code with a certificate, but restrict it so it is done only when certain rules are fulfilled?
The goal is to not allow users access to the private key and to not sign unapproved projects.
I was thinking that to sign code, the project must be:
- in group X
- on project whitelist
- a tag (not branch)
But almost immediately I thought of bypassing it by either modifying .gitlab-ci.yml (if rules are defined there) or replacing the whole project content on a branch with another non-whitelisted project and creating a tag.
Are there any tools in GitLab that can help with that problem?
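
The three conditions listed in the question, written as a check that a signing service outside the repository could apply to the claims of a GitLab CI ID token. This is an added example, not part of the original post: the signing service, `signing_decision`, the group and project names and the extra protected-ref check are assumptions, and the token's signature, issuer and expiry are assumed to have been verified before this code runs.

```python
# Added example: policy check for a hypothetical signing service that holds the
# private key. It lives outside the repository, so editing .gitlab-ci.yml does
# not change it. Input: claims of a GitLab CI ID token that the caller has
# ALREADY verified (signature, issuer, expiry); that step is not shown.

ALLOWED_GROUP = "group-x"  # constructed name standing in for "group X"
PROJECT_ALLOWLIST = {"group-x/app-one", "group-x/tools/installer"}  # constructed


def signing_decision(claims):
    """Return (allowed, reasons_for_refusal) for one CI job."""
    reasons = []
    namespace = claims.get("namespace_path", "")

    # Rule 1: project is in group X (the group itself or one of its subgroups).
    # The trailing "/" stops "group-xylophone" from matching "group-x".
    if namespace != ALLOWED_GROUP and not namespace.startswith(ALLOWED_GROUP + "/"):
        reasons.append("project is not in the allowed group")
    # Rule 2: project is on the allowlist (exact match, no prefixes or globs).
    if claims.get("project_path") not in PROJECT_ALLOWLIST:
        reasons.append("project is not on the allowlist")
    # Rule 3: the pipeline runs for a tag, not a branch.
    if claims.get("ref_type") != "tag":
        reasons.append("ref is not a tag")
    # Extra check (assumption, not in the post): the ref must be protected, so
    # only users allowed to create protected tags can trigger signing.
    # The claim arrives as the string "true" or "false".
    if str(claims.get("ref_protected")).lower() != "true":
        reasons.append("ref is not protected")
    return (not reasons, reasons)


# Constructed sample claims, not taken from a real pipeline.
SAMPLE_JOBS = {
    "release_tag": {"namespace_path": "group-x", "project_path": "group-x/app-one",
                    "ref": "v1.2.0", "ref_type": "tag", "ref_protected": "true"},
    "branch_build": {"namespace_path": "group-x", "project_path": "group-x/app-one",
                     "ref": "main", "ref_type": "branch", "ref_protected": "true"},
    "other_group": {"namespace_path": "group-y", "project_path": "group-y/app-one",
                    "ref": "v9.9.9", "ref_type": "tag", "ref_protected": "false"},
    "lookalike": {"namespace_path": "group-xylophone",
                  "project_path": "group-xylophone/app-one",
                  "ref": "v1.0.0", "ref_type": "tag", "ref_protected": "true"},
}

if __name__ == "__main__":
    for name, job_claims in SAMPLE_JOBS.items():
        print(name, signing_decision(job_claims))
```

The check decides from claims GitLab issues for the job, not from anything in the repository; it says nothing about what the tagged commit contains.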