In GitLab CI, any user is able to use any container registry image of any project.
However, according to “Permissions and roles | GitLab”, the action “Pull container images from private projects” can be performed by developers, maintainers and administrators “if the triggering user is a member of the project.”
Given that:
- Project A is private
- I am not a member of project A
- I pull project A’s image in the CI pipeline of project B
… I would expect an error. However, the CI pipeline of project B successfully uses the image of project A. I tried placing projects A and B in different groups, which did not help.
Am I misinterpreting the documentation?