Limit who can call a child pipeline


Problem to solve

Describe your question in as much detail as possible:

I would like to have a pipeline that performs privileged operations with secrets on behalf of users. To do that, I want to have a child pipeline that will only run its pipeline on a protected branch, and only be triggered from trusted sources.

I can make my child pipeline run only on main, and make sure that the repository has rules set up to limit who can modify the pipeline.

I can trigger this pipeline from some parent repository. But what I want to do is make sure the parent pipeline is from a specific repository, on a protected branch. Is it possible to do this?

  • What are you seeing, and how does that differ from what you expect to see?

I’m not seeing anything, nor do I expect to see anything specific.


Steps to reproduce

Which troubleshooting steps have you already taken? Can you link to any docs or other resources so we know where you have been?

I’ve looked at Predefined CI/CD variables reference | GitLab to see if there are any pre-defined variables that can give me a guarantee of what the parent projectid and branch is.
I’ve looked at Add new CI variables: PARENT_PIPELINE_ID and PIPELINE_START_TIME to CI. (#323569) · Issues · GitLab.org / GitLab · GitLab


Hi,

Are there many different parent pipelines calling this child pipeline or only one?

If it’s only one, I believe it’s sufficient to limit the roles at project level on both pipelines accordingly (one must be a member of both projects and have the correct merge permissions, since whoever can merge to the protected branch can also trigger the pipeline).

If you have multiple parent projects (pipelines) that trigger one child pipeline, then you could try passing on some of the relevant CI variables (e.g. the CI_PROJECT_ID, etc) to the child pipeline and evaluating yourself accordingly.

Yes, there are many.

The problem with passing the relevant CI variables is that I can’t trust in the child that the parent is passing the right thing, or that it might not be lying (especially in pipelines from unprotected branches).

I’m prototyping a variation with passing down the job token now, to validate that the job token is coming from the project/branch I expect, and use the limited lifetime of the token to trust it.
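As an added example (not code from this thread, and not GitLab's own tooling), here is the child-side check the last post describes: a script the privileged child job runs before it touches any secret. It assumes the parent triggers the child from an ordinary script job, forwards its own $CI_JOB_TOKEN to the child as a variable named PARENT_JOB_TOKEN (a name chosen for this example), and keeps that job running until the child has finished, because a job token is only valid while its job runs. The check resolves the token with GitLab's GET /api/v4/job endpoint (JOB-TOKEN header), which returns the job the token belongs to, and compares the server-reported project id and ref with an allow list kept in the child's own repository. The allow list (project id 1234, branch main) and the sample API responses are constructed for the example; it also generalizes the thread's single-parent case to several allowed parent projects.

```python
"""Verify a forwarded parent job token before doing privileged work in a child pipeline."""
import json
import os
import sys
import urllib.error
import urllib.request

# Hypothetical policy for this example: upstream project ids that may trigger
# privileged work, and the branch names each of them may do so from.
# The ids and branch names are assumptions, not values from the thread.
ALLOWED_PARENTS = {
    1234: {"main"},
}


class UntrustedParent(Exception):
    """Raised when the parent job token does not prove an allowed origin."""


def fetch_parent_job(gitlab_url, parent_job_token):
    """Resolve a job token to the job it belongs to via GET /api/v4/job.

    GitLab only answers while that job is still running, so a stale or
    forged token fails here with an HTTP error instead of being accepted.
    """
    req = urllib.request.Request(
        gitlab_url.rstrip("/") + "/api/v4/job",
        headers={"JOB-TOKEN": parent_job_token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def verify_parent_job(job, allowed=ALLOWED_PARENTS):
    """Check the origin GitLab reports for the parent job, never caller-supplied
    variables. Returns (project_id, ref) or raises UntrustedParent."""
    pipeline = job.get("pipeline") or {}
    project_id = pipeline.get("project_id")
    ref = job.get("ref")

    if project_id not in allowed:
        raise UntrustedParent(f"parent project {project_id!r} is not allowed")
    # A tag may carry the same name as a branch, so refuse tag pipelines outright.
    if job.get("tag") is not False:
        raise UntrustedParent("parent job did not run for a branch")
    if ref not in allowed[project_id]:
        raise UntrustedParent(f"ref {ref!r} is not an allowed branch of project {project_id}")
    if job.get("status") != "running":
        raise UntrustedParent(f"parent job is {job.get('status')!r}, expected running")
    return project_id, ref


# Constructed sample responses shaped like GET /api/v4/job output, trimmed to
# the fields used above. Not captured from a real instance.
SAMPLE_TRUSTED_JOB = {
    "id": 9001, "status": "running", "ref": "main", "tag": False,
    "pipeline": {"id": 4242, "project_id": 1234, "ref": "main", "status": "running"},
}
SAMPLE_FEATURE_BRANCH_JOB = {
    "id": 9002, "status": "running", "ref": "feature/claims-to-be-main", "tag": False,
    "pipeline": {"id": 4243, "project_id": 1234, "ref": "feature/claims-to-be-main", "status": "running"},
}
SAMPLE_OTHER_PROJECT_JOB = {
    "id": 9003, "status": "running", "ref": "main", "tag": False,
    "pipeline": {"id": 4244, "project_id": 999, "ref": "main", "status": "running"},
}


def main():
    # PARENT_JOB_TOKEN is the hypothetical variable the parent's trigger step forwards.
    token = os.environ.get("PARENT_JOB_TOKEN")
    if not token:
        sys.exit("PARENT_JOB_TOKEN not set; refusing to run privileged steps")
    try:
        job = fetch_parent_job(os.environ["CI_SERVER_URL"], token)
        project_id, ref = verify_parent_job(job)
    except urllib.error.HTTPError as err:
        sys.exit(f"could not resolve parent job token: HTTP {err.code}")
    except UntrustedParent as err:
        sys.exit(f"refusing privileged work: {err}")
    print(f"parent verified: project {project_id}, branch {ref}")


if __name__ == "__main__":
    main()
```

The script proves only that a still-running job of the named project on the named branch handed over its token; what makes that branch trustworthy is the protected-branch rule on the parent project, so the allow list must live in the child's own protected repository and never be passed down from the parent. If the parent job has already finished when the child runs, the token lookup fails and the privileged steps are skipped, which is the intended behaviour.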