- What are you seeing, and how does that differ from what you expect to see?
I am not sure it’s possible, but I would like to mark jobs or .templates from includes as “fixed” - meaning they cannot be changed or overridden.
The reason I am trying to prevent local .gitlab-ci.yml files from overriding jobs defined in an “include” is because we’re trying to develop a good terraform pipeline. We currently have a pipeline that runs `terraform plan` on a Merge Request. These plans run on regular runners (qa, staging) and protected runners (production).
Allowing these protected runners to run on Merge Requests enables a potential malicious user to include the pipeline or template, override the script, rules, etc. and can technically change the `terraform plan` to a `terraform apply -auto-approve`, which could result in deleting infrastructure.
- What version are you on? Are you using self-managed or GitLab.com?
  - GitLab (Hint: `/help`):
  - Runner (Hint: `/admin/runners`):

Self-managed 14.3.3-ee
- GitLab (Hint:
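
An added example, not part of the original post and not a GitLab feature: a review-time check that compares a project's parsed .gitlab-ci.yml with the parsed included template and reports every included job or template whose execution-relevant keys the local file sets or changes. The job names, the key list and both sample configs are constructed assumptions, and the configs are given as dicts as any YAML loader would return them.

```python
# Added example: inputs are CI configs already parsed from YAML into dicts.
# Keys that decide what an included job executes, when, and on which runner.
EXECUTION_KEYS = {"script", "before_script", "after_script", "rules",
                  "tags", "image", "variables", "extends", "environment"}


def find_overrides(included, local):
    """Return sorted (job, key) pairs where the local file changes an included job."""
    findings = []
    for name, local_def in local.items():
        template_def = included.get(name)
        # Only job/template names defined by the include can be overridden.
        if not isinstance(template_def, dict) or not isinstance(local_def, dict):
            continue
        for key, value in local_def.items():
            if key in EXECUTION_KEYS and template_def.get(key) != value:
                findings.append((name, key))
    return sorted(findings)


# Constructed sample: the shared template (hypothetical names).
INCLUDED = {
    ".terraform-base": {"image": "example/terraform:1.0", "tags": ["protected"]},
    "plan:production": {
        "extends": ".terraform-base",
        "script": ["terraform plan"],
        "rules": [{"if": '$CI_PIPELINE_SOURCE == "merge_request_event"'}],
    },
}

# Constructed sample: project file redefining the included job.
LOCAL = {
    "include": [{"project": "example/ci-templates", "file": "terraform.yml"}],
    "plan:production": {
        "extends": ".terraform-base",                 # unchanged, not reported
        "script": ["terraform apply -auto-approve"],  # replaces the plan step
        "tags": ["protected"],                        # new key on included job
    },
    "lint": {"script": ["terraform fmt -check"]},     # local-only job, ignored
}

if __name__ == "__main__":
    for job, key in find_overrides(INCLUDED, LOCAL):
        print(f"override: {job}.{key}")
```

Such a check only helps when it runs somewhere the Merge Request author cannot edit, not as a job inside the pipeline it inspects.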