Prevent/Disable overriding "include" jobs or .templates

  • What are you seeing, and how does that differ from what you expect to see?

I am not sure it’s possible, but I would like to mark jobs or .templates from includes as “fixed” - meaning they cannot be changed or overridden.

The reason I am trying to prevent local .gitlab-ci.yml files from overriding jobs defined in an “include” is because we’re trying to develop a good terraform pipeline. We currently have a pipeline that runs terraform plan on a Merge Request. These plans run on regular runners (qa, staging) and protected runners (production).

Allowing these protected runners to run on Merge Requests enables a potentially malicious user to include the pipeline or template, override the script, rules, etc., and technically change the terraform plan to a terraform apply -auto-approve, which could result in deleting infrastructure.

  • What version are you on? Are you using self-managed or GitLab.com?
    • GitLab (Hint: /help):
    • Runner (Hint: /admin/runners):
      Self-managed 14.3.3-ee

Hi @brett.porter

As far as I know, it’s not possible to do this.

You might want to have a look around the current list of issues and either upvote anything you think is relevant to you (which will make it more likely to be resolved) or raise a new issue.
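
Added example (not part of the thread and not GitLab's own code): since a job defined in the project's .gitlab-ci.yml is merged key by key over an included job of the same name, with the local values winning, a review-time check can at least flag such overrides. The function name, job names, image and project path below are hypothetical, and both files are assumed to be already parsed into dicts.

```python
# Added example: flag a local CI config that redefines jobs or hidden
# templates owned by a shared include. Inputs are assumed to be the two
# YAML files already parsed into dicts (for instance with a YAML library).

# Top-level keys that are global keywords rather than job names.
GLOBAL_KEYWORDS = {"include", "stages", "variables", "default", "workflow",
                   "image", "services", "before_script", "after_script", "cache"}


def find_overrides(included: dict, local: dict) -> dict:
    """Return {job_name: sorted overridden keys} for every job or hidden
    template from `included` that `local` defines again with different values."""
    findings = {}
    for name, local_def in local.items():
        if name in GLOBAL_KEYWORDS or name not in included:
            continue
        if isinstance(local_def, dict) and isinstance(included[name], dict):
            # Job hashes are merged per key, so report each key whose value differs.
            changed = [k for k, v in local_def.items() if included[name].get(k) != v]
        else:
            changed = ["<entire definition>"]
        if changed:
            findings[name] = sorted(changed)
    return findings


# Constructed sample: a shared template and a project file that alters it.
INCLUDED = {
    ".terraform_base": {"image": "registry.example.com/terraform:1.0"},
    "plan:production": {
        "extends": ".terraform_base",
        "script": ["terraform plan"],
        "tags": ["protected"],
    },
}
LOCAL = {
    "include": [{"project": "infra/ci-templates", "file": "terraform.yml"}],
    "plan:production": {"script": ["terraform apply -auto-approve"]},
    "unit-test": {"script": ["make test"]},
}

if __name__ == "__main__":
    for job, keys in find_overrides(INCLUDED, LOCAL).items():
        print(f"override of included job {job!r}: keys {keys}")
```

This only catches same-name redefinitions; a brand-new local job that targets the protected runner's tags needs a separate check.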