Preventing Crypto Mining abuse on GitLab.com SaaS

Thanks for the feedback @rbergmann

That is not accurate. Users on paid plans such as premium do not need to validate new users with a credit or debit card. Apologies that you got conflicting information.

1 Like

Thanks for the feedback @ricardorover

Just a suggestion: instead of requiring all new users to provide credit/debit card, can we have something like:

  • if unverified, CI minutes are limited to 60 minutes/month (and have a note that adding the credit/debit card number will verify their account and give a higher limit)
  • if verified, CI minutes are limited to 400 minutes/month

I wouldn’t try GitLab CI if they required a credit/debit card number at the beginning before I even know if it’s what I want

As a student myself, I don’t have a credit card nor a debit card and contacting the sales team is daunting, especially since the page is targeted towards companies, and not individuals

This is a great thought, @hgrnnctwc. The only challenge comes with using CI minutes as the trigger for public projects. Public projects aren’t accumulating minutes in the same way as private projects. We are looking to change this in the next few milestones in this epic. Please comment on any of those issues if you have any questions!

1 Like

Thanks for this @martin296.

The challenge is Paid is determined by the plan and not by pipeline. Additionally, minutes are accumulated by namespace for private projects only. This could also leave gaps in the abuse vectors.

We have future plans for these minute limit changes in this epic. In regard to the verification at a higher group or namespace level, we are investigating the validity of this option.

Is it possible to use GitLab Pages without shared runners on a free account (without credit card verification)?

Yes. For the plain-html project there are no special tools you need installed. But if you use an SSG (static site generator) like Jekyll or Hugo you would need to set that up first in your own Runner. For example, you can follow the instructions to set up Hugo from that sample project.

2 Likes

Like https://www.idena.io/ ?

Thanks for the reply. I’m very interested in what you come up with. Keep up the good work.

1 Like

Great to see some activity here!

2 Likes

@abitrolly Thanks for the idea!

Among other things, we are currently investigating solutions like https://www.arkoselabs.com/, https://www.ehawk.net/index.php, and also https://www.facetec.com/.

These types of approaches have quite a few benefits and drawbacks.

2 Likes

What about the following approach:
If a user forks an open source project and then makes a merge request back to the forked project, allow the pipelines for the merge request checks to run, as long as they didn’t change the .gitlab-ci.yml file and the project is allowed to run pipelines, even if the user doesn’t have a credit card on their account.

People contributing changes to .gitlab-ci.yml files should be rare, and since they didn’t change it they cannot introduce any cryptomining. If they still want to change something on the .gitlab-ci.yml file, they would need to provide their own runners or add a credit card. I feel this would be a good compromise.

Hi, we are considering this functionality in this epic if you are interested in following!

1 Like

We would love your feedback on potential avenues we are considering to prevent abuse while also lowering the impact on legitimate users.

Please see the very short survey here: https://forms.gle/tEmPxrQ8H8usAgCu9

I would like to see slightly finer control over runner usage.
We would like to use the CI pipelines with a group of users that varies over time. Using the current system requires either disabling shared runners entirely or having every user authenticate in some way. But the jobs initiated from their commits mostly use our private runners.
Thus it looks preferable if the authentication is only enforced for jobs that run on shared runners. Then those jobs must have been pushed by an authenticated user, whereas the others do not need authentication.
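The two suggestions above (allow fork merge-request pipelines when the pipeline definition is untouched, and require verification only for jobs that actually land on shared runners) describe one decision rule. The following Python is an added illustration written for this thread, not GitLab's own code: the `PipelineRequest` fields, the `shared_runner_pipeline_allowed` function and the sample requests are assumptions of the example. It also goes one step beyond the thread by treating the set of "pipeline-defining" files as configurable, since a project may use a custom CI config path and a `.gitlab-ci.yml` can pull in other repository files through `include: local:`; a file that is pulled in that way changes the pipeline just as much as the top-level file does.

```python
"""Policy model: may this pipeline run on shared runners without card verification?

Added example for the forum discussion above; hypothetical, not GitLab's code.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

DEFAULT_CI_CONFIG = ".gitlab-ci.yml"


@dataclass(frozen=True)
class PipelineRequest:
    user_verified: bool                  # card (or equivalent) verification on the account
    uses_shared_runners: bool            # False when every job is tagged to project-owned runners
    from_fork_merge_request: bool        # MR from a fork back into the upstream project
    target_allows_pipelines: bool        # upstream project permits MR pipelines at all
    changed_files: FrozenSet[str]        # paths touched by the MR (constructed sample data)
    # Assumption: the CI config path plus any repository files it pulls in via include:local.
    pipeline_defining_files: FrozenSet[str] = frozenset({DEFAULT_CI_CONFIG})


def pipeline_definition_changed(req: PipelineRequest) -> bool:
    """True if the MR touches any file that shapes the pipeline."""
    return bool(req.changed_files & req.pipeline_defining_files)


def shared_runner_pipeline_allowed(req: PipelineRequest) -> Tuple[bool, str]:
    """Return (allowed, reason) for the request, most permissive rule first."""
    # Rule from the runner-scoped suggestion: private runners never need verification.
    if not req.uses_shared_runners:
        return True, "jobs run on project-owned runners only; no verification needed"
    if req.user_verified:
        return True, "account verified"
    # Rule from the fork/MR suggestion: the contributor could not alter what runs,
    # so the upstream pipeline definition is what executes on the shared runner.
    if req.from_fork_merge_request and req.target_allows_pipelines:
        if not pipeline_definition_changed(req):
            return True, "fork MR with unchanged pipeline definition"
        return False, "pipeline definition changed in MR; verification or own runner required"
    return False, "unverified account; shared runners blocked"


def evaluate(requests: List[PipelineRequest]) -> List[Tuple[bool, str]]:
    """Evaluate a batch of requests (handy for auditing a policy change)."""
    return [shared_runner_pipeline_allowed(r) for r in requests]


# Constructed sample requests covering the interesting corners of the rule.
SAMPLES = [
    # Unverified contributor, doc-only change in a fork MR: allowed.
    PipelineRequest(False, True, True, True, frozenset({"docs/README.md"})),
    # Same contributor edits .gitlab-ci.yml: blocked on shared runners.
    PipelineRequest(False, True, True, True, frozenset({".gitlab-ci.yml"})),
    # Edits a file the config includes locally: also blocked (configured as pipeline-defining).
    PipelineRequest(False, True, True, True, frozenset({"ci/build.yml"}),
                    frozenset({".gitlab-ci.yml", "ci/build.yml"})),
    # Jobs pinned to the project's own runners: allowed regardless of verification.
    PipelineRequest(False, False, False, True, frozenset({".gitlab-ci.yml"})),
    # Unverified user pushing to their own project on shared runners: blocked.
    PipelineRequest(False, True, False, True, frozenset({"src/app.js"})),
]

if __name__ == "__main__":
    for req, (ok, why) in zip(SAMPLES, evaluate(SAMPLES)):
        print("ALLOW " if ok else "BLOCK ", why)
```

The point of the batch evaluator is that each rule is a separate, auditable branch: if a policy later adds a minute quota for unverified accounts, it slots in as one more branch rather than a rewrite of the whole condition.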

I enter my debit card details, it charges and reverts $1 but never validates my user profile. After a while I get some timeout error. Please help.

Note that we are working to waive credit/debit card validation if a project has paid CI/CD minutes.

Ref: Waive credit card validation if project has CICD minutes (#349835) · Issues · GitLab.org / GitLab · GitLab

I enter my credentials and it just says please wait while we validate. I wait a long time but nothing happens. After that, when I run a pipeline, it is pending, not failed, and shows user validation as if for the first time. How can I validate my account?

@thangcqUET This is not a problem I have seen previously. It may be specific to your account. If you haven’t done so already, can you contact the support team? Support | GitLab

As of 2022-01-13, GitLab no longer requires users created after 2021-05-17 to provide a valid credit or debit card in order to run CI jobs hosted at GitLab, if those CI jobs are run on namespaces that have purchased CI minutes that have not been used.

1 Like

Hi, I am helping people from economically unstable countries to learn about free open source coding, linux, command line, git, etc. To give them a place to try out their HTML, Vanilla JS and CSS I recommended them to use gitlab pages. Those people don’t have a credit card and it seems they can’t use it anymore. From your post I saw “if they use their own runner and disable shared runners” it should be possible, am I correct? How do they disable shared runners and run their own? Is there some documentation for this please? Thank you for helping.

1 Like

Yes, it’s in the documentation; a quick Google search for “gitlab disable shared runners” would have found it: The scope of runners | GitLab

3 Likes