Preventing Crypto Mining abuse on GitLab.com SaaS

@whaber, Hello!

In our project we have two members that are verified and one that is not. We also don’t have personal runners, so we only use shared ones. How do I configure my pipeline not to be triggered by a non-verified user?

Currently the workflow:rules section looks like this:

workflow:
  rules:
    - if: $GITLAB_USER_ID == "xxxxxxxx"
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == "dev"

But this failure, due to the trigger user not being verified, seems to happen earlier than the pipeline follows workflow:rules (this is only a guess).

What would you recommend?

Hey @anton2920,

You are correct that user verification occurs before the evaluation of workflow:rules.

> How do I configure my pipeline not to be triggered by non-verified user?

The user verification takes care of this without any additional pipeline configuration. Please let us know if that’s not what you’re experiencing, or if there’s something else that you’re trying to achieve that you’d like us to help you with.

@jayswain, thanks for the quick confirmation.

I mean, yeah, the pipeline won’t finish if the user is not verified, that’s correct. But it’s still started. After that it instantly fails. We have Slack notifications set up if a pipeline fails. Also Jira shows that the build failed. Also it’s displayed as a failed pipeline on GitLab itself. It’s kind of annoying.

The thing I’m trying to achieve is to prevent the pipeline from even trying to start if it is caused by a non-verified user, so we can still have the notification settings we have right now, and it’s not flooded with fail messages.

Ah, I see the frustration @anton2920.

Would Push options be a solution that works for your team?

@jayswain, thanks! I’ve tested it and here are the results.

If you create a new branch and merge request like this:

git branch new_branch
git checkout new_branch
git push origin new_branch -o merge_request.create -o ci.skip

two pipelines will be created: the one for the branch will be skipped and the one for the MR will fail (ouch). The results are the same if you just push the branch with -o ci.skip and create the MR using the GitLab website, which makes sense. All that seems to be in sync with the documentation.

If you push to an existing branch and MR, two pipelines will be created (for the push to the branch and the push to the MR) and both of them will be skipped. This seems good to our team but is otherwise a bug, as the documentation states:

> Only skips branch pipelines and not merge request pipelines.

Probably I don’t understand what exactly should be skipped, so it’s up to you to draw conclusions :wink:

Still, I’ll consider this method as a workaround, as every branch created from Jira, every MR that is created with whatever method and every accidental push that forgets this option will result in a pipeline failure and a lot of notification noise after that :slight_smile:

Also, pipelines, although skipped, are still created, and the CI/CD log with all pipelines is now getting a bit messy with these. So the amount of work needed to clean this up remains the same.
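For the "accidental push that forgets this option" case in the post above, git can send a push option by default from the clone's own configuration. This is an added example, not part of the original thread; the function names are hypothetical, while `push.pushOption` is git's standard multi-valued config key. It does not change the merge request pipeline behaviour described above.

```shell
#!/bin/sh
# Added example: make "ci.skip" the default push option for one clone,
# so a plain "git push" from the non-verified member's checkout carries it.
# Function names are hypothetical; push.pushOption is a standard git key.

# Add ci.skip to the clone's default push options (safe to run repeatedly).
enable_ci_skip_default() {
    repo=$1
    # push.pushOption is multi-valued: add the value only if it is missing,
    # otherwise repeated runs would stack duplicate entries.
    if git -C "$repo" config --local --get-all push.pushOption 2>/dev/null \
        | grep -qxF 'ci.skip'; then
        return 0
    fi
    git -C "$repo" config --local --add push.pushOption ci.skip
}

# Remove the default again, e.g. once the member has been verified.
# Other configured push options are left untouched.
disable_ci_skip_default() {
    repo=$1
    # The value pattern limits --unset-all to the ci.skip entries;
    # a missing entry is not treated as an error.
    git -C "$repo" config --local --unset-all push.pushOption '^ci\.skip$' \
        || true
}

# List the options git sends when no -o is given on the command line.
default_push_options() {
    git -C "$1" config --local --get-all push.pushOption || true
}
```

git applies the configured values only when no `-o` is given on the command line, so a push such as `git push -o merge_request.create` still needs `-o ci.skip` spelled out.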

Yep, this is a big problem, but we have a solution. I have an idea: we could restrict crypto mining or something like that.