Restrict access to change .gitlab-ci.yml only for main branch and run pipeline only on main

krzysztof-romanowski · December 2, 2024, 11:03am

Problem to solve

I have a pipeline that’s crucial for the business. It maintains user access to various systems. It consist with validation and apply stage. I want that:

it will run apply stage only on main and only with MR
users are able to create branches so that MR can be merged with a narrow group of people
users can’t change .gitlab-ci.yml on their branches, and modify rules so that their can grant permissions to run the apply stage
validation can be run on any branch

How I can achieve that with GitLab?

Self-managed
GitLab.com SaaS
Dedicated
Self-hosted Runners
GitLab SaaS Runners

dnsmichi · December 2, 2024, 2:12pm

If the .gitlab-ci.yml remains in the same project, users can edit it in their branches. A potential solution for that is to define pipeline execution policies, and always run specific jobs / limit access to the CI/CD configuration, living outside of the project.

The CI/CD configuration itself can then use rules to specify when it should be run (main branch, MRs, etc.). Such filtering could also be applied for jobs in the apply stage, and validation jobs that run all the time.

krzysztof-romanowski · December 4, 2024, 12:03pm

Thank you

Topic		Replies	Views
Allow CI/CD running only in master branch How to Use GitLab ci	4	12803	January 22, 2020
Gitlab CI - permissions to run a job GitLab CI/CD	0	774	February 23, 2022
How do i restrict a gitlab stage to be only built on merge request to main branch with manual execution How to Use GitLab	4	1243	June 8, 2023
Pipelines run for all branches GitLab CI/CD ci	1	6412	January 28, 2022
Limit who can call a child pipeline GitLab CI/CD	2	16	November 13, 2024

Restrict access to change .gitlab-ci.yml only for main branch and run pipeline only on main

Problem to solve

Related topics