I have created a pipeline that includes deploying a Review App if $CI_MERGE_REQUEST_ID is present.
Those jobs do two things
- Build and upload a docker image file to a docker registry (ECR), for this it relies on CI/CD environment variables (with the credentials to the docker registry
AWS_ACCESS_KEY_ID,etc) -
helm upgrade --install --waitto deploy the review app to kubernetes, customizing the ingress address
My problem is that for this to work I need to “un-protect” the CI/CD variables so that they are available in the merge request branch, but that opens anybody that can create a MR to modify the .gitlab-ci.yml and leak the contents of the variables.
Is there any best practice on how to avoid this?
From what I see from the documentation on a first cursory search seems that there are two alternatives
- File locking
- External .gitlab-ci.yml, putting the .gitlab-ci.yml in another repo so that the developer can’t modify it.
Again my concert is that I need to use secrets/credentials in the CI/CD environment variables and I fear that those can leak if the developers make changes to the .gitlab-ci.yml. So how people usually go about this?