Securely deploying to production in CI

Hello,

We’re currently deploying to production as follows:

  • repos have protected production branches
  • repos have privileged special runners which have the rights to deploy to our production AWS account AND can run protected branches
  • we enable the special runners manually for the appropriate repos
  • all other branches run on group runners that execute in the dev AWS account
  • only maintainers can then deploy to production because only they can merge onto production

Now this works fine and seems to be fairly secure. However, a drawback is that we can’t separate the maintainers from the production deployment rights. That means that all maintainer tasks (creating new repos, adding team members and anything maintainers do) must be done by the people having production deployment rights. That’s not what we want.

We could of course protect branches with rights only to specific people. However, maintainers can assign runners as they want, so this whole privileged-runner idea doesn’t work.

How are you handling this? Is there a better way? Is this a limitation by GitLab?
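For reference, here is a constructed `.gitlab-ci.yml` that expresses the setup the post describes (protected production branch, a privileged tagged runner for production, group runners for everything else). It is an added illustration, not the poster's actual pipeline; the runner tags `prod-deploy` and `dev-deploy`, the branch name `production` and the `./deploy.sh` script are assumptions.

```yaml
# Constructed example of the deployment setup described above (not the poster's config).
# Assumed runner tags: "prod-deploy" (privileged runner with rights to the production
# AWS account, allowed to run protected branches) and "dev-deploy" (group runner in the
# dev AWS account). Assumed deploy script: ./deploy.sh <account>.

stages:
  - deploy

.deploy_template:
  stage: deploy
  script:
    - ./deploy.sh "$TARGET_ACCOUNT"   # assumed script; takes the target account name

# Every non-production branch deploys to the dev account on the group runners.
deploy_dev:
  extends: .deploy_template
  variables:
    TARGET_ACCOUNT: dev
  tags:
    - dev-deploy
  rules:
    - if: $CI_COMMIT_BRANCH == "production"
      when: never
    - if: $CI_COMMIT_BRANCH
  environment:
    name: dev

# Production deploys only from the protected "production" branch and only on the
# privileged runner. CI_COMMIT_REF_PROTECTED is "true" only for protected refs, so a
# same-named unprotected branch (e.g. in a fork) does not satisfy the rule.
deploy_production:
  extends: .deploy_template
  variables:
    TARGET_ACCOUNT: production
  tags:
    - prod-deploy
  rules:
    - if: $CI_COMMIT_BRANCH == "production" && $CI_COMMIT_REF_PROTECTED == "true"
  environment:
    name: production
```

The `rules` decide when `deploy_production` runs, but the `tags` only select a runner that has been enabled for the project; which runners are enabled is a project setting, which is the maintainer-controlled step the post identifies as the weak point.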