Doing some research about setting up a project using GitLab Runners for running tests in a CI pipeline. Artifacts from a sensitive project would be pushed to a downstream pipeline, where they would be used in tests.
These tests would run on computers that are in a not-so-secure location. Is there a risk that the upstream project could be accessed with data from one of the downstream GitLab Runners (other than the artifacts)? I guess there are tokens on the downstream GitLab Runners; could these be used to access something other than the artifacts specified in the pipeline?
You should be using variables under Project → Settings → CI/CD → Variables to store tokens. You shouldn't be storing them in code or in .gitlab-ci.yml either.
Runners connect to your GitLab server over HTTPS and poll for pipeline jobs. They then pick up the job and run it. The artifacts from the job are then pushed and stored in your GitLab project on your server.
If a runner is compromised, you just delete it from within your GitLab server so that it can no longer communicate with it. Even if it could still communicate, it is only there as a connection to pick up CI/CD jobs. Once the jobs finish, there shouldn't be anything on the runner, at least as far as I am aware.
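To make the setup the answer describes concrete, here is an added example (not from the original post or from GitLab's documentation) of the two pipeline definitions: the upstream job keeps its token in a masked, protected CI/CD variable instead of the YAML file, publishes only the build output as an artifact, and triggers the downstream project without forwarding its variables; the downstream job, pinned to the less trusted runners, pulls only that artifact. The project paths `example-group/sensitive-project` and `example-group/test-harness`, the runner tag `untrusted-lab`, the variable name `API_TOKEN` and the script names are placeholders.

```yaml
# --- .gitlab-ci.yml in the sensitive (upstream) project ---
# Added example; project paths, job names, tags and variable names are placeholders.

stages:
  - build
  - trigger-tests

# BAD: a token written into the pipeline definition lands in the repository
# history and in the job environment of every runner that picks up the job.
# variables:
#   API_TOKEN: "<secret-token>"   # do not do this

build:
  stage: build
  # $API_TOKEN is defined under Project -> Settings -> CI/CD -> Variables as
  # masked + protected, so it is only injected into jobs on protected refs and
  # never stored in the repository.
  script:
    - ./build.sh "$API_TOKEN"
  artifacts:
    paths:
      - dist/           # the only thing the downstream pipeline should receive
    expire_in: 1 day

trigger-downstream:
  stage: trigger-tests
  trigger:
    project: example-group/test-harness   # placeholder downstream project
    branch: main
    strategy: depend
    # Do not forward this pipeline's CI/CD variables (the token included) into
    # the downstream pipeline; the downstream jobs only need the artifacts.
    forward:
      pipeline_variables: false
      yaml_variables: false

# --- .gitlab-ci.yml in the downstream (test) project, run on the less trusted runners ---

stages:
  - test

run-tests:
  stage: test
  tags:
    - untrusted-lab     # placeholder tag registered on the less secure machines
  needs:
    - project: example-group/sensitive-project   # placeholder upstream project
      job: build
      ref: main
      artifacts: true   # downloads only the build job's artifacts
  script:
    - ls dist/
    - ./run-tests.sh dist/
```

The downstream job's token only has to be good enough to download the named artifact from the upstream job; nothing in the upstream project's variables reaches the runner because `forward` disables variable forwarding. Note that cross-project `needs` with `artifacts: true` is a paid-tier GitLab feature, so check that your instance supports it before relying on this layout; on tiers without it, the downstream job would need an explicit API download with a narrowly scoped token kept, again, in the downstream project's CI/CD variables rather than in its YAML.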