Security issues with trigger token

:hugs: Please help fill in this template with all the details to help others help you more efficiently. Use formatting blocks for code, config, logs and ensure to remove sensitive data.

Problem to solve

The goal is to run unit tests on students submissions without the students having access to the tests or the repo containing the tests .
I created a group “submissions” and under that
repo grading-control which contains the tests and .gitlab-ci.yml that initiates the tests
repo for each student containing the student code and their own (identical) .gitlab-ci.yml that triggers the .gitlab-ci.yml in repo grading-control using curl and a trigger token in grading-control.

My question(s)

  1. is there a better way to achieve this
  2. Is using trigger token “safe”. Students will not be able to view, modify, clone… repo grading-control

Steps to reproduce

My understanding is .gitlab-ci.yml is “run” with privilege of the owner of grading-report (me) but only allowed to trigger pipelines (i.e. cannot be used to view, clone… repo grading-control)

Configuration

Below is the content of .gitlab-ci.yml in students repos
stages:
- submit
trigger_grading:
stage: submit
script:
- | curl -X POST \ -F token="trigger token value" \ -F ref="main" \ -F "variables[STUDENT_PROJECT_ID]=$CI_PROJECT_ID" \ -F "variables[STUDENT_URL]=$CI_PROJECT_URL" \ "http://host/api/v4/projects/1/trigger/pipeline"

Versions

Please select whether options apply, and add the version information.

  • Self-managed
  • GitLab.com SaaS
  • Dedicated
  • Self-hosted Runners

Versions

  • GitLab (Web: /help or self-managed system information sudo gitlab-rake gitlab:env:info):
  • GitLab Runner, if self-hosted (Web /admin/runners or CLI gitlab-runner --version):

Helpful resources

  1. Check the FAQ for helpful documentation, issues/bugs/feature proposals, and troubleshooting tips.
  2. Before opening a new topic, make sure to search for keywords in the forum search
  3. Check the GitLab and GitLab Runner projects for existing issues. If you encounter a bug, please create a bug report issue.
  4. Review existing troubleshooting docs.

Thanks for taking the time to be thorough in your request, it really helps! :blush:

Your approach is sound. The key improvement is storing the trigger token as a masked CI variable instead of hardcoding it. Trigger tokens alone don’t provide access to the private grading repo, but be careful not to expose tests through logs or artifacts. Also consider CI_JOB_TOKEN or multi-project pipelines for tighter security and easier management.