Hello,
I want to prevent unauthorized developers from deploying to production environment. According to the docs this can be achieved by “Protected Environments”. But I wonder if this is really secure. A malicious developer could just change the gitlab-ci.yml file and remove the environment from the production deployment task.
So I came up with an idea how to prevent this:
- add an environment variable
DEPLOYMENT_KEYand limit scope to environment “production” - put deployment shell commands in a shell script
deploy.shwhich can only be accessed by a separate userdeployer - sudoers entry allows gitlab-runner to execute deployment script as user “deployer”
gitlab-runner ALL = (deployer) NOPASSWD: /opt/deployment/deploy.sh- this prevents a malicious user from manipulating the deployment script with respective ci-script commands
- gitlab ci-script:
sudo -u deployer /opt/deployment/deploy
- the deployment script checks the hash of the secret before deploying
[ "$(echo -n $DEPLOYMENT_KEY | sha256sum)" != "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 -" ] && echo "invalid key" && exit 1;
But I wonder if the environment variable is really secure or if there is a way to circumvent the protection by tampering with gitlab-ci.yml