Security of protected environments


I want to prevent unauthorized developers from deploying to production environment. According to the docs this can be achieved by “Protected Environments”. But I wonder if this is really secure. A malicious developer could just change the gitlab-ci.yml file and remove the environment from the production deployment task.

So I came up with an idea how to prevent this:

  • add an environment variable DEPLOYMENT_KEY and limit scope to environment “production”
  • put deployment shell commands in a shell script which can only be accessed by a separate user deployer
  • sudoers entry allows gitlab-runner to execute deployment script as user “deployer”
    • gitlab-runner ALL = (deployer) NOPASSWD: /opt/deployment/
    • this prevents a malicious user from manipulating the deployment script with respective ci-script commands
  • gitlab ci-script:
    • sudo -u deployer /opt/deployment/deploy
  • the deployment script checks the hash of the secret before deploying
    • [ "$(echo -n $DEPLOYMENT_KEY | sha256sum)" != "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 -" ] && echo "invalid key" && exit 1;

But I wonder if the environment variable is really secure or if there is a way to circumvent the protection by tampering with gitlab-ci.yml