Setup Question for CI/CD, with GPG keys
The problem we are trying to solve is security:
How to ensure a member of the team - who can update and push code - is authorized to push changes to production.
What I believe is a valid approach is to use GPG keys - have a step in the pipeline that fails if the person pushing is not allowed to push, i.e. does not have their key in a team GPG repository.
Research done so far indicates I could:
- Set up my own key server
- In the runner do this (pseudo shell, made runnable):
  # $MyKeyServer and $value are pipeline variables; gpg2 exits non-zero when the key is not found
  if gpg2 --batch --keyserver "$MyKeyServer" --search-keys "$value" >/dev/null 2>&1; then
    exit 0   # key found, continue the pipeline
  else
    echo "Unauthorized push by $value" | mail -s "Unauthorized push attempt" theauthorities@company.com
    exit 1
  fi
However, I might be overthinking this approach, or missing something fundamental in the GitLab setup where this ability is baked in.
I appreciate in advance your time.
~brian
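As an added example (not code from the original post, and not a GitLab feature), here is one way a CI job script could enforce the check described above with a defensive twist: instead of asking a key server whether a name or e-mail has a key, which only proves that somebody published a key, the job verifies that the commit being deployed is actually signed and that the signing key's fingerprint is on a team allowlist. Everything here is assumed: the allowlist file format (one full fingerprint per line, `#` comments), the file path passed as an argument, and that the runner already has the team's public keys imported so that git can verify signatures.

```shell
#!/bin/sh
# Added example, not from the original post. A CI job step that gates the
# pipeline on the HEAD commit being signed by a key on a team allowlist.
# Assumptions (hypothetical): the allowlist is a text file of full key
# fingerprints, one per line ('#' comments allowed), its path is passed in,
# and the runner has the team's public keys imported so git can verify
# signatures.

# verify_signer STATUS FINGERPRINT ALLOWLIST
#   STATUS      - git's %G? code: G good, U good but untrusted, B bad, N none, ...
#   FINGERPRINT - git's %GF value (empty when the commit is unsigned)
# Returns 0 when the signature is valid and the key is allowlisted, 1 otherwise.
verify_signer() {
  status="$1"
  fpr="$2"
  allowlist="$3"

  case "$status" in
    G|U) ;;   # valid signature; trust is decided by the allowlist, not the gpg trustdb
    *)
      echo "refusing: signature status '$status' is not a valid signature" >&2
      return 1
      ;;
  esac

  if [ -z "$fpr" ]; then
    echo "refusing: no signing key fingerprint" >&2
    return 1
  fi

  # Whole-line, fixed-string, case-insensitive match against non-comment lines.
  if grep -v '^#' "$allowlist" | grep -Fixq -- "$fpr"; then
    return 0
  fi
  echo "refusing: key $fpr is not in the team allowlist" >&2
  return 1
}

# check_head_commit ALLOWLIST
#   Runs verify_signer on the pipeline's HEAD commit (needs git and gpg on the runner).
#   Put this in the job that deploys to production and let its non-zero exit fail the job.
check_head_commit() {
  line=$(git log -1 --format='%G? %GF' HEAD) || return 1
  verify_signer "${line%% *}" "${line#* }" "$1"
}
```

Accepting status `U` (good signature, unknown trust) is deliberate: the gpg trust database on a runner is rarely maintained, so the allowlist file, which can itself live in a protected repository and be reviewed like code, is the authority. Note that GitLab's push rules include a "Reject unsigned commits" option in the paid tiers; that only enforces the presence of a signature, not membership of a team allowlist, which is the part the script above adds.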