Setup Question for CI/CD - GPG Keys

Setup Question for CI/CD, with GPG keys

  1. The problem we are trying to solve is security:
    How to ensure a member of the team - who can update and push code - is authorized to push changes to production.

  2. What I believe is a valid approach is to use GPG keys - have a step in the pipeline that fails if the person who is not allowed to push does not have their keys in a Team GPG repository.

Research done so far indicates I could

  • Setup my own key server
  • In the runner, do this:

pseudo shell:

# Ask the team key server for the key; the check assumes gpg2 exits non-zero
# when the key is not found.
if gpg2 --batch --keyserver "$MyKeyServer" --search-keys "$value"; then
  : # key found, continue the pipeline
else
  mail -s "Unauthorized push attempt" theauthorities@company.com < /dev/null
  exit 1
fi

  3. However I might be over-thinking this approach, or missing something fundamental in the gitlab setup where this ability is baked in.

  4. I appreciate in advance your time.

~brian
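One way to implement the pipeline gate described in the post, as an added example that is not part of the original post and not GitLab's own feature: instead of querying a key server, it verifies the HEAD commit's signature with `git verify-commit --raw` and fails the job unless the signer's primary-key fingerprint is in a team allow-list file. It assumes the team public keys are already imported on the runner; the file name `team-fingerprints.txt` and the variables `RUN_SIGNATURE_GATE` and `TEAM_FPR_FILE` are invented for the example.

```shell
#!/bin/sh
# Added example (not from the original post): a CI gate that verifies the
# HEAD commit is signed by a key listed in a team allow-list of fingerprints.
# Assumptions: the allow-list file holds one 40-hex-digit primary-key
# fingerprint per line, and the runner already has the team public keys
# imported so that `git verify-commit` can check the signature.

# Decide whether gpg status output (as printed by `git verify-commit --raw`)
# names an allowed signer. Reads status lines on stdin; $1 is the allow-list.
# Returns 0 on pass, 1 on fail.
check_status() {
    allow_list="$1"
    status="$(cat)"
    # GOODSIG is only emitted for a valid signature from a key that is neither
    # expired nor revoked (those cases yield EXPKEYSIG / REVKEYSIG instead).
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    # VALIDSIG carries the full fingerprint; its last field is the primary
    # key fingerprint, so subkey signatures map back to the enrolled key.
    fpr="$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')"
    [ -n "$fpr" ] || return 1
    # Match on the complete fingerprint, never on a short key ID.
    grep -qix "$fpr" "$allow_list"
}

# CI entry point: fail the job when HEAD is unsigned or signed by an
# unlisted key. Usage: verify_head_commit /path/to/team-fingerprints
verify_head_commit() {
    if git verify-commit --raw HEAD 2>&1 | check_status "$1"; then
        echo "HEAD signed by an authorized team key"
    else
        echo "HEAD is not signed by an authorized key; refusing to deploy" >&2
        return 1
    fi
}

# Run the gate only when invoked as a CI step (guarded so the functions can
# be sourced in other scripts without side effects).
if [ "${RUN_SIGNATURE_GATE:-}" = 1 ]; then
    verify_head_commit "${TEAM_FPR_FILE:-team-fingerprints.txt}" || exit 1
fi
```

Removing a fingerprint from the allow-list file (or rotating a revoked key) is then a normal reviewed change to the repository rather than a key-server operation.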