Using permissions on CI variables

I want to use GitLab CI for production deployment. I have no problem doing it with the environment variables and a job only on a branch.
But if a developer removes the “only master” and pushes to a test branch, that is deployed to production.

Is it possible to use the new use permission on CI variables? Or assign a variable to a specific branch?

1 Like

I spent a couple of hours trying to sort out permissions in GitLab CI.

And it seems that GitLab has no good permissions/security system - if you give a developer access to the project, which has a way of deploying to Production, that developer will have a way to access Production one way or another.

What to do about that?

Currently, I’m contemplating this solution:

  • Keep the code in the current project. No CI in it. Or CI with staging only.
  • Create a new fork, which will have the Production CI. So the only purpose of that fork (project) would be to deploy and access the PROD environment(s). I may add developers to that project as reporters, with limited permissions.

In such a setup, to deploy to PROD, I’ll create and merge an MR to that fork.

I want to hear what people say about such a setup.

1 Like
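
The two-project layout proposed in the post above, sketched as an added example (it is not from either poster): the code project carries only a staging job, and the production job and its credentials live in the deploy fork. The script names and the variable name PROD_DEPLOY_KEY are assumptions made for illustration.

```yaml
# ---- File 1: .gitlab-ci.yml in the code project ----
# Developers can push here and can edit this file. The project holds no
# production credentials, so deleting "only: master" below can at worst
# deploy a test branch to staging.
stages:
  - test
  - deploy

test:
  stage: test
  script:
    - ./run-tests.sh                 # hypothetical test script

deploy_staging:
  stage: deploy
  script:
    - ./deploy.sh staging            # hypothetical deploy script
  environment:
    name: staging
  only:
    - master

---
# ---- File 2: .gitlab-ci.yml in the deploy fork ----
# Developers are added as Reporters, so they cannot push to this project
# and cannot change this file. PROD_DEPLOY_KEY (assumed name) is defined
# only in this project's CI/CD variables, never in the code project.
stages:
  - deploy

deploy_production:
  stage: deploy
  script:
    - test -n "$PROD_DEPLOY_KEY"     # stop early if the credential is not set
    - ./deploy.sh production         # hypothetical deploy script, reads PROD_DEPLOY_KEY
  environment:
    name: production
  only:
    - master                         # runs once the MR into the fork is merged
```

The boundary here is project membership rather than anything written in the CI file: the person who merges the MR into the fork is the one who triggers the production deployment.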

Thanks for your reply. This is an interesting alternative, which I had not thought of. I’ll test to see if it can go into our workflow.

Until GitLab implements more advanced permissions…

1 Like