I spent a couple of hours trying to sort out permissions in GitLab CI.
And it seems that GitLab has no good permissions/security system: if you give a developer access to a project which has a way of deploying to Production, that developer will have a way to access Production one way or another.
What to do about that?
Currently, I’m contemplating this solution:
- keep the code in the current project. No CI in it. Or CI with staging only.
- create a new fork, which will have the Production CI. So the only purpose of that fork (project) would be deployment and access to the PROD environment(s). I may add developers to that project as reporters, with limited permissions.
In such a setup, to deploy to PROD, I’ll create and merge an MR to that fork.
I want to hear what people say about such a setup.