What are these deploy keys?

I have a private project on gitlab.com and it has lots of “Publicly accessible deploy keys” that I didn’t add. I googled this problem but there is only one reference:

These are some of the keys:

Rewind
CFMM Ansible Deployment
LRM Puppet Test
gitlab-runner (lion)
deploy@jasmine
deployer@stridsberg.nu
test-server
gitlab-runner
kijkmijnhuis@SensioLabsInsight 

What are they doing there?

I guess this is it:

https://docs.gitlab.com/ce/ssh/README.html#global-shared-deploy-keys

Global Shared Deploy keys allow read-only or read-write (if enabled) access to be configured on any repository in the entire GitLab installation. [emphasis mine]

I wonder why they are there though.

I have the same question. It’s quite worrying. Is our private repo exposed to some public services?
Have you found out more about this? Actually it seems that you have to enable them first. So by default, they are disabled.

This is really horrible/dangerous UX IMO. It’s extremely alarming to browse to the deploy keys section of your private repository and see a bunch of “public deploy keys” already added there. Either the messaging on that page or the documentation should be changed to clarify what’s happening. E.g., can anyone with the associated private key of one of those public keys access our private repo? Seems like the answer is “no, unless you enable the key”, but it’s not immediately clear from the page or the docs.

Hi @milesrichardson,

thanks for the feedback. Mind opening an issue with your proposal?

Cheers,
Michael
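
An added example, not part of the thread and not GitLab's own code: one way to check which deploy keys are actually enabled on a project, as opposed to merely listed as available, and whether any of them has write access. It assumes the GitLab API endpoint `GET /api/v4/projects/:id/deploy_keys` returns only the project's enabled keys with `title`, `key` and `can_push` fields; the function names, key titles and key material below are constructed for illustration.

```python
import base64, hashlib, json, urllib.request

def fingerprint(public_key):
    """OpenSSH-style SHA256 fingerprint of an 'ssh-xxx <base64> [comment]' line."""
    blob = base64.b64decode(public_key.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def fetch_enabled_keys(base_url, project_id, token):
    """Deploy keys enabled on one project (first page only; needs network and a token)."""
    req = urllib.request.Request(
        f"{base_url}/api/v4/projects/{project_id}/deploy_keys",
        headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def audit(enabled_keys, expected_fingerprints):
    """Return (title, fingerprint, reasons) for every enabled key that needs review."""
    findings = []
    for entry in enabled_keys:
        fp = fingerprint(entry["key"])
        reasons = []
        if fp not in expected_fingerprints:
            reasons.append("not in expected set")
        if entry.get("can_push"):  # assumed field: true means read-write
            reasons.append("write access")
        if reasons:
            findings.append((entry["title"], fp, reasons))
    return findings

# Constructed sample shaped like the assumed API response; not real keys.
def _sample_key(blob):
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed"

SAMPLE = [
    {"id": 1, "title": "example-ci", "key": _sample_key(b"constructed-blob-A"),
     "can_push": False},
    {"id": 2, "title": "example-unknown", "key": _sample_key(b"constructed-blob-B"),
     "can_push": True},
]
EXPECTED = {fingerprint(SAMPLE[0]["key"])}  # keys the project owner enabled on purpose

if __name__ == "__main__":
    for title, fp, reasons in audit(SAMPLE, EXPECTED):
        print(f"{title}: {fp} ({', '.join(reasons)})")
```

An empty result from `audit` means every enabled key is one you expected and none can push.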