Notify developers to verify access controls for new or updated artifacts in CI YAML files
Overview
This is an action item for !150907 (comment 1881392621).
Since gitlab-org/gitlab is public, any artifacts without the artifacts:access keyword in CI YAML files could be accessed by anyone. So, whenever artifacts are added or updated, it's important to ensure they do not contain sensitive data. If they do, the artifacts:access keyword should be used to determine who can access the job artifacts.
Proposal
Introduce a new workflow that triggers a discussion note when job artifacts are added or updated within a MR. This discussion note should prompt the MR author to verify whether the artifacts should have restricted download access. If so, the author must restrict download access to these job artifacts to only project team members with a Developer+ role.
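As an added example (not GitLab's own code and not part of this issue), the following Ruby sketch shows both halves of the point above: a constructed CI job that publishes artifacts with no artifacts:access keyword next to the same job restricted to developers, and a check in the spirit of the proposed workflow that diffs the old and new CI YAML, finds jobs whose artifacts were added or changed while still downloadable by anyone, and builds the text of the discussion note. The job names and paths are constructed; only the artifacts:access values all, developer and none are the documented ones. It does not resolve include: or default:, so it is a starting point for a Danger-style rule rather than a complete one.

```ruby
require 'yaml'

# Constructed sample: artifacts with no `access` keyword.
# On a public project these can be downloaded by anyone.
UNRESTRICTED_CI = <<~YAML
  coverage-report:
    stage: test
    script:
      - bundle exec rake coverage:report
    artifacts:
      paths:
        - coverage/
YAML

# Constructed sample: the same job with downloads limited to Developer+ members.
RESTRICTED_CI = <<~YAML
  coverage-report:
    stage: test
    script:
      - bundle exec rake coverage:report
    artifacts:
      access: developer
      paths:
        - coverage/
YAML

# Top-level CI keywords that are not jobs and must be skipped.
RESERVED_KEYS = %w[stages default include variables workflow image services cache
                   before_script after_script].freeze

def load_ci(yaml_text)
  # safe_load returns nil/false for an empty document; treat that as no jobs.
  YAML.safe_load(yaml_text) || {}
end

def artifacts_of(config, job_name)
  job = config[job_name]
  job.is_a?(Hash) ? job['artifacts'] : nil
end

# Job names whose artifacts are downloadable by anyone.
# `access` defaults to `all`; only `developer` and `none` restrict downloads.
def unrestricted_artifact_jobs(yaml_text)
  config = load_ci(yaml_text)
  config.filter_map do |name, job|
    next if RESERVED_KEYS.include?(name) || !job.is_a?(Hash)
    artifacts = job['artifacts']
    next unless artifacts.is_a?(Hash)
    name if artifacts.fetch('access', 'all') == 'all'
  end
end

# Jobs whose artifacts block was added or changed in this MR and is still unrestricted.
def artifact_jobs_needing_review(old_yaml, new_yaml)
  old_config = load_ci(old_yaml)
  new_config = load_ci(new_yaml)
  unrestricted_artifact_jobs(new_yaml).select do |name|
    artifacts_of(old_config, name) != artifacts_of(new_config, name)
  end
end

# Text for the discussion note the proposed workflow would post; nil when nothing needs review.
def discussion_note(jobs)
  return nil if jobs.empty?

  lines = ["The following jobs add or change artifacts that anyone can download:"]
  jobs.each { |job| lines << "- #{job}" }
  lines << "If they may contain sensitive data, set `artifacts:access: developer` (or `none`)."
  lines.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  jobs = artifact_jobs_needing_review('', UNRESTRICTED_CI)
  puts(discussion_note(jobs) || 'No unrestricted artifact changes found.')
end
```

Running the file prints the note for the unrestricted sample; replacing the new YAML with RESTRICTED_CI, or leaving the artifacts block unchanged between old and new, produces no note.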