Allow to create fork MR pipelines in parent project
What does this MR do?
This MR allows non-project members to create pipelines when it's fulfilling the following condition:
- The pipeline is Pipeline for Merge Requests
- The target project enables the project option - "Allow fork pipelines to run in parent"
Related: #11934 (closed)
Resource restriction
Currently, pipelines have a full permission to access any resources in the same project. This means external users also have the same permission once they can create pipelines on the parent project.
In order to prevent from leaking parent's secrets accidentally, we ship a proper permission model on the resource control. See
Feature Flag
This feature is built behind allow_fork_pipelines_in_parent
feature flag and it's disabled by default.
Screenshots
Does this MR meet the acceptance criteria?
Conformity
-
Changelog entry -
Documentation (if required) -
Code review guidelines -
Merge request performance guidelines -
Style guides -
Database guides -
Separation of EE specific content
Availability and Testing
-
Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process. -
Tested in all supported browsers
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
-
Label as security and @ mention @gitlab-com/gl-security/appsec
-
The MR includes necessary changes to maintain consistency between UI, API, email, or other methods -
Security reports checked/validated by a reviewer from the AppSec team
Edited by Shinya Maeda