Gitlab dependency bot cannot push dev image from forked repo
MR: fix image registry push issue by always pushing... (!1 - merged)
Description
The forked repo that renovate-bot creates opens MRs targeting the upstream repos. However, the fork does not have access to the upstream CI/CD variables (GitLab withholds them from forks so that a malicious dependency cannot read and upload secrets). This affects the workspace-tools workflow, since the fork is unable to push dev images to the registry, as seen in Update dependency gitlab-org/gitlab-vscode-exte... (gitlab-org/remote-development/gitlab-workspaces-tools!7 - closed). Dev images are used for testing.
The current workaround is to checkout the branch locally, trigger a local build and use that image for validation.
Proposed fixes:
Ideally we should look at how other GitLab repos are handling this. But we have our own ideas as well:
- stop publishing dev images to the registry; rather, make them pipeline artifacts you can download
- add a CI variable to the renovate fork to allow it to push images
We have decided to push the test images to the renovate repo fork, as we see some GitLab repos using similar patterns; see: gitlab-org/remote-development/gitlab-workspaces-tools#6 (comment 1987617732).
Acceptance Criteria
- Set the image default to the workspace-tools registry, but always source the current image repo in the pipeline from the CI registry variable.
- Update the documentation to highlight this part of the workflow.
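As an added example (not the project's own pipeline config), a `.gitlab-ci.yml` job that implements the first acceptance criterion: the image path defaults to the workspace-tools registry for builds run outside CI, but inside a pipeline the push target always comes from the predefined `CI_REGISTRY_IMAGE` variable, so the same job pushes to the fork's own registry when renovate's MR pipeline runs there. The registry hostname, job name and variable names are assumptions.

```yaml
# Added example, not the project's own .gitlab-ci.yml.
# Problematic form: a hardcoded upstream target, which fails in the renovate
# fork because the fork has no push rights (and no upstream CI/CD variables):
#   DEV_IMAGE: registry.gitlab.com/gitlab-org/remote-development/gitlab-workspaces-tools/dev

variables:
  # Default used when the build runs outside GitLab CI (e.g. a local Makefile
  # invocation). Registry host is assumed for illustration.
  DEV_IMAGE_DEFAULT: "registry.gitlab.com/gitlab-org/remote-development/gitlab-workspaces-tools"

build-dev-image:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  script:
    # CI_REGISTRY_IMAGE is predefined per project, so in the renovate fork it
    # resolves to the fork's registry path rather than the upstream one.
    - export DEV_IMAGE="${CI_REGISTRY_IMAGE:-$DEV_IMAGE_DEFAULT}/dev"
    # CI_REGISTRY_USER / CI_REGISTRY_PASSWORD are job-token credentials that
    # every pipeline gets, unlike project CI/CD variables withheld from forks.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$DEV_IMAGE:$CI_COMMIT_SHORT_SHA" .
    - docker push "$DEV_IMAGE:$CI_COMMIT_SHORT_SHA"
    # Print the final location so reviewers know which registry to pull from.
    - echo "pushed $DEV_IMAGE:$CI_COMMIT_SHORT_SHA"
```

Because the job token only grants push access to the registry of the project the pipeline runs in, the fork's images land in the fork's registry and reviewers pull from there, which is the pattern the issue decided on.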