GitLabCI does not allow MRs from forks opened by non-members to run in the parent project

Created on 17 May 2023, almost 2 years ago
Updated 22 September 2023, over 1 year ago

Problem/Motivation

In DrupalCI today, we trigger testing when a user uploads a patch, opens an MR, or hits the manual add-test button.

In GitLabCI, we have configured a template with the following workflow rules to trigger testing:

workflow:
  rules:
    # These 3 rules from https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Workflows/MergeRequest-Pipelines.gitlab-ci.yml
    # Run on merge requests
    - if: $CI_MERGE_REQUEST_IID
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
    # Run on tags
    - if: $CI_COMMIT_TAG
    # Run when called from an upstream pipeline https://docs.gitlab.com/ee/ci/pipelines/downstream_pipelines.html?tab=Multi-project+pipeline#use-rules-to-control-downstream-pipeline-jobs
    - if: $CI_PIPELINE_SOURCE == 'pipeline'
    - if: $CI_PIPELINE_SOURCE == 'parent-child'
    # Run on commits to the default branch
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    # The last rule above blocks manual and scheduled pipelines on non-default branch. The rule below allows them:
    - if: $CI_PIPELINE_SOURCE == "schedule"
    # Run if triggered from Web using 'Run Pipelines'
    - if: $CI_PIPELINE_SOURCE == "web"
    # Run if triggered from WebIDE
    - if: $CI_PIPELINE_SOURCE == "webide"

However, GitLab CI places limits on automated pipeline runs based on the permissions of the user running the pipeline:

https://git.drupalcode.org/help/ci/pipelines/merge_request_pipelines.md#...

Specifically:

Project members in the parent project can trigger a merge request pipeline for a merge request submitted from a fork project. This pipeline:

  • Is created and runs in the parent (target) project, not the fork (source) project.
  • Uses the CI/CD configuration present in the fork project's branch.
  • Uses the parent project's CI/CD settings, resources, and project CI/CD variables.
  • Uses the permissions of the parent project member that triggers the pipeline.

Because our collaboration model has collaborators working on a fork without granting them any permissions on the parent project, the pipeline will not run for an MR opened by a user who is not a project member with sufficient permissions, even though the workflow rules above include a trigger for open MRs.

The only ways for an MR opened by a non-member to run are:

  • To run the pipeline in the fork itself, where the non-member of the parent project does have permissions.
  • For a project member to 'run pipeline' on the merge request manually.
  • (Maybe) For a bot user added as a project member to run the pipeline based on a webhook event.
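To make the interaction concrete, here is a small Python model (added here, not code from the issue or from GitLab) of the two gates an MR pipeline must pass: it evaluates the workflow rules above against constructed CI variable sets, then applies the fork-MR membership check. The rule semantics are simplified to `==` comparisons and bare-variable tests, and all variable values are constructed.

```python
# The `if:` expressions from the workflow template quoted in this issue.
WORKFLOW_RULES = [
    "$CI_MERGE_REQUEST_IID",
    "$CI_PIPELINE_SOURCE == 'merge_request_event'",
    "$CI_COMMIT_TAG",
    "$CI_PIPELINE_SOURCE == 'pipeline'",
    "$CI_PIPELINE_SOURCE == 'parent-child'",
    "$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH",
    '$CI_PIPELINE_SOURCE == "schedule"',
    '$CI_PIPELINE_SOURCE == "web"',
    '$CI_PIPELINE_SOURCE == "webide"',
]

def _operand(text, variables):
    """Resolve one side of a rule: `$NAME` -> variable value (None if
    unset), otherwise the contents of a single- or double-quoted literal."""
    text = text.strip()
    if text.startswith("$"):
        return variables.get(text[1:])
    return text[1:-1]

def rule_matches(expr, variables):
    """Simplified GitLab rule semantics: `a == b` compares both sides;
    a bare `$VAR` matches when the variable is set and non-empty."""
    if "==" in expr:
        left, right = expr.split("==", 1)
        return _operand(left, variables) == _operand(right, variables)
    return bool(_operand(expr, variables))

def matching_rule(variables):
    """First workflow rule that matches, or None (no pipeline is created)."""
    return next((r for r in WORKFLOW_RULES if rule_matches(r, variables)), None)

def runs_in_parent(variables, from_fork, user_is_member):
    """A pipeline is created in the parent project only if a workflow rule
    matches AND, for an MR from a fork, the triggering user is a member of
    the parent project (the restriction this issue describes)."""
    if matching_rule(variables) is None:
        return False
    return not from_fork or user_is_member

# Constructed variable sets for the reproduction scenarios in this issue.
MR_FROM_FORK = {"CI_PIPELINE_SOURCE": "merge_request_event",
                "CI_MERGE_REQUEST_IID": "42", "CI_DEFAULT_BRANCH": "main"}
PUSH_TO_TOPIC = {"CI_PIPELINE_SOURCE": "push", "CI_COMMIT_BRANCH": "topic",
                 "CI_DEFAULT_BRANCH": "main"}
```

For the fork MR the first rule already matches, so the missing pipeline is entirely down to the membership gate, which is why changing the `rules:` alone cannot fix it.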

Steps to reproduce

To show that the current configuration is using the merge request trigger correctly:

  • As a project member:
    • open a fork
    • make changes
    • and submit an MR back to the project

The pipelines should run in the parent correctly

To show that the current configuration does not allow non-members to trigger pipelines:

  • As a non-member of the project:
    • open a fork
    • make changes
    • and submit an MR back to the project

Note that the MR is open but pipelines have not run.

Proposed resolution

Pending some more testing to validate the problem, the options will be:

Remaining tasks

  • Run the test scenarios
  • Check additional keyword options including triggers, and the 'downstream' and 'upstream' workflow rules, in case they can work around this.
  • Evaluate security tradeoffs of either resolution
  • Decide on one of the proposed resolutions
  • Implement

Issue type: Bug report

Status: Fixed

Version: 3.0

Component: GitLab integration

Created by: hestenet (Portland, OR, United States)
