Security Model? #25

Closed
DavidGamba opened this issue May 14, 2020 · 4 comments
@DavidGamba

Problem to solve

As a project owner, I want to limit production runner access to protected branches.

Intended users

Repo owners setting up deployment rules

Further details

In GitLab you can tie certain runners to protected branches. This enables us to use runners with production credentials and access levels, separate from the pool of runners available for every other branch.

It provides a security model in which accidental or intentional changes to production are limited to merged code.

Proposal

No proposal, this is a question.

Documentation

Availability & Testing

What does success look like, and how can we measure that?

Other links/references

I asked a similar question in the GitHub Actions community forum:
https://github.community/t5/GitHub-Actions/Limit-self-managed-runners-to-protected-branches/m-p/55943#M9692

@DavidGamba
Author

By the way, @npalm, love the work you do, and I am using your GitLab module. The question is around helping me decide if using Actions would suit our security needs and if you guys have figured out a good solution.

@npalm
Member

npalm commented May 18, 2020

@DavidGamba thanks for creating an issue, I will have a look in the next days.

@npalm npalm self-assigned this May 18, 2020
@npalm
Member

npalm commented Jun 16, 2020

@DavidGamba Thanks for the detailed issue. The GitHub Actions runners are still in active development, it seems. Given that, I really like the event-based approach; you can hook a workflow to any given event in the GitHub ecosystem. But compared to other systems, you could conclude that some nice features are still missing.

I see no option at the moment to limit access to certain branches and protected secrets. I would suggest you create an issue on the action runner repo https://github.com/actions/runner

@npalm
Member

npalm commented Jan 8, 2021

Will close the issue, thanks for raising the question. But the questions are, from my point of view, more questions for GitHub.

@npalm npalm closed this as completed Jan 8, 2021