The CI/CD system at ucsc-ci.com should allow developers to push to it directly, but only trusted developers.
Currently this is not implemented. Developers can authenticate in two ways:
git over ssh
git over https
git over ssh: ucsc-ci.com does not allow direct pushing via git over SSH (authentication via public SSH key) because port 22 of ucsc-ci.com is closed to the outside.
git over https: Normally you can push via https (authentication can be done via an access token in the URL). But this doesn't protect any branches, so malicious actors could modify scripts or add commands that do bad things.
git over https with push protection: The GitLab repo provides an option to only allow pushes from users with GitLab accounts on ucsc-ci.com, but this breaks authentication with access tokens over https. When pushing over https with an access token, the action is not performed by the developer's normal GitLab user account; it is a different account.
We need to figure out a way to allow trusted users to push to the data store repo on ucsc-ci.com.
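The gap described above (https pushes reach the repo without any branch protection) can be enforced on the server side, independent of which transport the developer used. The following is an added example, not part of the issue text and not ucsc-ci.com's actual configuration: a GitLab server-side pre-receive hook that refuses updates to protected refs unless the pushing account is on an allowlist. GitLab exports GL_USERNAME to server hooks and shows lines prefixed with GL-HOOK-ERR: back to the pusher; the allowlist, the protected ref list and the usernames are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the issue): GitLab pre-receive hook that only lets
# allowlisted accounts update protected refs. GitLab sets GL_USERNAME to the
# account performing the push before invoking server hooks.
# The allowlist and protected refs below are constructed sample values.

TRUSTED_USERS="alice bob"          # constructed allowlist of trusted GitLab usernames
PROTECTED_REFS="refs/heads/main"   # constructed list of refs only trusted users may update

# check_push reads "old_sha new_sha refname" lines on stdin (the pre-receive
# protocol) and returns 1 if any protected ref is updated by an untrusted or
# unknown account, 0 otherwise. Rejecting makes git refuse the whole push.
check_push() {
  user="${GL_USERNAME:-}"
  status=0
  while read -r old new ref; do
    [ -z "$ref" ] && continue
    for p in $PROTECTED_REFS; do
      if [ "$ref" = "$p" ]; then
        trusted=0
        for u in $TRUSTED_USERS; do
          [ "$user" = "$u" ] && trusted=1
        done
        if [ "$trusted" -eq 0 ]; then
          # GL-HOOK-ERR: lines are relayed to the client by GitLab.
          echo "GL-HOOK-ERR: $ref may only be updated by trusted users (pusher: '${user:-<none>}')" >&2
          status=1
        fi
      fi
    done
  done
  return $status
}

# When installed as the pre-receive hook, run the check on the real input.
if [ "${0##*/}" = "pre-receive" ]; then
  check_push
  exit $?
fi
```

Because the hook keys on the account GitLab reports, it has the same caveat the issue raises for https pushes with an access token: the allowlist must contain whatever username GitLab attributes those pushes to, not only the developer's normal account, or trusted developers pushing with a token will be rejected along with everyone else.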