Restrict a file to being edited in gitlab (.gitlab-ci.yml)

Question

as you know We have a file for gitlab ci configuration named '.gitlab-ci.yml'

and this file shouldn't be edited by any developers so I decided to avoid developers to edit it.

the thing is gitlab said you can lock file to being edited but the prerequirement of this action is to have a premium account.

what can I do when I haven't premium account?

do you have any idea to lock a file to being edited?

Answer 1

Check if you have access to a Push Rule feature, which is a kind of pre-receive hook.

Or you can set a pre-receive hook if your GitLab server is on-premise.

In both cases, you can list the files being pushed in that hook, and fails if one of them is .gitlab-ci.yml.

Answer 2

As of today, the official way (~workaround~) for this seems to be creating a different repository for the .yml file with more restrict permissions and then referencing that .yml file from your project:

A .gitlab-ci.yml may contain rules to deploy an application to the production server. This deployment usually runs automatically after pushing a merge request. To prevent developers from changing the .gitlab-ci.yml, you can define it in a different repository. The configuration can reference a file in another project with a completely different set of permissions (similar to separating a project for deployments). In this scenario, the .gitlab-ci.yml is publicly accessible, but can only be edited by users with appropriate permissions in the other project.

https://docs.gitlab.com/ee/ci/environments/deployment_safety.html#protect-gitlab-ciyml-from-change

Also, there is a discussion on this matter here:

https://gitlab.com/gitlab-org/gitlab/-/issues/15632