diff options
Diffstat (limited to 'doc/ci/pipelines/merge_request_pipelines.md')
-rw-r--r-- | doc/ci/pipelines/merge_request_pipelines.md | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/doc/ci/pipelines/merge_request_pipelines.md b/doc/ci/pipelines/merge_request_pipelines.md index 7b8a2a16734..37febfd90ee 100644 --- a/doc/ci/pipelines/merge_request_pipelines.md +++ b/doc/ci/pipelines/merge_request_pipelines.md @@ -151,7 +151,11 @@ the parent project. Additionally, if you do not trust the fork project's runner, running the pipeline in the parent project uses the parent project's trusted runners. WARNING: -Fork merge requests can contain malicious code that tries to steal secrets in the parent project when the pipeline runs, even before merge. As a reviewer, carefully check the changes in the merge request before triggering the pipeline. Unless you trigger the pipeline through the API or the [`/rebase` quick action](../../user/project/quick_actions.md#issues-merge-requests-and-epics), GitLab shows a warning that you must accept before the pipeline runs. Otherwise, **no warning displays**. +Fork merge requests can contain malicious code that tries to steal secrets in the parent project +when the pipeline runs, even before merge. As a reviewer, carefully check the changes +in the merge request before triggering the pipeline. Unless you trigger the pipeline +through the API or the [`/rebase` quick action](../../user/project/quick_actions.md#issues-merge-requests-and-epics), +GitLab shows a warning that you must accept before the pipeline runs. Otherwise, **no warning displays**. Prerequisites: @@ -168,12 +172,16 @@ To use the UI to run a pipeline in the parent project for a merge request from a 1. In the merge request, go to the **Pipelines** tab. 1. Select **Run pipeline**. You must read and accept the warning, or the pipeline does not run. -You can disable this feature by using [the projects API](../../api/projects.md#edit-project) -to disable the `ci_allow_fork_pipelines_to_run_in_parent_project` setting (enabled by default). -When you disable this setting, new pipelines from forks in the parent project are prevented. +### Prevent pipelines from fork projects + +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/325189) in GitLab 15.3. + +To prevent users from running new pipelines for fork projects in the parent project +use [the projects API](../../api/projects.md#edit-project) to disable the `ci_allow_fork_pipelines_to_run_in_parent_project` +setting. WARNING: -Older pipelines created before the setting was disabled are not affected and continue to run. +Pipelines created before the setting was disabled are not affected and continue to run. If you rerun a job in an older pipeline, the job uses the same context as when the pipeline was originally created. |