Introduction
One of the more fun things in 2024 is evaluating software for use as part of a CI/CD pipeline. I think that kicking off a CI/CD pipeline should involve some kind of human intervention, in the form of a person with a GPG smartcard or an HSM-powered server (where kicking off a build via the server requires a 2FA login with a hardware token).
The problem
I want to be able to reject unsigned commits from build repositories. Signing git commits on smaller repositories is a no-brainer.
Where gitlab fails
It seems Push rules are a paywalled feature, which costs 30 USD/month/user.
How to do it in gitlab CE
Server-side hooks might be a solution.
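One way to do it, as an added example that is neither from this post nor GitLab's own code: a pre-receive hook in POSIX sh. Git feeds the hook one "oldrev newrev refname" line per pushed ref; the hook lists the new commits with git's %G? signature-status placeholder and rejects the whole push if any commit does not carry a good signature (status G). The install path, the ALLOWED_STATUSES variable, and the check_commit_list / hook_main names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not GitLab's code): reject pushes containing commits whose
# GPG signature git does not report as good.
# Assumption: installed as an executable named "pre-receive" in the
# custom_hooks directory of the bare repository on the GitLab server, and the
# signers' public keys are imported into the keyring of the user git runs as.

# %G? statuses that pass the policy. G = good signature. U = good signature
# from a key of unknown validity (add it if you do not maintain trust levels
# in the server keyring). N (unsigned), B (bad), E (missing key),
# X/Y/R (expired/revoked) are rejected.
ALLOWED_STATUSES="${ALLOWED_STATUSES:-G}"

# Return 0 when the given %G? status is in ALLOWED_STATUSES.
status_allowed() {
    case " $ALLOWED_STATUSES " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "<sha> <status> <subject>" lines on stdin (the shape produced by
# git log --format='%H %G? %s'), report every offending commit on stderr,
# and return 1 if any commit fails the policy.
check_commit_list() {
    bad=0
    while read -r sha status subject; do
        [ -n "$sha" ] || continue
        if ! status_allowed "$status"; then
            echo "REJECTED: commit $sha (status $status) '$subject' has no accepted signature" >&2
            bad=1
        fi
    done
    return $bad
}

# Hook entry point: one "<oldrev> <newrev> <refname>" line per pushed ref.
hook_main() {
    zero=0000000000000000000000000000000000000000
    rc=0
    while read -r oldrev newrev refname; do
        # A ref deletion carries no commits to verify.
        [ "$newrev" = "$zero" ] && continue
        if [ "$oldrev" = "$zero" ]; then
            # Brand-new ref: check every commit not already reachable from
            # an existing ref (the ref itself is not updated yet at this point).
            range="$newrev --not --all"
        else
            range="$oldrev..$newrev"
        fi
        # $range is intentionally unquoted so git sees separate arguments.
        git log --format='%H %G? %s' $range | check_commit_list || rc=1
    done
    [ "$rc" -eq 0 ] || echo "Push rejected: every commit must carry a good GPG signature." >&2
    exit "$rc"
}

# Only run the hook body when git invokes this file as the pre-receive hook,
# so the functions above can be sourced and exercised on their own.
case "$0" in
    */pre-receive|pre-receive) hook_main ;;
esac
```

The signature check runs with whatever gpg keyring the git user on the server has, so the server needs the signers' public keys imported; a commit signed with a key the server has never seen comes back as E and is rejected. Because pre-receive sees the push as a whole, a single unsigned commit fails all refs in that push, which is the behaviour wanted for a build repository.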
Other gitlab problems
https://gitlab.com/gitlab-org/gitlab-foss/-/issues/36829
Signing with YubiKey subkeys still results in an unverified commit, while the same feature works on GitHub.
I am suddenly very motivated to look at alternatives. Gitea might provide a good alternative to GitLab, especially since they finally have a gitea-runner to run CI/CD jobs (https://about.gitea.com/products/runner/). This might be an excellent option for smaller shops; I hope I can cover Gitea in a future article.