• AggressivelyPassive
    link
    fedilink
    41 year ago

    The setup could make sense, if there’s a separate repo that’s pull only. Our ops guys pull our ArgoCD repo, so we can do the actually work, but they control what’s deployed on production.

    However, this seems not to be the case here.

      • AggressivelyPassive
        link
        fedilink
        41 year ago

        Yes, but Gitlab doesn’t allow for easy access rules.

        Basically, OPS wants full control of the repo, since they are the ones being blamed if something goes wrong. There’s no way to enforce, that only a certain set of users can make changes to a branch - all such restrictions can be circumvented rather easily. So the solution is a shadow copy of the repo that only gets updated on release and Argo only deploys a specific tag (i.e. release).

        We’re not talking about just some enterprise microservice, but stuff in the public administration/government sphere. The tradeoffs are a bit different there.

        • @[email protected]
          link
          fedilink
          51 year ago

          I didn’t know that GitLab doesn’t allow that! We use BitBucket and there it’s extremely easy to put branch restrictions so that only certain Usergroups are allowed to merge into the release-branches

          • AggressivelyPassive
            link
            fedilink
            41 year ago

            Bitbucket also doesn’t enforce these rules properly. You can simply change the rules, merge, then change back.

            The only way around that is to restrict every developer account into oblivion and only have an ops guy as repo admin, but I think most ops teams have better things to do.

              • AggressivelyPassive
                link
                fedilink
                41 year ago

                That very much depends on your workflow and team setup. Repo admin for me means “can alter who and how branches can be merged”. That’s usually a job for lead devs.