diff --git a/app/assets/javascripts/ci/merge_requests/components/pipelines_table_wrapper.vue b/app/assets/javascripts/ci/merge_requests/components/pipelines_table_wrapper.vue
index e22eb494fa0ef0406fccb990a1261854b0c25fea..2be69de182420b63310d6a0d09e2ff1a372c9055 100644
--- a/app/assets/javascripts/ci/merge_requests/components/pipelines_table_wrapper.vue
+++ b/app/assets/javascripts/ci/merge_requests/components/pipelines_table_wrapper.vue
@@ -265,7 +265,7 @@ export default {
 },
 ),
 userPermissionsDocsPath: helpPagePath('user/permissions.md', {
- anchor: 'gitlab-cicd-permissions',
+ anchor: 'cicd',
 }),
 };
 </script>
diff --git a/app/assets/javascripts/commit/pipelines/legacy_pipelines_table_wrapper.vue b/app/assets/javascripts/commit/pipelines/legacy_pipelines_table_wrapper.vue
index d9c609c3042d47bfe5fdc6bc61276e15710e9fb3..ca304ffa793e861732a821c5724b573647e18e6c 100644
--- a/app/assets/javascripts/commit/pipelines/legacy_pipelines_table_wrapper.vue
+++ b/app/assets/javascripts/commit/pipelines/legacy_pipelines_table_wrapper.vue
@@ -207,7 +207,7 @@ export default {
 anchor: 'prerequisites',
 }),
 userPermissionsDocsPath: helpPagePath('user/permissions.md', {
- anchor: 'gitlab-cicd-permissions',
+ anchor: 'cicd',
 }),
 runPipelinesInTheParentProjectHelpPath: helpPagePath(
 '/ci/pipelines/merge_request_pipelines.html',
diff --git a/doc/ci/debugging.md b/doc/ci/debugging.md
index ef77a93792ffe62d6d0ac3a13f9f84a784fd1c96..a57cf027257041d8122bff9adb93008b40b971db 100644
--- a/doc/ci/debugging.md
+++ b/doc/ci/debugging.md
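Review bot: The new `anchor: 'cicd'` in `userPermissionsDocsPath` is ambiguous as a link target, because this same commit adds two `### CI/CD` headings to doc/user/permissions.md (one in the project permissions, one in the group permissions), so the help link presumably lands on the project-level table only because that heading comes first. The identical literal is repeated in legacy_pipelines_table_wrapper.vue and asserted verbatim in both spec files, so no test would notice the heading being renamed or reordered again. I would add a comment above the line, `// must resolve to the project-level CI/CD table; user/permissions.md has a second "CI/CD" heading for groups`, and consider one shared constant for both components. The enclosing object starts outside the hunk.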
@@ -408,7 +408,7 @@ To resolve this, check that: - The path of the project is in the format `my-group/my-project` and does not include any folders in the repository. - The user running the pipeline is a [member of the projects](../user/project/members/index.md#add-users-to-a-project) - that contain the included files. Users must also have the [permission](../user/permissions.md#job-permissions) + that contain the included files. Users must also have the [permission](../user/permissions.md#cicd) to run CI/CD jobs in the same projects. ### `The parsed YAML is too big` message diff --git a/doc/ci/environments/protected_environments.md b/doc/ci/environments/protected_environments.md index 3cb4e389577215d3aea30976826f692ebaaebbff..94b2d6857105f83de5cedaf1f45e999f8702629c 100644 --- a/doc/ci/environments/protected_environments.md +++ b/doc/ci/environments/protected_environments.md 
@@ -278,6 +278,6 @@ Protected environments can also be used to require manual approvals before deplo ### Reporter can't run a trigger job that deploys to a protected environment in downstream pipeline -A user who has [deployment-only access to protected environments](#deployment-only-access-to-protected-environments) might **not** be able to run a job if it's with a [`trigger`](../yaml/index.md#trigger) keyword. This is because the job is missing the [`environment`](../yaml/index.md#environment) keyword definition to associate the job with the protected environment, therefore the job is recognized as a standard job that uses [regular CI/CD permission model](../../user/permissions.md#gitlab-cicd-permissions). +A user who has [deployment-only access to protected environments](#deployment-only-access-to-protected-environments) might **not** be able to run a job if it's with a [`trigger`](../yaml/index.md#trigger) keyword. This is because the job is missing the [`environment`](../yaml/index.md#environment) keyword definition to associate the job with the protected environment, therefore the job is recognized as a standard job that uses [regular CI/CD permission model](../../user/permissions.md#cicd). See [this issue](https://gitlab.com/groups/gitlab-org/-/epics/8483) for more information about supporting `environment` keyword with `trigger` keyword. diff --git a/doc/ci/git_submodules.md b/doc/ci/git_submodules.md index 041ab6275cde01ef991e412af8dc5af738a95058..3a685423605c9af0e76f721f740256eda7c40904 100644 --- a/doc/ci/git_submodules.md +++ b/doc/ci/git_submodules.md 
@@ -118,7 +118,7 @@ To make submodules work correctly in CI/CD jobs: If you use the [`CI_JOB_TOKEN`](jobs/ci_job_token.md) to clone a submodule in a pipeline job, the user executing the job must be assigned to a role that has -[permission](../user/permissions.md#gitlab-cicd-permissions) to trigger a pipeline +[permission](../user/permissions.md#cicd) to trigger a pipeline in the upstream submodule project. Additionally, [CI/CD job token access](jobs/ci_job_token.md#control-job-token-access-to-your-project) must be properly configured in the upstream submodule project. ## Troubleshooting diff --git a/doc/ci/jobs/ci_job_token.md b/doc/ci/jobs/ci_job_token.md index ea9a304c65c2d7cd8b5532e5023f2ffbb18b9f93..553000e33d21637f0f359b796e0e3f01a2f72b43 100644 --- a/doc/ci/jobs/ci_job_token.md +++ b/doc/ci/jobs/ci_job_token.md @@ -19,7 +19,7 @@ Use a CI/CD job token to authenticate with certain GitLab features from running The token receives the same access level as the user that triggered the pipeline, but has access to fewer resources than a personal access token. A user can cause a job to run with an action like pushing a commit, triggering a manual job, or being the owner of a scheduled pipeline. -This user must have a [role that has the required privileges](../../user/permissions.md#gitlab-cicd-permissions) +This user must have a [role that has the required privileges](../../user/permissions.md#cicd) to access the resources. You can use a job token to authenticate with GitLab to access another group or project's resources (the target project). diff --git a/doc/ci/jobs/job_troubleshooting.md b/doc/ci/jobs/job_troubleshooting.md index d35bca87a218af2c7d6993cb4cd285bbca11cf1e..79f21651fdcc1c77d0f836a30c4a4391ee9c76eb 100644 --- a/doc/ci/jobs/job_troubleshooting.md +++ b/doc/ci/jobs/job_troubleshooting.md 
@@ -55,7 +55,7 @@ depending on factors like the keyword used, or the shell and OS of the runner. You might see pipelines fail when a GitLab administrator runs a protected manual job in a private project. -CI/CD jobs usually clone the project when the job starts, and this uses [the permissions](../../user/permissions.md#job-permissions) +CI/CD jobs usually clone the project when the job starts, and this uses [the permissions](../../user/permissions.md#cicd) of the user that runs the job. All users, including administrators, must be direct members of a private project to clone the source of that project. [An issue exists](https://gitlab.com/gitlab-org/gitlab/-/issues/23130) to change this behavior. diff --git a/doc/ci/pipelines/merge_request_pipelines.md b/doc/ci/pipelines/merge_request_pipelines.md index 5776ea8283f91b0877123fc4c1f5dd26e5d650db..d8bbe83f64e9a25418b3df94299e38277f571e50 100644 --- a/doc/ci/pipelines/merge_request_pipelines.md +++ b/doc/ci/pipelines/merge_request_pipelines.md @@ -118,7 +118,7 @@ Prerequisites: - The parent project's `.gitlab-ci.yml` file must be configured to [run jobs in merge request pipelines](#prerequisites). -- You must be a member of the parent project with [permissions to run CI/CD pipelines](../../user/permissions.md#gitlab-cicd-permissions). +- You must be a member of the parent project with [permissions to run CI/CD pipelines](../../user/permissions.md#cicd). You might need additional permissions if the branch is protected. - The fork project must be [visible](../../user/public_access.md) to the user running the pipeline. Otherwise, the **Pipelines** tab does not display diff --git a/doc/ci/pipelines/settings.md b/doc/ci/pipelines/settings.md index 86609ebe5f3e3a93ad9fcef45f2b77ac2f14898a..68a375aa4c4b06ddc34e205006020f8dd119feff 100644 --- a/doc/ci/pipelines/settings.md +++ b/doc/ci/pipelines/settings.md 
@@ -67,7 +67,7 @@ To change the pipeline visibility for non-project members: - **Everyone With Access**: Non-project members can also view pipelines. 1. Select **Save changes**. -The [CI/CD permissions table](../../user/permissions.md#gitlab-cicd-permissions) +The [CI/CD permissions table](../../user/permissions.md#cicd) lists the pipeline features non-project members can access when **Everyone With Access** is selected. diff --git a/doc/ci/variables/index.md b/doc/ci/variables/index.md index 6c4ea8ee3e84e2fcb98ce5e16523bd7ce180257a..37d8c5d626d03005ddfb3592879307c76166e7a2 100644 --- a/doc/ci/variables/index.md +++ b/doc/ci/variables/index.md @@ -1020,7 +1020,7 @@ if [[ -d "/builds/gitlab-examples/ci-debug-trace/.git" ]]; then #### Access to debug logging -Access to debug logging is restricted to [users with at least the Developer role](../../user/permissions.md#gitlab-cicd-permissions). Users with a lower role cannot see the logs when debug logging is enabled with a variable in: +Access to debug logging is restricted to [users with at least the Developer role](../../user/permissions.md#cicd). Users with a lower role cannot see the logs when debug logging is enabled with a variable in: - The [`.gitlab-ci.yml` file](#define-a-cicd-variable-in-the-gitlab-ciyml-file). - The CI/CD variables set in the GitLab UI. diff --git a/doc/user/permissions.md b/doc/user/permissions.md index 5dea059437d76558bee0ddc80e114b1e4e53f586..30bd7180845e1533e4df7a61c4708149318b3c33 100644 --- a/doc/user/permissions.md +++ b/doc/user/permissions.md 
@@ -92,13 +92,10 @@ The following table lists project permissions available for each role: | [Project operations](../operations/index.md):<br>Manage [Error Tracking](../operations/error_tracking.md) | | | | ✓ | ✓ | | | [Projects](project/index.md):<br>Reposition comments on images (posted by any user) | ✓ | ✓ | ✓ | ✓ | ✓ | Applies only to comments on [Design Management](project/issues/design_management.md) designs. | | [Projects](project/index.md):<br>View [Insights](project/insights/index.md) | ✓ | ✓ | ✓ | ✓ | ✓ | | -| [Projects](project/index.md):<br>View [releases](project/releases/index.md) | ✓ | ✓ | ✓ | ✓ | ✓ | Guest users can access GitLab [**Releases**](project/releases/index.md) for downloading assets but are not allowed to download the source code nor see [repository information like commits and release evidence](project/releases/index.md#view-a-release-and-download-assets). | | [Projects](project/index.md):<br>View [Requirements](project/requirements/index.md) | ✓ | ✓ | ✓ | ✓ | ✓ | | | [Projects](project/index.md):<br>View [time tracking](project/time_tracking.md) reports | ✓ | ✓ | ✓ | ✓ | ✓ | On self-managed GitLab instances, users with the Guest role are able to perform this action only on public and internal projects (not on private projects). [External users](../administration/external_users.md) must be given explicit access (at least the **Reporter** role) even if the project is internal. Users with the Guest role on GitLab.com are only able to perform this action on public projects because internal visibility is not available. 
| | [Projects](project/index.md):<br>Create [snippets](snippets.md) | | ✓ | ✓ | ✓ | ✓ | | | [Projects](project/index.md):<br>View [project traffic statistics](../api/project_statistics.md) | | ✓ | ✓ | ✓ | ✓ | | -| [Projects](project/index.md):<br>Create, edit, delete [releases](project/releases/index.md) | | | ✓ | ✓ | ✓ | If the [tag is protected](project/protected_tags.md), this depends on the access given to Developers and Maintainers. | -| [Projects](project/index.md):<br>Enable [review apps](../ci/review_apps/index.md) | | | ✓ | ✓ | ✓ | | | [Projects](project/index.md):<br>Add [deploy keys](project/deploy_keys/index.md) | | | | ✓ | ✓ | | | [Projects](project/index.md):<br>Manage [Project Operations](../operations/index.md) | | | | ✓ | ✓ | | | [Projects](project/index.md): View [Usage Quotas](usage_quotas.md) page | | | | ✓ | ✓ | | 
@@ -131,6 +128,66 @@ Project permissions for [application security](application_security/secure_your_ | Create or assign [security policy project](application_security/policies/index.md) | | | | | ✓ | | | Manage [security configurations](application_security/configuration/index.md) | | | | | ✓ | | +### CI/CD + +[GitLab CI/CD](../ci/index.md) permissions for some roles can be modified by these settings: + +- [Public pipelines](../ci/pipelines/settings.md#change-which-users-can-view-your-pipelines): + When set to public, gives access to certain CI/CD features to *Guest* project members. +- [Pipeline visibility](../ci/pipelines/settings.md#change-pipeline-visibility-for-non-project-members-in-public-projects): + When set to **Everyone with Access**, gives access to certain CI/CD "view" features to *non-project* members. + +Project Owners can do any listed action, and also can delete pipelines: + +| Action | Non-member | Guest | Reporter | Developer | Maintainer | Notes | +|--------------------------------------------------------------------------------------------------------------------------------|:----------:|:-----:|:--------:|:---------:|:----------:|-------| +| See that artifacts exist | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members and guests: Only if the project is public. | +| View a list of jobs | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members: Only if the project is public and **Public pipelines** is enabled in **Project Settings > CI/CD**.<br>Guests: Only if **Public pipelines** is enabled in **Project Settings > CI/CD**. | +| View and download artifacts | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members: Only if the project is public, **Public pipelines** is enabled in **Project Settings > CI/CD**, and [`artifacts:public: false`](../ci/yaml/index.md#artifactspublic) is not set on the job.<br>Guests: Only if **Public pipelines** is enabled in **Project Settings > CI/CD** and `artifacts:public: false` is not set on the job.<br>Reporters: Only if `artifacts:public: false` is not set on the job. 
| +| View [environments](../ci/environments/index.md) | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members and guests: Only if the project is public. | +| View job logs and job details page | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members: Only if the project is public and **Public pipelines** is enabled in **Project Settings > CI/CD**.<br>Guests: Only if **Public pipelines** is enabled in **Project Settings > CI/CD**. | +| View pipelines and pipeline details pages | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members: Only if the project is public and **Public pipelines** is enabled in **Project Settings > CI/CD**.<br>Guests: Only if **Public pipelines** is enabled in **Project Settings > CI/CD**. | +| View pipelines tab in MR | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members and guests: Only if the project is public. | +| [View vulnerabilities in a pipeline](application_security/vulnerability_report/pipeline.md#view-vulnerabilities-in-a-pipeline) | | ✓ | ✓ | ✓ | ✓ | Guests: Only if **Public pipelines** is enabled in **Project Settings > CI/CD**. | +| Run deployment job for a protected environment | | | ✓ | ✓ | ✓ | Reporters: Only if the user is [part of a group with access to the protected environment](../ci/environments/protected_environments.md#deployment-only-access-to-protected-environments).<br>Developers and maintainers: Only if the user is [allowed to deploy to the protected branch](../ci/environments/protected_environments.md#protecting-environments). | +| View and download project [Secure Files](../api/secure_files.md) | | | | ✓ | ✓ | | +| Retry jobs | | | | ✓ | ✓ | | +| Cancel jobs | | | | ✓ | ✓ | Cancellation permissions can be [restricted in the pipeline settings](../ci/pipelines/settings.md#restrict-roles-that-can-cancel-pipelines-or-jobs). 
| +| Create new [environments](../ci/environments/index.md) | | | | ✓ | ✓ | | +| Enable [review apps](../ci/review_apps/index.md) | | | | ✓ | ✓ | | +| Delete job logs or job artifacts | | | | ✓ | ✓ | Developers: Only if the job was triggered by the user and runs for a non-protected branch. | +| Run CI/CD pipeline | | | | ✓ | ✓ | | +| Run CI/CD job | | | | ✓ | ✓ | | +| Run CI/CD pipeline for a protected branch | | | | ✓ | ✓ | Developers and maintainers: Only if the user is [allowed to merge or push to the protected branch](../ci/pipelines/index.md#pipeline-security-on-protected-branches). | +| Stop [environments](../ci/environments/index.md) | | | | ✓ | ✓ | | +| View a job with [debug logging](../ci/variables/index.md#enable-debug-logging) | | | | ✓ | ✓ | | +| Use pipeline editor | | | | ✓ | ✓ | | +| Run [interactive web terminals](../ci/interactive_web_terminal/index.md) | | | | ✓ | ✓ | | +| Add project runners to project | | | | | ✓ | | +| Clear runner caches manually | | | | | ✓ | | +| Enable instance runners in project | | | | | ✓ | | +| Manage CI/CD settings | | | | | ✓ | | +| Manage job triggers | | | | | ✓ | | +| Manage project CI/CD variables | | | | | ✓ | | +| Manage project [Secure Files](../api/secure_files.md) | | | | | ✓ | | + +This table shows granted privileges for jobs triggered by specific roles. + +Project Owners can do any listed action, but no users can push source and LFS together. +Guest users and members with the Reporter role cannot do any of these actions. + +| Action | Developer | Maintainer | Notes | +|----------------------------------------------|:---------:|:----------:|-------| +| Clone source and LFS from current project | ✓ | ✓ | | +| Clone source and LFS from public projects | ✓ | ✓ | | +| Clone source and LFS from internal projects | ✓ | ✓ | Developers and Maintainers: Only if the triggering user is not an external user. 
| +| Clone source and LFS from private projects | ✓ | ✓ | Only if the triggering user is a member of the project. See also [Usage of private Docker images with `if-not-present` pull policy](https://docs.gitlab.com/runner/security/index.html#usage-of-private-docker-images-with-if-not-present-pull-policy). | +| Pull container images from current project | ✓ | ✓ | | +| Pull container images from public projects | ✓ | ✓ | | +| Pull container images from internal projects | ✓ | ✓ | Developers and Maintainers: Only if the triggering user is not an external user. | +| Pull container images from private projects | ✓ | ✓ | Only if the triggering user is a member of the project. See also [Usage of private Docker images with `if-not-present` pull policy](https://docs.gitlab.com/runner/security/index.html#usage-of-private-docker-images-with-if-not-present-pull-policy). | +| Push container images to current project | ✓ | ✓ | You cannot push container images to other projects. | + ### Compliance Project permissions for [compliance](compliance/index.md) features including compliance center, audit events, compliance frameworks, and licenses. 
@@ -228,6 +285,8 @@ Project permissions for [project features](project/organize_work_with_projects.m |---------------------------------------------------------------------------|:-----:|:--------:|:---------:|:----------:|:-----:|-------| | Download project | ✓ | ✓ | ✓ | ✓ | ✓ | On self-managed GitLab instances, users with the Guest role are able to perform this action only on public and internal projects (not on private projects). [External users](../administration/external_users.md) must be given explicit access (at least the **Reporter** role) even if the project is internal. Users with the Guest role on GitLab.com are only able to perform this action on public projects because internal visibility is not available. | | Leave comments | ✓ | ✓ | ✓ | ✓ | ✓ | | +| View [releases](project/releases/index.md) | | | ✓ | ✓ | ✓ | Guest users can access GitLab [**Releases**](project/releases/index.md) for downloading assets but are not allowed to download the source code nor see [repository information like commits and release evidence](project/releases/index.md#view-a-release-and-download-assets). | +| Manage [releases](project/releases/index.md) | | | | ✓ | ✓ | If the [tag is protected](project/protected_tags.md), this depends on the access given to Developers and Maintainers. | | Configure [webhooks](project/integrations/webhooks.md) | | | | ✓ | ✓ | | | Manage [project access tokens](project/settings/project_access_tokens.md) | | | | ✓ | ✓ | For self-managed GitLab, project access tokens are available in all tiers. For GitLab.com, project access tokens are supported in the Premium and Ultimate tier (excluding [trial licenses](https://about.gitlab.com/free-trial/)). | | [Export project](project/settings/import_export.md) | | | | ✓ | ✓ | | 
@@ -286,68 +345,6 @@ Project permissions for [user management](project/members/index.md). | Share (invite) projects with groups | | | | ✓ | ✓ | When [Share Group Lock](group/access_and_permissions.md#prevent-a-project-from-being-shared-with-groups) is enabled the project can't be shared with other groups. It does not affect group with group sharing. | | View 2FA status of members | | | | ✓ | ✓ | | -### GitLab CI/CD permissions - -[GitLab CI/CD](../ci/index.md) permissions for some roles can be modified by these settings: - -- [Public pipelines](../ci/pipelines/settings.md#change-which-users-can-view-your-pipelines): - When set to public, gives access to certain CI/CD features to *Guest* project members. -- [Pipeline visibility](../ci/pipelines/settings.md#change-pipeline-visibility-for-non-project-members-in-public-projects): - When set to **Everyone with Access**, gives access to certain CI/CD "view" features to *non-project* members. - -Project Owners can do any listed action, and also can delete pipelines: - -| Action | Non-member | Guest | Reporter | Developer | Maintainer | Notes | -|--------------------------------------------------------------------------------------------------------------------------------|:----------:|:-----:|:--------:|:---------:|:----------:|-------| -| See that artifacts exist | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members and guests: Only if the project is public. | -| View a list of jobs | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members: Only if the project is public and **Public pipelines** is enabled in **Project Settings > CI/CD**.<br>Guests: Only if **Public pipelines** is enabled in **Project Settings > CI/CD**. 
| -| View and download artifacts | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members: Only if the project is public, **Public pipelines** is enabled in **Project Settings > CI/CD**, and [`artifacts:public: false`](../ci/yaml/index.md#artifactspublic) is not set on the job.<br>Guests: Only if **Public pipelines** is enabled in **Project Settings > CI/CD** and `artifacts:public: false` is not set on the job.<br>Reporters: Only if `artifacts:public: false` is not set on the job. | -| View [environments](../ci/environments/index.md) | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members and guests: Only if the project is public. | -| View job logs and job details page | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members: Only if the project is public and **Public pipelines** is enabled in **Project Settings > CI/CD**.<br>Guests: Only if **Public pipelines** is enabled in **Project Settings > CI/CD**. | -| View pipelines and pipeline details pages | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members: Only if the project is public and **Public pipelines** is enabled in **Project Settings > CI/CD**.<br>Guests: Only if **Public pipelines** is enabled in **Project Settings > CI/CD**. | -| View pipelines tab in MR | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members and guests: Only if the project is public. | -| [View vulnerabilities in a pipeline](application_security/vulnerability_report/pipeline.md#view-vulnerabilities-in-a-pipeline) | | ✓ | ✓ | ✓ | ✓ | Guests: Only if **Public pipelines** is enabled in **Project Settings > CI/CD**. | -| Run deployment job for a protected environment | | | ✓ | ✓ | ✓ | Reporters: Only if the user is [part of a group with access to the protected environment](../ci/environments/protected_environments.md#deployment-only-access-to-protected-environments).<br>Developers and maintainers: Only if the user is [allowed to deploy to the protected branch](../ci/environments/protected_environments.md#protecting-environments). 
| -| View and download project [Secure Files](../api/secure_files.md) | | | | ✓ | ✓ | | -| Retry jobs | | | | ✓ | ✓ | | -| Cancel jobs | | | | ✓ | ✓ | Cancellation permissions can be [restricted in the pipeline settings](../ci/pipelines/settings.md#restrict-roles-that-can-cancel-pipelines-or-jobs). | -| Create new [environments](../ci/environments/index.md) | | | | ✓ | ✓ | | -| Delete job logs or job artifacts | | | | ✓ | ✓ | Developers: Only if the job was triggered by the user and runs for a non-protected branch. | -| Run CI/CD pipeline | | | | ✓ | ✓ | | -| Run CI/CD job | | | | ✓ | ✓ | | -| Run CI/CD pipeline for a protected branch | | | | ✓ | ✓ | Developers and maintainers: Only if the user is [allowed to merge or push to the protected branch](../ci/pipelines/index.md#pipeline-security-on-protected-branches). | -| Stop [environments](../ci/environments/index.md) | | | | ✓ | ✓ | | -| View a job with [debug logging](../ci/variables/index.md#enable-debug-logging) | | | | ✓ | ✓ | | -| Use pipeline editor | | | | ✓ | ✓ | | -| Run [interactive web terminals](../ci/interactive_web_terminal/index.md) | | | | ✓ | ✓ | | -| Add project runners to project | | | | | ✓ | | -| Clear runner caches manually | | | | | ✓ | | -| Enable instance runners in project | | | | | ✓ | | -| Manage CI/CD settings | | | | | ✓ | | -| Manage job triggers | | | | | ✓ | | -| Manage project CI/CD variables | | | | | ✓ | | -| Manage project [Secure Files](../api/secure_files.md) | | | | | ✓ | | -| Use [environment terminals](../ci/environments/index.md#web-terminals-deprecated) | | | | | ✓ | | - -#### Job permissions - -This table shows granted privileges for jobs triggered by specific roles. - -Project Owners can do any listed action, but no users can push source and LFS together. -Guest users and members with the Reporter role cannot do any of these actions. 
- -| Action | Developer | Maintainer | Notes | -|----------------------------------------------|:---------:|:----------:|-------| -| Clone source and LFS from current project | ✓ | ✓ | | -| Clone source and LFS from public projects | ✓ | ✓ | | -| Clone source and LFS from internal projects | ✓ | ✓ | Developers and Maintainers: Only if the triggering user is not an external user. | -| Clone source and LFS from private projects | ✓ | ✓ | Only if the triggering user is a member of the project. See also [Usage of private Docker images with `if-not-present` pull policy](https://docs.gitlab.com/runner/security/index.html#usage-of-private-docker-images-with-if-not-present-pull-policy). | -| Pull container images from current project | ✓ | ✓ | | -| Pull container images from public projects | ✓ | ✓ | | -| Pull container images from internal projects | ✓ | ✓ | Developers and Maintainers: Only if the triggering user is not an external user. | -| Pull container images from private projects | ✓ | ✓ | Only if the triggering user is a member of the project. See also [Usage of private Docker images with `if-not-present` pull policy](https://docs.gitlab.com/runner/security/index.html#usage-of-private-docker-images-with-if-not-present-pull-policy). | -| Push container images to current project | ✓ | ✓ | You cannot push container images to other projects. | - ### GitLab Duo Project permissions for [GitLab Duo](gitlab_duo/index.md): 
@@ -378,10 +375,6 @@ The following table lists group permissions available for each role: | View metrics dashboard annotations | | ✓ | ✓ | ✓ | ✓ | | | Create/edit/delete metrics dashboard annotations | | | ✓ | ✓ | ✓ | | | View group audit events | | | ✓ | ✓ | ✓ | Developers and Maintainers can only view events based on their individual actions. | -| View group runners | | | | ✓ | ✓ | | -| View/manage group-level Kubernetes cluster | | | | ✓ | ✓ | | -| Manage group level CI/CD variables | | | | | ✓ | | -| Manage group runners | | | | | ✓ | | | Map or unmap workspace cluster agents to and from a group | | | | | ✓ | | | View workspace cluster agents mapped to a group | | | | ✓ | ✓ | | @@ -396,6 +389,18 @@ Group permissions for [Application Security](application_security/secure_your_ap | View [security dashboard](application_security/security_dashboard/index.md) | | | ✓ | ✓ | ✓ | | | Create or assign [security policy project](application_security/policies/index.md) | | | | | ✓ | | +### CI/CD + +Group permissions for [CI/CD](../ci/index.md): + +| Action | Guest | Reporter | Developer | Maintainer | Owner | Notes | +|---------------------------------------|:-----:|:--------:|:---------:|:----------:|:-----:|-------| +| Manage group-level Kubernetes cluster | | | | ✓ | ✓ | | +| View group runners | | | | ✓ | ✓ | | +| Manage group runners | | | | | ✓ | | +| Manage group level CI/CD variables | | | | | ✓ | | +| Manage group protected environments | | | | | ✓ | | + ### Compliance Groups permissions for [compliance](compliance/index.md) features including compliance center, audit events, compliance frameworks, and licenses. diff --git a/spec/frontend/ci/merge_requests/components/pipelines_table_wrapper_spec.js b/spec/frontend/ci/merge_requests/components/pipelines_table_wrapper_spec.js index 147a9b554829b74f3c5d2666f001138122e2cc0a..f7e036adb3f811438a629b4804581c8096c5ab27 100644 --- a/spec/frontend/ci/merge_requests/components/pipelines_table_wrapper_spec.js 
+++ b/spec/frontend/ci/merge_requests/components/pipelines_table_wrapper_spec.js @@ -171,7 +171,7 @@ describe('PipelinesTableWrapper component', () => { '/help/ci/pipelines/merge_request_pipelines.md#prerequisites', ); expect(findUserPermissionsDocsLink().attributes('href')).toBe( - '/help/user/permissions.md#gitlab-cicd-permissions', + '/help/user/permissions.md#cicd', ); expect(findEmptyState().text()).toContain('To run a merge request pipeline'); diff --git a/spec/frontend/commit/pipelines/legacy_pipelines_table_wrapper_spec.js b/spec/frontend/commit/pipelines/legacy_pipelines_table_wrapper_spec.js index 0393254c7c1d95ea6912ad0244905bf591ae6029..f50ae43349ec115de3885f8ab7ac94b0c66a2612 100644 --- a/spec/frontend/commit/pipelines/legacy_pipelines_table_wrapper_spec.js +++ b/spec/frontend/commit/pipelines/legacy_pipelines_table_wrapper_spec.js @@ -93,7 +93,7 @@ describe('Pipelines table in Commits and Merge requests', () => { '/help/ci/pipelines/merge_request_pipelines.md#prerequisites', ); expect(findUserPermissionsDocsLink().attributes('href')).toBe( - '/help/user/permissions.md#gitlab-cicd-permissions', + '/help/user/permissions.md#cicd', ); expect(findEmptyState().text()).toContain( 'To run a merge request pipeline, the jobs in the CI/CD configuration file must be configured to run in merge request pipelines ' +