\u062a\u064f\u0639\u062f\u0651 \u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 GitLab CI\/CD \u0623\u062f\u0648\u0627\u062a \u0642\u0648\u064a\u0629 \u2014 \u0644\u0643\u0646 \u0627\u0644\u0642\u0648\u0629 \u062a\u0623\u062a\u064a \u0645\u0639 \u0627\u0644\u0645\u062e\u0627\u0637\u0631. \u0645\u062a\u063a\u064a\u0651\u0631 \u0648\u0627\u062d\u062f \u062e\u0627\u0637\u0626 \u0627\u0644\u062a\u0643\u0648\u064a\u0646 \u0642\u062f \u064a\u0633\u0631\u0651\u0628 \u0623\u0633\u0631\u0627\u0631\u064b\u0627 \u062d\u0633\u0627\u0633\u0629. \u0645\u064f\u0646\u0641\u0651\u0630 \u063a\u064a\u0631 \u0645\u062d\u062f\u0651\u062f \u0627\u0644\u0646\u0637\u0627\u0642 \u0642\u062f \u064a\u0646\u0641\u0651\u0630 \u0634\u064a\u0641\u0631\u0629 \u062e\u0628\u064a\u062b\u0629. \u0628\u064a\u0626\u0629 \u063a\u064a\u0631 \u0645\u062d\u0645\u064a\u0629 \u0642\u062f \u062a\u0633\u0645\u062d \u0644\u0645\u0637\u0648\u0651\u0631 \u0645\u0628\u062a\u062f\u0626 \u0628\u0627\u0644\u0646\u0634\u0631 \u0645\u0628\u0627\u0634\u0631\u0629 \u0641\u064a \u0627\u0644\u0625\u0646\u062a\u0627\u062c. \u062a\u0645\u0646\u062d\u0643 \u0647\u0630\u0647 \u0627\u0644\u0648\u0631\u0642\u0629 \u0627\u0644\u0645\u0631\u062c\u0639\u064a\u0629 \u0623\u0643\u0648\u0627\u062f YAML \u062c\u0627\u0647\u0632\u0629 \u0644\u0644\u0646\u0633\u062e \u0648\u0627\u0644\u0644\u0635\u0642<\/strong> \u0644\u0643\u0644 \u0636\u0648\u0627\u0628\u0637 \u0627\u0644\u0623\u0645\u0627\u0646 \u0627\u0644\u062d\u0631\u062c\u0629 \u0641\u064a GitLab CI\u060c \u0645\u0646 \u0627\u0644\u0645\u062a\u063a\u064a\u0631\u0627\u062a \u0627\u0644\u0645\u062d\u0645\u064a\u0629 \u0625\u0644\u0649 \u0627\u062a\u062d\u0627\u062f OIDC.<\/p>\n \u0627\u062d\u0641\u0638 \u0647\u0630\u0647 \u0627\u0644\u0635\u0641\u062d\u0629 \u0641\u064a \u0645\u0641\u0636\u0644\u062a\u0643. \u0627\u0633\u062a\u062e\u062f\u0645\u0647\u0627 \u0643\u0645\u0631\u062c\u0639 \u0623\u0633\u0627\u0633\u064a \u0641\u064a \u0643\u0644 \u0645\u0631\u0629 \u062a\u064f\u0647\u064a\u0651\u0626 \u0641\u064a\u0647\u0627 \u0645\u0634\u0631\u0648\u0639\u064b\u0627 \u062c\u062f\u064a\u062f\u064b\u0627 \u0623\u0648 \u062a\u064f\u062f\u0642\u0651\u0642 \u0645\u0634\u0631\u0648\u0639\u064b\u0627 \u0642\u0627\u0626\u0645\u064b\u0627.<\/p>\n \u062a\u062a\u062d\u0643\u0651\u0645 \u0645\u062a\u063a\u064a\u0631\u0627\u062a GitLab CI\/CD \u0641\u064a \u0643\u064a\u0641\u064a\u0629 \u062a\u062f\u0641\u0651\u0642 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0625\u0644\u0649 \u062e\u0637\u0648\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643. \u0627\u0644\u062e\u0637\u0623 \u0641\u064a \u0636\u0628\u0637\u0647\u0627 \u0647\u0648 \u0627\u0644\u0633\u0628\u0628 \u0627\u0644\u0623\u0648\u0644 \u0644\u062a\u0633\u0631\u064a\u0628 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0641\u064a CI\/CD. \u064a\u062c\u0628 \u0623\u0646 \u062a\u0643\u0648\u0646 \u0643\u0644 \u0642\u064a\u0645\u0629 \u062d\u0633\u0627\u0633\u0629 \u0645\u062d\u0645\u064a\u0629<\/strong> (\u0645\u062a\u0627\u062d\u0629 \u0641\u0642\u0637 \u0639\u0644\u0649 \u0627\u0644\u0641\u0631\u0648\u0639\/\u0627\u0644\u0639\u0644\u0627\u0645\u0627\u062a \u0627\u0644\u0645\u062d\u0645\u064a\u0629)\u060c \u0648\u0645\u064f\u0642\u0646\u0651\u0639\u0629<\/strong> (\u0645\u062e\u0641\u064a\u0629 \u0645\u0646 \u0633\u062c\u0644\u0627\u062a \u0627\u0644\u0645\u0647\u0627\u0645)\u060c \u0648\u062d\u064a\u062b \u064a\u0643\u0648\u0646 \u0630\u0644\u0643 \u0645\u062f\u0639\u0648\u0645\u064b\u0627\u060c \u0645\u062e\u0641\u064a\u0629<\/strong> (\u063a\u064a\u0631 \u0645\u0631\u0626\u064a\u0629 \u0641\u064a \u0648\u0627\u062c\u0647\u0629 \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645 \u0628\u0639\u062f \u0627\u0644\u0625\u0646\u0634\u0627\u0621).<\/p>\n \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629:<\/strong><\/p>\n \u062a\u0646\u0641\u0651\u0630 \u0627\u0644\u0645\u064f\u0646\u0641\u0651\u0630\u0627\u062a (Runners) \u0645\u0647\u0627\u0645 CI\/CD \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643. \u0625\u0630\u0627 \u0643\u0627\u0646 \u0623\u064a \u0645\u064f\u0646\u0641\u0651\u0630 \u064a\u0645\u0643\u0646\u0647 \u062a\u0646\u0641\u064a\u0630 \u0623\u064a \u0645\u0647\u0645\u0629\u060c \u0641\u0642\u062f \u064a\u0633\u062a\u063a\u0644\u0651 \u0637\u0644\u0628 \u062f\u0645\u062c \u062e\u0628\u064a\u062b \u0630\u0644\u0643 \u0644\u0633\u0631\u0642\u0629 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0645\u0646 \u0645\u064f\u0646\u0641\u0651\u0630 \u0627\u0644\u0625\u0646\u062a\u0627\u062c. \u062a\u062d\u062f\u064a\u062f \u0627\u0644\u0646\u0637\u0627\u0642 \u0628\u0634\u0643\u0644 \u0635\u062d\u064a\u062d \u0623\u0645\u0631 \u0636\u0631\u0648\u0631\u064a.<\/p>\n \u0623\u0641\u0636\u0644 \u0627\u0644\u0645\u0645\u0627\u0631\u0633\u0627\u062a:<\/strong><\/p>\n \u062a\u0636\u064a\u0641 \u0627\u0644\u0628\u064a\u0626\u0627\u062a \u0627\u0644\u0645\u062d\u0645\u064a\u0629 \u0628\u0648\u0627\u0628\u0629 \u0628\u0634\u0631\u064a\u0629 \u0642\u0628\u0644 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0646\u0634\u0631. \u0647\u0630\u0627 \u0647\u0648 \u062e\u0637 \u062f\u0641\u0627\u0639\u0643 \u0627\u0644\u0623\u062e\u064a\u0631 \u0636\u062f \u0627\u0644\u062a\u063a\u064a\u064a\u0631\u0627\u062a \u063a\u064a\u0631 \u0627\u0644\u0645\u0635\u0631\u0651\u062d \u0628\u0647\u0627 \u0641\u064a \u0627\u0644\u0625\u0646\u062a\u0627\u062c.<\/p>\n \u0642\u0645 \u0628\u062a\u0647\u064a\u0626\u0629 \u0630\u0644\u0643 \u0636\u0645\u0646 Settings > CI\/CD > Protected Environments<\/strong> \u0641\u064a \u0648\u0627\u062c\u0647\u0629 \u0645\u0633\u062a\u062e\u062f\u0645 GitLab. \u0627\u0637\u0644\u0628 \u0645\u0648\u0627\u0641\u0642\u062a\u064a\u0646 \u0639\u0644\u0649 \u0627\u0644\u0623\u0642\u0644<\/strong> \u0644\u0639\u0645\u0644\u064a\u0627\u062a \u0646\u0634\u0631 \u0627\u0644\u0625\u0646\u062a\u0627\u062c. \u0642\u064a\u0651\u062f \u0648\u0635\u0648\u0644 \u0627\u0644\u0646\u0634\u0631 \u0644\u0645\u062c\u0645\u0648\u0639\u0627\u062a \u0623\u0648 \u0645\u0633\u062a\u062e\u062f\u0645\u064a\u0646 \u0645\u062d\u062f\u062f\u064a\u0646 \u2014 \u0644\u0627 \u062a\u0633\u062a\u062e\u062f\u0645 \u0623\u0628\u062f\u064b\u0627 “All maintainers”.<\/p>\n \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629:<\/strong> \u0641\u0639\u0651\u0644 \u062d\u062f\u0651 \u0646\u0637\u0627\u0642 \u0631\u0645\u0632 \u0645\u0647\u0645\u0629 CI\/CD \u0641\u064a \u0643\u0644 \u0645\u0634\u0631\u0648\u0639. \u0623\u0636\u0641 \u0641\u0642\u0637 \u0627\u0644\u0645\u0634\u0627\u0631\u064a\u0639 \u0627\u0644\u0645\u062d\u062f\u062f\u0629 \u0627\u0644\u062a\u064a \u062a\u062d\u062a\u0627\u062c \u0641\u0639\u0644\u064b\u0627 \u0644\u0644\u0648\u0635\u0648\u0644 \u0639\u0628\u0631 \u0627\u0644\u0645\u0634\u0627\u0631\u064a\u0639 \u0625\u0644\u0649 \u0627\u0644\u0642\u0627\u0626\u0645\u0629 \u0627\u0644\u0645\u0633\u0645\u0648\u062d\u0629. \u0631\u0627\u062c\u0639 \u0627\u0644\u0642\u0648\u0627\u0626\u0645 \u0627\u0644\u0645\u0633\u0645\u0648\u062d\u0629 \u0643\u0644 \u062b\u0644\u0627\u062b\u0629 \u0623\u0634\u0647\u0631.<\/p>\n \u064a\u064f\u0644\u063a\u064a \u0627\u062a\u062d\u0627\u062f OIDC \u0627\u0644\u062d\u0627\u062c\u0629 \u0625\u0644\u0649 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u0633\u062d\u0627\u0628\u0629 \u0637\u0648\u064a\u0644\u0629 \u0627\u0644\u0623\u0645\u062f \u0641\u064a \u0645\u062a\u063a\u064a\u0631\u0627\u062a CI\/CD \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643 \u0646\u0647\u0627\u0626\u064a\u064b\u0651\u0627. \u064a\u064f\u0635\u062f\u0631 GitLab \u0631\u0645\u0632 JWT \u0642\u0635\u064a\u0631 \u0627\u0644\u0623\u0645\u062f\u060c \u0648\u064a\u0633\u062a\u0628\u062f\u0644\u0647 \u0645\u0632\u0648\u0651\u062f \u0627\u0644\u0633\u062d\u0627\u0628\u0629 \u0627\u0644\u062e\u0627\u0635 \u0628\u0643 \u0628\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0645\u0624\u0642\u062a\u0629. \u0647\u0630\u0627 \u0647\u0648 \u0627\u0644\u0645\u0639\u064a\u0627\u0631 \u0627\u0644\u0630\u0647\u0628\u064a \u0644\u0645\u0635\u0627\u062f\u0642\u0629 \u0627\u0644\u0633\u062d\u0627\u0628\u0629 \u0641\u064a \u062e\u0637\u0648\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628.<\/p>\n \u0639\u0644\u0649 \u062c\u0627\u0646\u0628 \u0627\u0644\u0633\u062d\u0627\u0628\u0629\u060c \u0642\u0645 \u0628\u062a\u0647\u064a\u0626\u0629 \u0633\u064a\u0627\u0633\u0629 \u0627\u0644\u062b\u0642\u0629 \u0644\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0645\u0637\u0627\u0644\u0628\u0627\u062a \u0645\u062b\u0644 \u062a\u0639\u0645\u0644 \u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 \u0637\u0644\u0628\u0627\u062a \u0627\u0644\u062f\u0645\u062c (Merge Request) \u0639\u0644\u0649 \u0634\u064a\u0641\u0631\u0629 \u0644\u0645 \u062a\u062a\u0645 \u0645\u0631\u0627\u062c\u0639\u062a\u0647\u0627 \u0628\u0639\u062f. \u0639\u0627\u0645\u0644\u0647\u0627 \u0639\u0644\u0649 \u0623\u0646\u0647\u0627 \u063a\u064a\u0631 \u0645\u0648\u062b\u0648\u0642\u0629. \u0644\u0627 \u062a\u0643\u0634\u0641 \u0623\u0628\u062f\u064b\u0627 \u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u0625\u0646\u062a\u0627\u062c \u0644\u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 \u0637\u0644\u0628\u0627\u062a \u0627\u0644\u062f\u0645\u062c.<\/p>\n \u0627\u0644\u0636\u0648\u0627\u0628\u0637 \u0627\u0644\u062d\u0631\u062c\u0629:<\/strong><\/p>\n \u064a\u0644\u062a\u0642\u0637 \u0645\u0627\u0633\u062d \u0643\u0634\u0641 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u0645\u062f\u0645\u062c \u0641\u064a GitLab \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u0645\u064f\u0631\u0633\u0644\u0629 \u0639\u0646 \u0637\u0631\u064a\u0642 \u0627\u0644\u062e\u0637\u0623 \u0642\u0628\u0644 \u0648\u0635\u0648\u0644\u0647\u0627 \u0625\u0644\u0649 \u0627\u0644\u0641\u0631\u0639 \u0627\u0644\u0627\u0641\u062a\u0631\u0627\u0636\u064a.<\/p>\n \u0644\u0645\u0633\u062d \u0623\u0643\u062b\u0631 \u0634\u0645\u0648\u0644\u064b\u0627\u060c \u0623\u0636\u0641 \u0642\u0648\u0627\u0644\u0628 SAST<\/strong> \u0648\u0641\u062d\u0635 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a<\/strong> (dependency scanning) \u0623\u064a\u0636\u064b\u0627:<\/p>\n \u0631\u0627\u062c\u0639 \u0627\u0644\u0646\u062a\u0627\u0626\u062c \u0641\u064a Security Dashboard<\/strong> (\u0627\u0644\u0645\u062a\u0627\u062d \u0639\u0644\u0649 GitLab Ultimate) \u0623\u0648 \u062d\u0644\u0651\u0644 \u0645\u0644\u0641\u0627\u062a JSON \u0627\u0644\u0646\u0627\u062a\u062c\u0629 \u0641\u064a \u0627\u0644\u0645\u0633\u062a\u0648\u064a\u0627\u062a \u0627\u0644\u0623\u062f\u0646\u0649.<\/p>\n \u062a\u0641\u0631\u0636 \u0642\u0648\u0627\u0639\u062f \u0627\u0644\u062f\u0641\u0639 \u0633\u064a\u0627\u0633\u0627\u062a \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 Git \u2014 \u0642\u0628\u0644 \u0623\u0646 \u062a\u062f\u062e\u0644 \u0627\u0644\u0634\u064a\u0641\u0631\u0629 \u062d\u062a\u0649 \u0641\u064a \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628. \u0627\u0633\u062a\u062e\u062f\u0645\u0647\u0627 \u0644\u0645\u0646\u0639 \u062f\u0641\u0639 \u0627\u0644\u0623\u0633\u0631\u0627\u0631\u060c \u0648\u0641\u0631\u0636 \u0645\u0639\u0627\u064a\u064a\u0631 \u0631\u0633\u0627\u0626\u0644 \u0627\u0644\u0625\u064a\u062f\u0627\u0639\u060c \u0648\u062a\u0642\u064a\u064a\u062f \u0623\u0646\u0648\u0627\u0639 \u0627\u0644\u0645\u0644\u0641\u0627\u062a.<\/p>\n \u0642\u0648\u0627\u0639\u062f \u0627\u0644\u062f\u0641\u0639 \u0627\u0644\u0645\u0648\u0635\u0649 \u0628\u0647\u0627:<\/strong><\/p>\n \u062a\u0647\u062f\u0631 \u0627\u0644\u0645\u0647\u0627\u0645 \u0627\u0644\u062e\u0627\u0631\u062c\u0629 \u0639\u0646 \u0627\u0644\u0633\u064a\u0637\u0631\u0629 \u0627\u0644\u0645\u0648\u0627\u0631\u062f \u0648\u064a\u0645\u0643\u0646 \u0627\u0633\u062a\u063a\u0644\u0627\u0644\u0647\u0627 \u0641\u064a \u0627\u0644\u062a\u0639\u062f\u064a\u0646 \u0627\u0644\u062e\u0641\u064a \u0644\u0644\u0639\u0645\u0644\u0627\u062a \u0627\u0644\u0631\u0642\u0645\u064a\u0629. \u0627\u0636\u0628\u0637 \u0645\u0647\u0644\u0627\u062a \u0632\u0645\u0646\u064a\u0629 \u0635\u0631\u064a\u062d\u0629 \u0648\u0639\u0644\u0651\u0645 \u0627\u0644\u0645\u0647\u0627\u0645 \u063a\u064a\u0631 \u0627\u0644\u062d\u0631\u062c\u0629 \u0639\u0644\u0649 \u0623\u0646\u0647\u0627 \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u0645\u0642\u0627\u0637\u0639\u0629 \u062d\u062a\u0649 \u064a\u062a\u0645 \u0625\u0644\u063a\u0627\u0624\u0647\u0627 \u0639\u0646\u062f \u0628\u062f\u0621 \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 \u062c\u062f\u064a\u062f \u0639\u0644\u0649 \u0646\u0641\u0633 \u0627\u0644\u0641\u0631\u0639.<\/p>\n \u0625\u0631\u0634\u0627\u062f\u0627\u062a:<\/strong><\/p>\n1. \u0627\u0644\u0645\u062a\u063a\u064a\u0631\u0627\u062a \u0627\u0644\u0645\u062d\u0645\u064a\u0629\u060c \u0627\u0644\u0645\u064f\u0642\u0646\u0651\u0639\u0629\u060c \u0648\u0627\u0644\u0645\u062e\u0641\u064a\u0629<\/h2>\n
\u0636\u0628\u0637 \u0627\u0644\u0645\u062a\u063a\u064a\u0631\u0627\u062a \u0639\u0628\u0631 \u0648\u0627\u062c\u0647\u0629 \u0628\u0631\u0645\u062c\u0629 \u0627\u0644\u062a\u0637\u0628\u064a\u0642\u0627\u062a (API)<\/h3>\n
# Create a protected + masked variable via the GitLab API\ncurl --request POST \\\n --header \"PRIVATE-TOKEN: $GITLAB_TOKEN\" \\\n \"https:\/\/gitlab.example.com\/api\/v4\/projects\/$PROJECT_ID\/variables\" \\\n --form \"key=AWS_SECRET_ACCESS_KEY\" \\\n --form \"value=$MY_SECRET\" \\\n --form \"protected=true\" \\\n --form \"masked=true\" \\\n --form \"variable_type=env_var\"<\/code><\/pre>\n\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u0645\u062a\u063a\u064a\u0631\u0627\u062a \u0641\u064a
.gitlab-ci.yml<\/code><\/h3>\nvariables:\n # Group or project-level variables are injected automatically.\n # File-type variables are written to a temp path.\n DEPLOY_TOKEN:\n description: \"Token for deploying to production\"\n value: \"\" # Intentionally blank \u2014 set in CI\/CD Settings\n\ndeploy_production:\n stage: deploy\n script:\n - echo \"Deploying with masked token...\"\n - .\/deploy.sh --token \"$DEPLOY_TOKEN\"\n rules:\n - if: $CI_COMMIT_BRANCH == \"main\"\n environment:\n name: production<\/code><\/pre>\n\n
.gitlab-ci.yml<\/code> \u0623\u0628\u062f\u064b\u0627 \u2014 \u0627\u0633\u062a\u062e\u062f\u0645 \u062f\u0627\u0626\u0645\u064b\u0627 \u0625\u0639\u062f\u0627\u062f\u0627\u062a \u0645\u062a\u063a\u064a\u0631\u0627\u062a CI\/CD.<\/li>\nprotected=true<\/code> \u062d\u062a\u0649 \u062a\u0643\u0648\u0646 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0645\u062a\u0627\u062d\u0629 \u0641\u0642\u0637 \u0639\u0644\u0649 \u0627\u0644\u0641\u0631\u0648\u0639 \u0627\u0644\u0645\u062d\u0645\u064a\u0629.<\/li>\nmasked=true<\/code> \u062d\u062a\u0649 \u064a\u062a\u0645 \u0625\u062e\u0641\u0627\u0621 \u0627\u0644\u0642\u064a\u0645 \u0645\u0646 \u0633\u062c\u0644\u0627\u062a \u0627\u0644\u0645\u0647\u0627\u0645.<\/li>\n2. \u0623\u0646\u0648\u0627\u0639 \u0627\u0644\u0645\u064f\u0646\u0641\u0651\u0630\u0627\u062a \u0648\u062a\u062d\u062f\u064a\u062f \u0627\u0644\u0646\u0637\u0627\u0642<\/h2>\n
\u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u0645\u064f\u0646\u0641\u0651\u0630 \u0645\u0639 \u0627\u0644\u0639\u0644\u0627\u0645\u0627\u062a \u0648\u0627\u0644\u062d\u0645\u0627\u064a\u0629<\/h3>\n
# Register a runner scoped to protected branches only\ngitlab-runner register \\\n --non-interactive \\\n --url \"https:\/\/gitlab.example.com\" \\\n --token \"$RUNNER_REG_TOKEN\" \\\n --executor docker \\\n --docker-image alpine:latest \\\n --tag-list \"production,protected\" \\\n --access-level ref_protected<\/code><\/pre>\n\u062a\u062d\u062f\u064a\u062f \u0646\u0637\u0627\u0642 \u0627\u0644\u0645\u0647\u0627\u0645 \u0644\u0645\u064f\u0646\u0641\u0651\u0630\u0627\u062a \u0645\u062d\u062f\u062f\u0629<\/h3>\n
# .gitlab-ci.yml \u2014 ensure production jobs only run on protected runners\ndeploy_production:\n stage: deploy\n tags:\n - production\n - protected\n script:\n - kubectl apply -f k8s\/production\/\n rules:\n - if: $CI_COMMIT_BRANCH == \"main\"\n environment:\n name: production\n\n# Development jobs use a separate, unprivileged runner\ntest:\n stage: test\n tags:\n - shared\n - development\n script:\n - pytest tests\/<\/code><\/pre>\n\n
--access-level ref_protected<\/code> \u0644\u062a\u0642\u064a\u064a\u062f \u0627\u0644\u0645\u064f\u0646\u0641\u0651\u0630\u0627\u062a \u0628\u0627\u0644\u0641\u0631\u0648\u0639 \u0648\u0627\u0644\u0639\u0644\u0627\u0645\u0627\u062a \u0627\u0644\u0645\u062d\u0645\u064a\u0629.<\/li>\n3. \u0627\u0644\u0628\u064a\u0626\u0627\u062a \u0627\u0644\u0645\u062d\u0645\u064a\u0629 \u0645\u0639 \u0627\u0644\u0645\u0648\u0627\u0641\u0642\u0627\u062a<\/h2>\n
\u062a\u0647\u064a\u0626\u0629 \u0627\u0644\u0628\u064a\u0626\u0629 \u0641\u064a
.gitlab-ci.yml<\/code><\/h3>\n# .gitlab-ci.yml \u2014 deployment with environment protection\ndeploy_staging:\n stage: deploy\n script:\n - .\/deploy.sh staging\n environment:\n name: staging\n url: https:\/\/staging.example.com\n rules:\n - if: $CI_COMMIT_BRANCH == \"main\"\n\ndeploy_production:\n stage: deploy\n script:\n - .\/deploy.sh production\n environment:\n name: production\n url: https:\/\/example.com\n deployment_tier: production\n rules:\n - if: $CI_COMMIT_BRANCH == \"main\"\n when: manual\n allow_failure: false<\/code><\/pre>\n\u0625\u0639\u062f\u0627\u062f \u0642\u0648\u0627\u0639\u062f \u0627\u0644\u0645\u0648\u0627\u0641\u0642\u0629 \u0639\u0628\u0631 \u0648\u0627\u062c\u0647\u0629 \u0628\u0631\u0645\u062c\u0629 \u0627\u0644\u062a\u0637\u0628\u064a\u0642\u0627\u062a (API)<\/h3>\n
# Protect the production environment with required approvals\ncurl --request POST \\\n --header \"PRIVATE-TOKEN: $GITLAB_TOKEN\" \\\n \"https:\/\/gitlab.example.com\/api\/v4\/projects\/$PROJECT_ID\/protected_environments\" \\\n --data '{\"name\": \"production\", \"deploy_access_levels\": [{\"group_id\": 9899826}], \"required_approval_count\": 2, \"approval_rules\": [{\"group_id\": 9899826, \"required_approvals\": 2}]}'<\/code><\/pre>\n4. \u062a\u062d\u062f\u064a\u062f \u0646\u0637\u0627\u0642 CI_JOB_TOKEN<\/h2>\n
CI_JOB_TOKEN<\/code> \u0647\u0648 \u0631\u0645\u0632 \u0645\u0645\u064a\u0632 \u062a\u0644\u0642\u0627\u0626\u064a \u064a\u062d\u0642\u0646\u0647 GitLab \u0641\u064a \u0643\u0644 \u0645\u0647\u0645\u0629. \u0627\u0641\u062a\u0631\u0627\u0636\u064a\u064b\u0627\u060c \u064a\u0645\u0643\u0646\u0647 \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0645\u0634\u0627\u0631\u064a\u0639 \u0623\u062e\u0631\u0649 \u0641\u064a \u0645\u062c\u0645\u0648\u0639\u062a\u0643 \u2014 \u0648\u0647\u0630\u0627 \u062e\u0637\u0631 \u062c\u062f\u0651\u064a \u0644\u0644\u062a\u062d\u0631\u0651\u0643 \u0627\u0644\u062c\u0627\u0646\u0628\u064a. \u0645\u0646\u0630 GitLab 16.0\u060c \u064a\u062c\u0628 \u0639\u0644\u064a\u0643 \u062a\u0642\u064a\u064a\u062f \u0646\u0637\u0627\u0642\u0647.<\/p>\n\u062a\u0642\u064a\u064a\u062f \u0648\u0635\u0648\u0644 \u0627\u0644\u0631\u0645\u0632 \u0627\u0644\u0645\u0645\u064a\u0632<\/h3>\n
# Check current CI_JOB_TOKEN access scope\ncurl --header \"PRIVATE-TOKEN: $GITLAB_TOKEN\" \\\n \"https:\/\/gitlab.example.com\/api\/v4\/projects\/$PROJECT_ID\/job_token_scope\"\n\n# Limit CI_JOB_TOKEN to only access specific projects\ncurl --request PATCH \\\n --header \"PRIVATE-TOKEN: $GITLAB_TOKEN\" \\\n \"https:\/\/gitlab.example.com\/api\/v4\/projects\/$PROJECT_ID\/job_token_scope\" \\\n --data '{\"enabled\": true}'\n\n# Add an allowlisted project\ncurl --request POST \\\n --header \"PRIVATE-TOKEN: $GITLAB_TOKEN\" \\\n \"https:\/\/gitlab.example.com\/api\/v4\/projects\/$PROJECT_ID\/job_token_scope\/allowlist\" \\\n --data '{\"target_project_id\": 12345}'<\/code><\/pre>\n\u0627\u0633\u062a\u062e\u062f\u0627\u0645
CI_JOB_TOKEN<\/code> \u0628\u0623\u0645\u0627\u0646 \u0641\u064a \u062e\u0637\u0648\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628<\/h3>\n# .gitlab-ci.yml \u2014 using CI_JOB_TOKEN for cross-project triggers\ntrigger_deploy:\n stage: deploy\n trigger:\n project: my-group\/deploy-project\n branch: main\n strategy: depend\n # CI_JOB_TOKEN is used automatically for the trigger.\n # The target project must allowlist this project's token.<\/code><\/pre>\n5. \u0631\u0645\u0648\u0632 OIDC
id_tokens<\/code> \u0644\u0640 AWS \u0648GCP<\/h2>\n\u0627\u062a\u062d\u0627\u062f OIDC \u0645\u0639 AWS<\/h3>\n
# .gitlab-ci.yml \u2014 OIDC authentication with AWS\ndeploy_aws:\n stage: deploy\n image: amazon\/aws-cli:latest\n id_tokens:\n GITLAB_OIDC_TOKEN:\n aud: https:\/\/gitlab.example.com\n variables:\n ROLE_ARN: arn:aws:iam::123456789012:role\/gitlab-ci-deploy\n script:\n - >\n export $(printf \"AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s\"\n $(aws sts assume-role-with-web-identity\n --role-arn $ROLE_ARN\n --role-session-name \"GitLabCI-${CI_PROJECT_ID}-${CI_PIPELINE_ID}\"\n --web-identity-token \"$GITLAB_OIDC_TOKEN\"\n --duration-seconds 3600\n --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'\n --output text))\n - aws s3 sync .\/build s3:\/\/my-production-bucket\/\n rules:\n - if: $CI_COMMIT_BRANCH == \"main\"\n environment:\n name: production<\/code><\/pre>\n\u0627\u062a\u062d\u0627\u062f \u0647\u0648\u064a\u0629 \u0623\u062d\u0645\u0627\u0644 \u0627\u0644\u0639\u0645\u0644 \u0645\u0639 GCP<\/h3>\n
# .gitlab-ci.yml \u2014 OIDC authentication with GCP\ndeploy_gcp:\n stage: deploy\n image: google\/cloud-sdk:latest\n id_tokens:\n GITLAB_OIDC_TOKEN:\n aud: https:\/\/gitlab.example.com\n script:\n - echo \"$GITLAB_OIDC_TOKEN\" > \/tmp\/gitlab_token.txt\n - >\n gcloud iam workload-identity-pools create-cred-config\n projects\/$GCP_PROJECT_NUMBER\/locations\/global\/workloadIdentityPools\/$POOL_ID\/providers\/$PROVIDER_ID\n --service-account=\"$GCP_SERVICE_ACCOUNT\"\n --output-file=\/tmp\/gcp_creds.json\n --credential-source-file=\/tmp\/gitlab_token.txt\n - export GOOGLE_APPLICATION_CREDENTIALS=\/tmp\/gcp_creds.json\n - gcloud config set project $GCP_PROJECT_ID\n - gcloud run deploy my-service --image gcr.io\/$GCP_PROJECT_ID\/my-app:$CI_COMMIT_SHA\n rules:\n - if: $CI_COMMIT_BRANCH == \"main\"\n environment:\n name: production<\/code><\/pre>\nproject_path<\/code> \u0648ref<\/code> \u0648ref_protected<\/code> \u0628\u062d\u064a\u062b \u064a\u0645\u0643\u0646 \u0641\u0642\u0637 \u0644\u0645\u0634\u0627\u0631\u064a\u0639 \u0648\u0641\u0631\u0648\u0639 \u0645\u062d\u062f\u062f\u0629 \u062a\u0648\u0644\u0651\u064a \u0627\u0644\u062f\u0648\u0631.<\/p>\n6. \u0623\u0645\u0627\u0646 \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 \u0637\u0644\u0628\u0627\u062a \u0627\u0644\u062f\u0645\u062c<\/h2>\n
# .gitlab-ci.yml \u2014 separate rules for MR vs. branch pipelines\ntest:\n stage: test\n script:\n - pytest tests\/\n rules:\n - if: $CI_PIPELINE_SOURCE == \"merge_request_event\"\n - if: $CI_COMMIT_BRANCH == \"main\"\n\ndeploy_production:\n stage: deploy\n script:\n - .\/deploy.sh production\n rules:\n # NEVER run on merge request pipelines\n - if: $CI_PIPELINE_SOURCE == \"merge_request_event\"\n when: never\n - if: $CI_COMMIT_BRANCH == \"main\"\n environment:\n name: production<\/code><\/pre>\n\n
rules:<\/code> \u0644\u0636\u0645\u0627\u0646 \u0639\u062f\u0645 \u062a\u0634\u063a\u064a\u0644 \u0645\u0647\u0627\u0645 \u0627\u0644\u0646\u0634\u0631 \u0623\u0628\u062f\u064b\u0627<\/strong> \u0639\u0644\u0649 \u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 merge_request_event<\/code>.<\/li>\n7. \u0642\u0627\u0644\u0628 \u0643\u0634\u0641 \u0627\u0644\u0623\u0633\u0631\u0627\u0631<\/h2>\n
# .gitlab-ci.yml \u2014 include the secret detection template\ninclude:\n - template: Jobs\/Secret-Detection.gitlab-ci.yml\n\n# Override to make the pipeline fail if secrets are found\nsecret_detection:\n variables:\n SECRET_DETECTION_HISTORIC_SCAN: \"true\" # Scan full git history\n rules:\n - if: $CI_PIPELINE_SOURCE == \"merge_request_event\"\n - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH\n allow_failure: false # Block the pipeline on detection<\/code><\/pre>\ninclude:\n - template: Jobs\/Secret-Detection.gitlab-ci.yml\n - template: Jobs\/SAST.gitlab-ci.yml\n - template: Jobs\/Dependency-Scanning.gitlab-ci.yml<\/code><\/pre>\n8. \u0642\u0648\u0627\u0639\u062f \u0627\u0644\u062f\u0641\u0639 (Push Rules)<\/h2>\n
# Set push rules via the API\ncurl --request PUT \\\n --header \"PRIVATE-TOKEN: $GITLAB_TOKEN\" \\\n \"https:\/\/gitlab.example.com\/api\/v4\/projects\/$PROJECT_ID\/push_rule\" \\\n --data '{\"deny_delete_tag\": true, \"prevent_secrets\": true, \"commit_message_regex\": \"^(feat|fix|chore|docs|refactor|test|ci)\\\\(.*\\\\):.*\", \"max_file_size\": 50, \"member_check\": true, \"reject_unsigned_commits\": true}'<\/code><\/pre>\n\n
prevent_secrets: true<\/code> \u2014 \u064a\u0631\u0641\u0636 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u062f\u0641\u0639 \u0627\u0644\u062a\u064a \u062a\u062d\u062a\u0648\u064a \u0639\u0644\u0649 \u0645\u0644\u0641\u0627\u062a \u062a\u0628\u062f\u0648 \u0643\u0623\u0633\u0631\u0627\u0631 (\u0645\u0641\u0627\u062a\u064a\u062d\u060c \u0631\u0645\u0648\u0632 \u0645\u0645\u064a\u0632\u0629\u060c \u0634\u0647\u0627\u062f\u0627\u062a).<\/li>\nreject_unsigned_commits: true<\/code> \u2014 \u064a\u062a\u0637\u0644\u0628 \u0625\u064a\u062f\u0627\u0639\u0627\u062a \u0645\u0648\u0642\u0651\u0639\u0629 \u0628\u0640 GPG (GitLab Premium \u0648\u0623\u0639\u0644\u0649).<\/li>\ncommit_message_regex<\/code> \u2014 \u064a\u0641\u0631\u0636 \u0631\u0633\u0627\u0626\u0644 \u0625\u064a\u062f\u0627\u0639 \u062a\u0642\u0644\u064a\u062f\u064a\u0629 \u0644\u0645\u0633\u0627\u0631\u0627\u062a \u062a\u062f\u0642\u064a\u0642 \u0646\u0638\u064a\u0641\u0629.<\/li>\nmax_file_size<\/code> \u2014 \u064a\u0645\u0646\u0639 \u0625\u0631\u0633\u0627\u0644 \u0645\u0644\u0641\u0627\u062a \u062b\u0646\u0627\u0626\u064a\u0629 \u0643\u0628\u064a\u0631\u0629 \u0639\u0646 \u0637\u0631\u064a\u0642 \u0627\u0644\u062e\u0637\u0623.<\/li>\nmember_check: true<\/code> \u2014 \u064a\u0631\u0641\u0636 \u0627\u0644\u0625\u064a\u062f\u0627\u0639\u0627\u062a \u0645\u0646 \u063a\u064a\u0631 \u0623\u0639\u0636\u0627\u0621 \u0627\u0644\u0645\u0634\u0631\u0648\u0639.<\/li>\n<\/ul>\n9. \u0645\u0647\u0644\u0629 \u0627\u0644\u0645\u0647\u0627\u0645 \u0648
interruptible<\/code><\/h2>\n# .gitlab-ci.yml \u2014 timeouts and interruptible\ndefault:\n timeout: 30m # Global default timeout for all jobs\n interruptible: true # Cancel running jobs when a new commit is pushed\n retry:\n max: 1\n when:\n - runner_system_failure\n - stuck_or_timeout_failure\n\ntest:\n stage: test\n timeout: 15m\n interruptible: true\n script:\n - pytest tests\/ --timeout=600\n\ndeploy_production:\n stage: deploy\n timeout: 20m\n interruptible: false # NEVER cancel a running production deployment\n script:\n - .\/deploy.sh production\n rules:\n - if: $CI_COMMIT_BRANCH == \"main\"\n when: manual\n environment:\n name: production<\/code><\/pre>\n\n
interruptible: true<\/code> \u0644\u062a\u0648\u0641\u064a\u0631 \u0633\u0639\u0629 \u0627\u0644\u0645\u064f\u0646\u0641\u0651\u0630\u0627\u062a.<\/li>\ninterruptible: false<\/code> \u0644\u0645\u0646\u0639 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0646\u0634\u0631 \u0627\u0644\u062c\u0632\u0626\u064a\u0629.<\/li>\nretry<\/code> \u0644\u0623\u0639\u0637\u0627\u0644 \u0627\u0644\u0628\u0646\u064a\u0629 \u0627\u0644\u062a\u062d\u062a\u064a\u0629 \u0627\u0644\u0645\u0624\u0642\u062a\u0629 \u0641\u0642\u0637 \u2014 \u0644\u064a\u0633 \u0623\u0628\u062f\u064b\u0627 \u0644\u0641\u0634\u0644 \u0627\u0644\u0627\u062e\u062a\u0628\u0627\u0631\u0627\u062a.<\/li>\n<\/ul>\n\u062c\u062f\u0648\u0644 \u0645\u0631\u062c\u0639\u064a \u0633\u0631\u064a\u0639<\/h2>\n