So, we’ve been trying out Drone (v0.8.9) for the past few months, and are at a point where we need to figure out how to lock down
.drone.yaml changes to only specific users. I know that the Drone CLI has some ability to sign pipelines, but we need to make sure that not just anyone can generate a signature.
Ideally, we want anyone in our organization to be able to view Drone build results, but only a select few to be able to generate signatures. Is this possible?
Also, FWIW, the combination of a “protected” Drone repo and a signed pipeline wasn’t working for me in 1.0.0-rc.1—the build would remain “pending” until I manually approved it through the CLI. Is this still the case? Has this been fixed? We’re still waiting on the 1.0 source code before we can actually deploy it, but yeah.