Introduction

By default, GitLab does not run CI/CD pipelines for merge requests from forks to prevent malicious code from accessing protected variables and secrets. This security feature means that external contributors submitting merge requests from forks will not see pipeline results, making it difficult to verify their changes pass tests before review.

Symptoms

  • Merge request from a fork shows Pipeline: not created or pending approval
  • External contributor's MR has no test results or build status
  • Maintainer receives notification that fork pipeline requires approval
  • CI/CD variables marked as protected are not available in fork pipelines
  • Error message: Pipeline blocked - this pipeline is for a fork and requires approval

Common Causes

  • Default GitLab security setting blocking fork pipelines
  • Pipeline requires protected CI/CD variables that are not exposed to fork MRs
  • Fork project does not have CI/CD configured
  • Merge request from external user (not a project member)
  • Pipeline approval workflow requiring maintainer authorization

Step-by-Step Fix

  1. 1.Check the pipeline approval status: See if the pipeline is waiting for approval.
  2. 2.`
  3. 3.# GitLab UI: Merge Request > CI/CD tab
  4. 4.# Look for "Pipeline blocked" or "Requires approval"
  5. 5.# Maintainers can click "Run pipeline" to approve
  6. 6.`
  7. 7.Approve the fork pipeline as a maintainer: Authorize the pipeline to run.
  8. 8.`
  9. 9.# GitLab UI: Merge Request > CI/CD > Run pipeline
  10. 10.# Or enable auto-approval for trusted contributors
  11. 11.`
  12. 12.Configure pipeline to run for fork MRs with limited permissions: Adjust security settings.
  13. 13.`
  14. 14.# GitLab UI: Settings > CI/CD > Merge request pipelines
  15. 15.# Set "Merge request pipelines for forks" to "Enabled"
  16. 16.# This runs pipelines without protected variables
  17. 17.`
  18. 18.Use non-protected variables for fork-compatible pipeline stages: Make pipelines work without secrets.
  19. 19.```yaml
  20. 20.# .gitlab-ci.yml
  21. 21.test:
  22. 22.stage: test
  23. 23.script:
  24. 24.- npm test # Does not require protected variables
  25. 25.# Runs on fork MRs automatically

deploy: stage: deploy script: - deploy.sh environment: production # Uses protected variables, won't run on forks rules: - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_PROJECT_PATH == $CI_PROJECT_PATH' ```

  1. 1.Verify the pipeline runs successfully after approval: Check results.
  2. 2.`
  3. 3.# GitLab UI: Merge Request > CI/CD tab
  4. 4.# Verify all jobs pass
  5. 5.# Check that tests ran against the fork's code
  6. 6.`

Prevention

  • Enable merge request pipelines for forks in project settings for open-source projects
  • Use branch-level CI/CD variable protection to expose non-sensitive variables to forks
  • Document the fork pipeline approval process in the contributing guide
  • Implement pipeline stages that do not require protected variables for fork testing
  • Set up auto-approval for pipelines from trusted fork repositories
  • Monitor fork pipeline approval requests and respond promptly to contributors