Update: As of 2021-05-24, GitLab will require trial users created on or after 2021-05-17 to provide a valid credit or debit card number in order to use CI jobs hosted at GitLab. Prospects that are unable or unwilling to provide a card can reach out to sales for assistance.

Recently, there has been a massive uptick in abuse of free pipeline minutes available on GitLab.com and on other CI/CD providers to mine cryptocurrencies. In addition to the cost increases, the abuse creates intermittent performance issues for GitLab.com users and requires our teams to work 24/7 to maintain optimal services for our customers and users. To discourage and reduce abuse, starting May 17, 2021, GitLab will require new free users to provide a valid credit or debit card number in order to use shared runners on GitLab.com. A user will be able to run pipelines without providing a credit or debit card if they use their own runner and disable shared runners. Although imperfect, we believe this solution will reduce the abuse.

We plan to roll out this change gradually and increase the scope if needed as follows:

This change does not currently impact any of the following users:

When you provide the card, it will not be charged but instead will be verified with a one-dollar authorization transaction. No charge will be made and no money will transfer.

Requiring a credit or debit card is one of many controls we have put in place to reduce abuse of our platform. We will never fully solve platform abuse, but the more barriers we put up, the more difficult and expensive it becomes to engage in abuse.

GitLab team members have already activated and shipped many improvements. These were helpful in deterring abuse, although they are not sufficient. A sampling of the fixes we have delivered to mitigate pipeline abuse includes:

  1. Fail creation of jobs when pipeline minutes quota is exceeded.
  2. Fail pipelines after user exceeds pipeline minutes quota.
  3. Adding restrictions to the creation of namespaces via the API.
  4. Enabling the termination of pipelines when blocking a user.
  5. Ensuring pipelines do not run when pipelines are owned by a blocked user.
  6. Closing gaps in jobs running by user accounts deleted by users.
  7. Utilizing and enhancing the External Pipeline Validation Service specifically around authentication, payload, and access restriction.
  8. Ensuring scheduled pipelines are not run by blocked users.

We expect to make enhancements to harden our pipeline system against abuse. We believe using pipeline minute quotas as the foundation for free minute usage will be the best mechanism for failing jobs and pipelines to stop abuse. Including this effort, our other pipeline abuse improvements are listed below:

  1. Include public projects in pipeline minutes quota for free users.
  2. Expand application limits for preventing abuse of webhooks.

A user impacted by this change has the following options:

Validating an account

Continue the conversation

Please share your questions and feedback with us on the community forum.
