The non-traversable GL_BuildsOn edge is a computed enrichment edge indicating that pipelines on a given branch may execute on a specific runner. It is created based on two conditions:
- The project containing the branch has a GL_CanUseRunner edge to the runner (the runner is available to the project).
- The runner's `access_level` is compatible with the branch's protection status: `not_protected` runners execute jobs from any branch; `ref_protected` runners only execute jobs triggered from protected branches.
GL_BuildsOn is the primary structural edge for the "push to branch → run code on runner" attack path. An attacker who can push to a branch (via GL_CanPush) or merge into it (via GL_CanMerge) can trigger a pipeline that executes on every runner that branch reaches via this edge.
```mermaid
graph LR
    user("fa:fa-user GL_User alice")
    devRole("fa:fa-user-tie GL_ProjectRole myproject/Developer")
    branch("fa:fa-code-branch GL_Branch develop")
    runner("fa:fa-gears GL_Runner shared-runner-01")
    manager("fa:fa-server GL_RunnerManager linux-host")
    user -->|GL_HasRole| devRole
    devRole -->|GL_CanPush| branch
    branch -.->|GL_BuildsOn| runner
    runner -.->|GL_ManagedBy| manager
```
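As an added example (not the tool's own enrichment code), the following evaluates the two conditions above over a constructed inventory to derive GL_BuildsOn edges; the dataclass fields, helper names and sample runners are assumptions for illustration, and the result shows why a `ref_protected` runner never gets an edge from an unprotected branch.

```python
from dataclasses import dataclass
from typing import Iterable, Set, Tuple

# Field and helper names are assumptions for this example, not the tool's schema.
@dataclass(frozen=True)
class Runner:
    name: str
    access_level: str  # "not_protected" or "ref_protected"

@dataclass(frozen=True)
class Branch:
    project: str
    name: str
    protected: bool

def runner_accepts_branch(runner: Runner, branch: Branch) -> bool:
    """Condition 2: the runner's access_level must permit this branch's status."""
    if runner.access_level == "not_protected":
        return True  # jobs from any branch run here
    if runner.access_level == "ref_protected":
        return branch.protected  # only protected refs trigger jobs here
    raise ValueError(f"unknown access_level: {runner.access_level!r}")

def compute_builds_on(branches: Iterable[Branch], runners: Iterable[Runner],
                      can_use_runner: Set[Tuple[str, str]]) -> Set[Tuple[str, str]]:
    """Derive GL_BuildsOn edges ("project/branch", runner) from GL_CanUseRunner
    edges given as (project, runner) pairs, applying both conditions."""
    by_name = {r.name: r for r in runners}
    edges: Set[Tuple[str, str]] = set()
    for b in branches:
        for project, runner_name in can_use_runner:
            if project != b.project:  # condition 1: runner not available to project
                continue
            if runner_accepts_branch(by_name[runner_name], b):
                edges.add((f"{b.project}/{b.name}", runner_name))
    return edges

# Constructed sample inventory.
SAMPLE_RUNNERS = [Runner("shared-runner-01", "not_protected"),
                  Runner("prod-runner", "ref_protected")]
SAMPLE_BRANCHES = [Branch("myproject", "develop", protected=False),
                   Branch("myproject", "main", protected=True),
                   Branch("other", "develop", protected=False)]
SAMPLE_CAN_USE = {("myproject", "shared-runner-01"),
                  ("myproject", "prod-runner"),
                  ("other", "prod-runner")}

def sample_edges() -> Set[Tuple[str, str]]:
    """GL_BuildsOn edges for the constructed inventory above."""
    return compute_builds_on(SAMPLE_BRANCHES, SAMPLE_RUNNERS, SAMPLE_CAN_USE)
```

For the sample inventory, `develop` in `myproject` reaches only the shared runner, while `main` (protected) also reaches `prod-runner`; `other/develop` gets no edge at all because its only usable runner is `ref_protected`.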