service accounts and push-type models?

How do we allow the sync to have access to private projects on gitlab? I assume there's a service account associated that we can add as a reporter to give read-access to the project's gitlab registry.

Additionally, is there a way to force a sync whenever a new image is pushed to the gitlab registry?