I created a Personal Access Token on gitlab.com to read the GitLab API because I want to create some documentation about my repos in AsciiDoc automatically. Basically this works in a local script.
Now I want to turn this into a GitLab CI pipeline. As of now the token is part of my local script. But I don't want this token to be readable in a public repo. Is there a way to get the token from the pipeline in a secure way without putting it into the .gitlab-ci.yml in plain text or any other reusable form?
Yes, in your gitlab project Settings > CI / CD > Variables
There you can add key/value pairs which can be "masked", so they aren't visible in scripts.
But you should be aware this isn't fully "secure"; take a look at this
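As an added example (not part of the answer above), a .gitlab-ci.yml job that reads the token from a CI/CD variable instead of from the script. GITLAB_API_TOKEN is an assumed variable name; you would create it under Settings > CI / CD > Variables with Masked and, for a public repo, Protected enabled:

```yaml
# .gitlab-ci.yml (added example). The token never appears in this file:
# it lives in a masked, protected CI/CD variable named GITLAB_API_TOKEN
# (assumed name) and only reaches the job as an environment variable.
#
# Do NOT do this in a public repo; it is plain text in git history:
#   variables:
#     GITLAB_API_TOKEN: "<token>"    # never hard-code a token here

stages:
  - docs

generate_docs:
  stage: docs
  image: alpine:3.19
  rules:
    # Protected variables are only injected on protected branches/tags,
    # so restrict the job to the default branch as well.
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  before_script:
    - apk add --no-cache curl jq
    # Fail fast if the variable is missing (fork, unprotected branch, typo).
    - test -n "$GITLAB_API_TOKEN" || { echo "GITLAB_API_TOKEN is not set"; exit 1; }
  script:
    # The token goes in a header, not in the URL, so it does not end up in
    # job logs or proxy access logs. --fail makes curl exit non-zero on 401/403.
    - >
      curl --fail --silent --show-error
      --header "PRIVATE-TOKEN: $GITLAB_API_TOKEN"
      "$CI_API_V4_URL/projects/$CI_PROJECT_ID" -o project.json
    # Turn the project JSON into a minimal AsciiDoc page.
    - jq -r '"= " + .name, "", (.description // "")' project.json > repo.adoc
  artifacts:
    paths:
      - repo.adoc
```

Masked values still show as [MASKED] in the job log only when they are printed verbatim; anyone who can edit this file or run a job can still exfiltrate the value, which is the caveat the answer points at.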
I'm using GitLab Enterprise Edition 14.6.5-ee
I want to create a Git tag automatically when I merge a branch back to master. I'm fine with the actual Git commands; the problem is with the authentication: the build bot doesn't know how to authenticate back to the server. There's an answer here on how to set up SSH keys. But this requires me to use my personal credentials, which is just wrong, because it's not me creating the tag; it's the build bot.
Seriously, it just doesn't make sense to say that the bot doesn't know how to authenticate. I mean, it just pulled the freakin' code from the repo! So why is it such a big leap from being able to pull code to being able to push code?
Any ideas how to automate the creation of tags without using my personal credentials?
CI jobs do have a builtin credential token for accessing the repository: the $CI_JOB_TOKEN variable. However this token only has read permissions, so it won't be able to create tags. To write to the repository or API, you'll have to supply a token or SSH key to the job. However, this doesn't necessarily have to be your personal token.
There are a few ways you can authenticate to write to the project without using a personal credential:
You can use project access tokens
You can use group access tokens -- these are only exposed in the UI after GitLab 14.7
You can use deploy SSH keys (when you grant read-write to the key)
So why is it such a big leap from being able to pull code to being able to push code?
This is probably a good thing. While it may require you to do extra work in this case, the builtin job authorization tries to apply the principle of least privilege. Many customers have even argued that the existing CI_JOB_TOKEN permissions are too permissive because they allow access to read other projects!
In any case, it is on GitLab's roadmap to make these permissions more controllable and flexible :-)
Alternatively, use releases
If you don't mind creating a release in addition to a tag, you could also use the release: keyword in the CI yaml as an easy way to create the tag.
It's somewhat of an irony that the releases API allows you to use the builtin CI_JOB_TOKEN to create releases (and presumably tags) but you cannot (as far as I know) use CI_JOB_TOKEN on the tags API to create a tag.
However, in this case, it will still have the effect that the release/tag appears to be created by you.
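As an added example (not from the answer above), a job that tags the merge commit on master using a project access token, plus the release: keyword alternative; use one of the two, not both. BOT_TOKEN is an assumed name for a masked, protected CI/CD variable holding a project access token with the api scope, owned by the project bot user rather than by you:

```yaml
# .gitlab-ci.yml (added example). BOT_TOKEN is an assumed masked+protected
# CI/CD variable holding a project access token (scope: api), not a
# personal token. The tag is attributed to the project bot user.
stages:
  - tag

tag_merge_commit:
  stage: tag
  image: alpine:3.19
  rules:
    # Only on master. Tag pipelines have no CI_COMMIT_BRANCH, so the tag
    # this job creates does not re-trigger it.
    - if: $CI_COMMIT_BRANCH == "master"
  before_script:
    - apk add --no-cache curl
    - test -n "$BOT_TOKEN" || { echo "BOT_TOKEN not set (unprotected branch or fork?)"; exit 1; }
  script:
    # POST /projects/:id/repository/tags creates a lightweight tag at ref.
    # The token travels in a header, never in the URL or the job log.
    - >
      curl --fail --silent --show-error --request POST
      --header "PRIVATE-TOKEN: $BOT_TOKEN"
      --data-urlencode "tag_name=build-$CI_PIPELINE_IID"
      --data-urlencode "ref=$CI_COMMIT_SHA"
      "$CI_API_V4_URL/projects/$CI_PROJECT_ID/repository/tags"

# Alternative: the release: keyword lets release-cli use the job's own
# CI_JOB_TOKEN; the tag is created from ref if it does not exist yet.
release_on_master:
  stage: tag
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  rules:
    - if: $CI_COMMIT_BRANCH == "master"
  script:
    - echo "creating release for $CI_COMMIT_SHORT_SHA"
  release:
    tag_name: "build-$CI_PIPELINE_IID"
    ref: "$CI_COMMIT_SHA"
    description: "Automated release of $CI_COMMIT_SHORT_SHA"
```

The first job needs the bot user's role to be allowed to create protected tags if your tag pattern is protected; the second, as the answer notes, shows the release as created by the user who triggered the pipeline.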
I have a GitLab repository that I would like to set up a gitlab runner for. In the documentation it states that I need to register the runner using the "registration token" from the GitLab website in the repository settings.
However, after issuing the "gitlab-runner start" command, I still need to create a config.toml file with the url and a "runner token" in order to be able to run the gitlab-runner run command, which I need to run a number of commands upon a push on a specified branch.
I am not sure where to find this "runner token". In the documentation it only states that the runner token is different from the registration token, but not where to obtain it.
I would highly appreciate any kind of help or suggestions.
The config.toml was not being created in the proper folder, see here
What I got so far is, it is possible to authenticate with a Personal Access Token and include an external CI script, but a cleaner approach would be to get access using $CI_JOB_TOKEN since it is more secure and restricted. I am looking into whether it can be done this way:
include 'https://gitlab-ci-token:${CI_JOB_TOKEN}#raw-file-url'
I have tried to curl in this format in a dummy script job, but it fails to fetch the file.
Apparently, an external script can be imported using the file API and $CI_JOB_TOKEN (https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/2346/diffs), but I am looking into whether the include feature also supports this. Any suggestion on how to achieve that is appreciated.
Unfortunately, CI_JOB_TOKEN is very limited in scope. As of today (GitLab 11.0), you can only do two things with it:
Authenticate with the GitLab Container (Docker) Registry
Authenticate to trigger a multi-project pipeline (EE only)
References:
https://docs.gitlab.com/ce/ci/variables/
https://docs.gitlab.com/ee/ci/variables/
So you cannot use CI_JOB_TOKEN to download a file from another repository, neither via the raw endpoint (/raw/<ref>/<path>) nor the API.
Unfortunately, deploy keys don't help either -- they are only for SSH.
The only workable solution I've come up with is to use a separate user:
Create a new user with Reporter role.
Create a personal access token (/profile/personal_access_tokens) for that user with api and read_repository rights.
Add this token as a secret variable in the project CI/CD settings. Call it e.g. BUILD_USER_TOKEN.
Use $BUILD_USER_TOKEN in your CI script to access the API or project files.
This is a huge hack, and I really hope to see GitLab make CI_JOB_TOKEN a first-class, read-only (?) token with rights to specified resources.
Still, there is no support for CI_JOB_TOKEN to have useful API access. But they are working on it: https://gitlab.com/groups/gitlab-org/-/epics/3559
I am writing a PHP application that will need to commit and check the status of files on a GitLab repository.
My application asks the user to create the Personal Access Token on GitLab.
All good so far.
I am using curl to run git commands and I am able to get the list of projects and branches on my project, but what I could not find is how to 'clone a repo' and check status on https://docs.gitlab.com/ee/api/README.html.
How do I check out/get status using personal access tokens?
I am asking the question here, because documentation didn't help me.
During the runner's setup, 2 things are asked for: the URL of the GitLab CI coordinator and the registration token. I don't get what either of them should be.
As for the URL, it could be either the URL of the GitLab CI web interface (ex: http://localhost:80/) or the URL related to the build, which is described in the build's advanced properties.
The registration token could be something from the documentation - but the link to it is dead (see: http://gitlab-ci-domain.com/admin/runners) - or the registration token from the build's advanced properties.
However, when I try to supply the URL and registration token from the build properties to the runner's setup, I get an access error which informs me that registration failed. Due to a lack of understanding of what those parameters should be, I cannot determine what is wrong.
The URL is your GitLab CI URL.
The token you mention is in your GitLab CI under "Runners", next to the line:
"To register new runner you should the following registration token. With this token the runner will request a unique runner token and use that for future communication"
If you can access the settings for a project, then you can find the information in Project Settings > Runners. There should be a box under Specific Runners that has the URL and token.
EDIT: As of GitLab 9.0, this info can be found under Settings > CI/CD Pipelines (per Josh Noe)
EDIT: New location as of GitLab 9.3 (maybe earlier): Settings > Pipelines
EDIT: New location as of GitLab 10: Settings > CI / CD > Runners Settings
As of GitLab Enterprise Edition 12.0.0-pre 8104b83f087
The token can be found by:
Go to your gitlab project
Click on Settings
Click on CI/CD
Click on "Expand" on the Runners section
The token is under "Set up a specific Runner manually"
Apparently the only way to do that is to be an admin of the GitLab your CI server deals with yourself.
I find that unreasonable, but what could be done?