We are using Git for a website project where the develop branch will be the source of the test server, and the master branch will serve as the source for the live, production site. The reason being to keep the git-related steps (switching branches, pushing and pulling) to a minimum for the intended user population. It should be possible for these (not extremely technical) users to run a script that will merge develop into master, after being alerted that this would be pushed to live. master cannot be modified by normal users, only one special user can do the merge.
This is where I'm not sure how to integrate this identity change into my code below:
https://gist.github.com/jfix/9fb7d9e2510d112e83ee49af0fb9e27f
I'm using the simple-git npm library. But more generally, I'm not sure whether what I want to do is actually possible as I can't seem to find information about this anywhere.
My intention would be of course to use a Github personal token instead of a password.
Git itself doesn't do anything about user or permission management. So, the short answer is, don't try to do anything sneaky. Rather, use Github's user accounts they way they were intended.
What I suggest is to give this special user their own Github account, with their own copy of the repo. Let's say the main repo is at https://github.com/yourteam/repo, and the special repo is at https://github.com/special/repo.
The script will pull changes from the team repo's develop branch, and merge this into it's own master branch and push to https://github.com/special/repo.
Then, it will push its changes to the team's master branch. This step can optionally be a forced push, since no one else is supposed to mess with master, anyway. (In case someone does, using a forced push here means they have to fix their local repo to match the team repo later on, rather than having the script fail until someone fixes the team repo.)
At the same time, your CI software will notice that master has changed at https://github.com/special/repo, and will publish as you normally would. This is the linchpin: the CI doesn't pay attention to the team repo, so although your team has permission to change it, those changes don't make it into production.
This special user will need commit access to the team repo, in addition to its own GitHub repo. The easiest way is probably to use an SSH key, and run the git push command from the script, rather than trying to use the GitHub API.
Related
I currently work on solutions / projects within a single GIT repository, in Visual Studio. The commits I make are to a local folder on the Visual Studio server, and then I use the command 'git push origin master' (after having changed directory to my local folder / repository) to push commits to a Gitlab in my company's corporate space. The purpose of this is less about using branches and software development (as I am the only person who does any work on this), and more about having a way to rollback changes and keep a master copy off the server.
I now want a fresh copy of this GIT repository, so I can use that as a new baseline for an application migration. I will still continue to work on the existing repository too.
What is the best way to make a copy of the existing repository, that I can treat as a totally separate thing, without accidently messing up my existing config on the server? Should I do the clone from the Gitlab? Or clone locally and then push that up to the new space in my Gitlab? Honestly, I'm a bit confused at this point about the proper model for this stuff.
....................
Sounds like you'd like to fork the project: keep the existing repo and start a new, separate repo based on the old one.
Browse to your project in Gitlab
On the main repo screen, click "fork" in the top right
Select a new/ the same organisation as you'd like
The project is now forked!
From here, you can clone the fork to your local machine in a new folder. These are now separate projects, and code updates can be added, committed and pushed to the separate repos.
I’m trying to set up GitLab CI/CD for an old client-side project that makes use of Grunt (https://github.com/yeoman/generator-angular).
Up to now the deployment worked like this:
run ’$ grunt build’ locally which built the project and created files in a ‘dist’ folder in the root of the project
commit changes
changes pulled onto production server
After creating the .gitlab-ci.yml and making a commit, the GitLab CI/CD job passes but the files in the ‘dist’ folder in the repository are not updated. If I define an artifact, I will get the changed files in the download. However I would prefer the files in ‘dist’ folder in the to be updated so we can carry on with the same workflow which suits us. Is this achievable?
I don't think commiting into your repo inside a pipeline is a good idea. Version control wouldn't be as clear, some people have automatic pipeline trigger when their repo is pushed, that'd trigger a loop of pipelines.
Instead, you might reorganize your environment to use Docker, there are numerous reasons for using Docker in a professional and development environments. To name just a few: that'd enable you to save the freshly built project into a registry and reuse it whenever needed right with the version you require and with the desired /dist inside. So that you can easily run it in multiple places, scale it, manage it etc.
If you changed to Docker you wouldn't actually have to do a thing in order to have the dist persistent, just push the image to the registry after the build is done.
But to actually answer your question:
There is a feature request hanging for a very long time for the same problem you asked about: here. Currently there is no safe and professional way to do it as GitLab members state. Although you can push back changes as one of the GitLab members suggested (Kamil Trzciński):
git push http://gitlab.com/group/project.git HEAD:my-branch
Just put it in your script section inside gitlab-ci file.
There are more hack'y methods presented there, but be sure to acknowledge risks that come with them (pipelines are more error prone and if configured in a wrong way, they might for example publish some confidential information and trigger an infinite pipelines loop to name a few).
I hope you found this useful.
Our team members are not all familiar with git, some members may take a mistake to force push the local branch on to server especially if they are using Windows GUI tools.
I'm wondering if there is any way to control the force push permission for different roles. I googled, but found no answer. I'm using latest Gitlab.
Not yet (should be in GitLab 6.8+): there is a pull request in progress: "pull 6190", which stemmed from this suggestion.
GitLab already has protected branches that prevent push for all except masters. However, there's still the problem of accidental history rewrites and force pushes by masters that can wipe out the whole repository (has happened in real life).
Therefore it is useful to additionally have protection against branch deletion and history rewriting.
The code changes are visible here and are based on a pull request on gitlab-shell, with a definition in lib/gitlab_update.rb:
def forced_push?
missed_refs = IO.popen(%W(git rev-list #{#newrev}..#{#oldrev} --)).read
missed_refs.split("\n").size > 0
end
Are gitlab deployment keys read only?
I need to clone on ci server using a deployment key and then push the tag created by the ci process.
is that possible using a deployment key?
Edit2: This change currently has a sideeffect, as there are no users on deployment keys. So you will find some ugly messages like ERROR -> POST-RECEIVE: Triggered hook for non-existing user. The cache-invalidation (and possibly other things) are therefor not handled on write pushes through deployment-keys, which is a bit ugly. bundle exec rake cache:clear RAILS_ENV=production is your friend until I can find a way to fix that (see link to GitHub below) - and please remember, that clearing the Redis-cache logs out all users, too.
Here is a short workaround to archive following on a per-key basis:
Make My SSH keys readonly. This allows to add machines with readonly access to all repos of an account. Good if you work with trainloads of git subprojects.
Make Deploy-Keys read-write on developer level.
Make Deploy-Keys read-write on master level.
This is archived by prepending the key's title with some special characters:
* to make a My SSH keys readonly
! to make Deploy-Keys read-write
!! to make Deploy-Keys master (write to protected branches)
So instead naming the key "My global key" you name it "* my global readonly key" etc.
diff --git a/lib/api/internal.rb b/lib/api/internal.rb
index ed6b50c..ce350b1 100644
--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
## -30,7 +30,11 ## module API
if key.is_a? DeployKey
- key.projects.include?(project) && DOWNLOAD_COMMANDS.include?(git_cmd)
+return false unless key.projects.include?(project)
+return true if DOWNLOAD_COMMANDS.include?(git_cmd)
+return true if key.title.start_with? '!!'
+return false if project.protected_branch?(params[:ref])
+key.title.start_with? '!'
else
user = key.user
## -42,6 +46,7 ## module API
then :download_code
when *PUSH_COMMANDS
then
+return false if key.title.start_with? '*' # VAHI 2014-02-09
if project.protected_branch?(params[:ref])
:push_code_to_protected_branches
else
Edit1: This patch now is available as cherry-pick on GitHub, see https://github.com/hilbix/gitlabhq/wiki
Edit3: You probably want following workaround, too, in case you push through a deployment key. This is not perfect, as it does not trigger all those hooks, but it invalidates the caches such that the web pages no more show stale data:
diff --git a/app/workers/post_receive.rb b/app/workers/post_receive.rb
index 6416aa6..2fe98d4 100644
--- a/app/workers/post_receive.rb
+++ b/app/workers/post_receive.rb
## -26,6 +26,8 ## class PostReceive
unless user
log("Triggered hook for non-existing user \"#{identifier} \"")
+ project.ensure_satellite_exists
+ project.repository.expire_cache
return false
end
There still is are some problems left:
A minor one, you cannot use the same key on the account level and on the deploy level at the same time. So for keys which only have read-only access on a global basis (which probably is the default key used), you need a second special "push only" key, which allows push access to the repos.
Edit3: And the major one that deployment keys do not have a user attached, so that all the convenience things do not work. If this is a problem for you the only way is, for each SSH key create a dummy-user, and add it to the group/project and give this dummy-users the correct permissions.
Complete example under Linux for a test repo at git#gitlab.example.com:root/test.git
Apply above patch to GitLab
Restart GitLab to read in the new code
Add your ~/.ssh/id_rsa.pub to GitLab Admin under My SSH keys and name it * my readonly key (or something different, starting with *).
Verify, that following works: git clone git#gitlab.example.com:root/test.git
Verify, that following fails on the git push step:
cd test
date > DATE.tmp
git add DATE.tmp
git commit -m testing
git push
Create a second SSH key ~/.ssh/id_push: ssh-keygen -b 4096 -f ~/.ssh/id_push
Add ~/.ssh/id_push.pub as Deploy-Key to repo root/test.git. Name it ! my push key (or something different, starting with !)
Add following to ~/.ssh/config
Host gitlab-push
Hostname gitlab.example.com
User git
IdentityFile ~/.ssh/id_push
Add this target to your cloned repo:
git remote add to gitlab-push:root/test.git
Verify following works: git push to master
Notes:
I used copy+paste to insert the patch. It is likely it will not apply cleanly. Sorry.
Yes, this is really a very crude hack which should not make it into the mainline. The correct implementation would be to have a flag in the database which does this, such that you can edit it through the GUI.
For deploy keys this "key-level"-flag should be in the interesection table between key and project. And in the non-deploy-key variant it should be on the key itself. Perhaps this field can then act as a default value when adding a deploy key to another project and record the last usage of such key.
Unfortunately I am not able to implement this properly myself as I lack the knowledge how to add the necessary elements to the GUI, sorry. ;(
Update 2017
GitLab 8.16 (January 2017) does introduce deploy keys with write-access!
Merge Request 5807
Now with ability to add write-access on deploy key, we can build packages like releases, makes the tag (through CI) and prepare the next release, and of course push both of them commits to git repository
Update Feb. 2021 and GitLab 13.9
Allow Deploy Keys to push to protected branches
Prior to GitLab 12.0, Deploy Keys with write access could push commits to protected branches.
Support for this was removed due to security concerns, but many users still requested it, as they were using it to ensure that only users with Deploy Keys could push to their repositories.
It also eliminates the need to use a service user or machine user, which ties up a license for any team that wants to allow Deploy Keys to push to protected branches just for this use case.
We are excited to announce that we resolved this issue and now Deploy Keys can push to protected branches once more while abiding by security best practices. By moving towards an isolated permission model for Deploy Keys, users can now select Deploy Keys to link to protected branches directly from the settings page on protected branches.
See Documentation and Issue.
Original answer 2013:
Last time I checked (in "Push to GitLab repository within CI server (deploy keys)", no, you don't have the right to use a deploy key to push to a repo.
I think giving deploy keys push access is misguided. It solves the problem on the wrong end.
When you have to hot patch production systems (while running?) and push changes back you are probably doing it wrong.
Changes should always flow from the development to the production system (this should be automated!).
Make your dev env as similar to your production env as possible (use VMs or dedicated dev/staging servers) and write tests (really do!).
Litmus adds in the comments, and I agree with him:
not just in GitLab, even on Bitbucket, Github etc.: deploy keys are readonly.
Given that deploy keys are used to deploy on production, it should be a oneway flow. Code should go from DVCS to production but never the other way.
Also production servers should have as less privilege as possible... that is a security best practice.
CI runs in test environment.
Never use same keys for production and test. That will be a disaster
Curt J. Sampson mentions in the comments:
There are other uses for deploy keys that don't relate to deployment.
For example, if you need to mirror a repo from elsewhere into your own GitLab, you likely want your mirror script to push to your GitLab using a deploy key rather than someone's personal key.
Note, from GitLab 13.5 (October 2020):
Configuration option to allow Deploy Keys to push to protected branches
In release 12.0, we updated Deploy Keys so that keys with write access could no longer push commits to protected branches. As a workaround for this limitation, some users removed access restrictions to the master branch, leaving it unprotected and allowing all developers to push to master.
This increases security risks, so in order to provide a better option we have decided to re-enable the previous behavior through a configuration setting.
See Documentation and Issue.
Not just in GitLab, even on Bitbucket, Github etc. deploy keys are readonly.
Given that deploy keys are used to deploy on production, it should be a oneway flow. Code should flow from DVCS to production but never the other way.
Also production servers should have as less privilege as possible... that is a security best practice.
And most often there is a need to share deploy keys with non-developers, or automation tools. Making them readonly (at least) ensures that an unauthorized person does not screw up with the code base (of course git lets you recover almost everything, but isn't prevention better than cure?)
CI runs in test environment. Never use same keys for production and test. That will be a disaster.
We are working on a project in a 3 people team. We don't have yet a separate machine to set up a Git central server so we have to get along without it. We will have the machine in a few days so I treat the curent workflow more like an experiment. So now we do like this:
1) every member is creating a git repository on his computer simply like this:
git init
2) every member makes his repository readable by others like this:
in .git directory:
touch git-daemon-export-ok
And then:
git daemon &
3) every member sends address of his repository to other members and every member imports it like this:
git remote add aa git://xxx.xxx.xxx.xxx/home/username/code
Now when the initial setup is done our workflow looks like this:
We checkout to the dev branch on our local repository to do the work. When we're done, we pull other members' master branches into our repository:
git pull --rebase aa master
git pull --rebase ab master
...
Finally we squash commits from our dev branch if necessary and merge them with our local master. From now on other members will be able to download these commits form our computer into their masters.
What do you think about it?
#
I should add that this is happening in the company and we are not allowed to use Github or something like this here. Our software is going to be open source but we have to follow strict security policy.
I believe if the team is self disciplined there shouldn't be any problem, but definitely treat this a a temporary solution, because if the team increase will be much harder to avoid problems. Btw maybe think about github private repository. They work like a charm.
Seems rather a convoluted solution to me. So why not just use a hosted service temporarily, and move to your own Git server when it arrives?
Obviously, GitHub is the 800-pound gorilla in the room here, but I personally use BitBucket in a professional capacity because unlike GitHub, it offers free private repositories (but limited to five users).