I have a project with a Node dependency on a private Git repository. I need to be able to run npm install without being prompted to enter a password or allow an SSH connection, so I'm using an access token that I created on GitHub in my package.json:
"dependencies": {
"sass-theme": "git+https://[token]:x-oauth-basic#github.com/MyOrg/sass-theme.git#v1.0.2",
"node-sass": "^4.5.0"
}
This project is shared with dozens of other people, so obviously I don't want to keep my token in source control. I know I can create a read-only deployment key on GitHub, but I believe that would require other developers to import the SSH key to build the project locally.
Is it possible to create an access token that can be shared but that has read-only access to clone the repository?
The most straightforward way I can think of to create a token that provides read-only access to a private repo is to:
Have a user who has read-only access to the given private repo
(and ideally, not much else)
As that user create a Personal Access Token with the "repo" scope
It would be best if they didn't have access to other orgs/repos, since the "repo" scope grants the user total control over any repos that user has write access to.
I know in an Enterprise solution we would do that with a System ID, but on GitHub you can instead create a Machine User.
Deploy keys are the way to go. By default they don't allow write access and they are scoped to the specific repository (unlike the GitHub personal access token). So you can now generate a private/public key pair, set one as read/pull only deploy key on a single repository in GitHub and use the private key in your CI.
For instance run a bash script:
eval "$(ssh-agent -s)";
ssh-add <your private deploy key>;
Now your CI has rights to access private repo's during the build.
You can add a Deploy key by going to your repository on Github and then clicking Settings > Deploy keys > Add deploy key
If you think it's a bad idea to put your credentials in your source code (as you should!) then you have few options:
Keep it hosted in a private GitHub repo but add those dozens of other people as collaborators to this repo (with read only access).
Keep it hosted in a private GitHub repo but owned as an organization and add those people to the organization.
Publish it as a private npm module.
Publish it in a private npm registry.
Include the dependency in the source code of the program that needs it.
The last one is basically like including the node_modules in the original code that uses that module so of course it's not pretty. Hosting your own npm registry is not trivial but you can automate adding users that way. Publishing private npm module is not free. Maintaining an organization full of people who should be able to access your repo is annoying.
Keep in mind one thing: if you share your credentials with more than one person, expect everyone to eventually have access to it, it's just a matter of time. The credentials could have a limited scope, it can be a read only deploy key or a machine user with restricted access, but if it is distributed it will leak eventually as it always does, especially when you share it with dozens of people. It's much better to keep a list of people who can access the code, and you can automate keeping that list up to date using the GitHub API.
I would never recommend distributing credentials in the source code of the project, no matter how limited access those credentials provide.
It's ugly that there are no scope for Read-only access to private repo.
What I suggest is to create a new token even with read/write as a Temporary token. Then pull/fetch the changes and delete the Token directly.
Apparently, GitHub has heard you and added a new beta feature called "Fine-Grained Tokens"!
https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/
"Create a fine-grained, repository-scoped token suitable for personal API use and for using Git over HTTPS"
Go to setting/developer settings/Personal Access Tokens/Fine grained token
Related
I want to assign permission to a user just to pull gitlab's registry container and can't download raw project while even guests on gitlab can download project and pull container both, any solution?
You cannot assign/revoke granular permissions for users. User access it determined by their assigned (or inherited) role in the project and the project visibility settings.
If your project has internal or public visibility, any logged in user will be able to download the project files. To prevent users from seeing the project, you must make it private and revoke membership.
You can, however, create a project access token and assign it the read_registry scope only. Then, that token can only be used to download images from the container registry and does not provide any other access.
I'm using GitLab Enterprise Edition 14.6.5-ee
I want to create a Git tag automatically when I merge a branch back to master. I'm fine with the actual Git commands; the problem is with the authentication: the build bot doesn't know how to authenticate back to the server. There's an answer here how to set up SSH keys. But this requires me to use my personal credentials, which is just wrong, because it's not me creating the tag; it's the build bot.
Seriously, it just doesn't make sense to say that the bot doesn't know how to authenticate. I mean, it just pulled the freakin' code from the repo! So why is it such a big leap from being able to pull code to being able to push code?
Any ideas how to automate the creation of tags without using my personal credentials?
CI jobs do have a builtin credential token for accessing the repository: the $CI_JOB_TOKEN variable. However this token only has read permissions, so it won't be able to create tags. To write to the repository or API, you'll have to supply a token or SSH key to the job. However, this doesn't necessarily have to be your personal token.
There are a few ways you can authenticate to write to the project without using a personal credential:
You can use project access tokens
You can use group access tokens -- these are only exposed in the UI after GitLab 14.7
You can use deploy SSH keys (when you grant read-write to the key)
So why is it such a big leap from being able to pull code to being able to push code?
This is probably a good thing. While it may require you to do extra work in this case, the builtin job authorization tries to apply the principle of least privilege. Many customers have even argued that the existing CI_JOB_TOKEN permissions are too permissive because they allow access to read other projects!
In any case, it is on GitLab's roadmap to make these permissions more controllable and flexible :-)
Alternatively, use releases
If you don't mind creating a release in addition to a tag, you could also use the release: keyword in the CI yaml as an easy way to create the tag.
It's somewhat of an irony that the releases API allows you to use the builtin CI_JOB_TOKEN to create releases (and presumably tags) but you cannot (as far as I know) use CI_JOB_TOKEN on the tags API to create a tag.
However, in this case, it will still have the effect that the releases/tag appear to be created by you.
I am developing a utility where I need to validate the user by taking username and validate it with a specific gitlab private repository members. If the user exists in that repository members then only the executable will run. As this utility will be used by many users,I do not want to use my personal access token.
I am new to Gitlab, would be great help if you can show possible options here.
What I got so far is, it is possible to Authenticate with Personal Access Token and include external CI script but a cleaner approach would be to get access using $CI_JOB_TOKEN since it is more secure and restricted. I am looking into if it can be done this way -
include 'https://gitlab-ci-token:${CI_JOB_TOKEN}#raw-file-url'
I have tried to curl in this format in a dummy script job, but it fails to fetch the file.
Apparently, an external script can be imported using file API and $CI_JOB_TOKEN (https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/2346/diffs), but I am looking into if include feature also support this. Any suggestion on how to achieve that is appreciated.
Unfortunately, CI_JOB_TOKEN is very limited in scope. As of today (GitLab 11.0), you can only do two things with it:
Authenticate with the GitLab Container (Docker) Registry
Authenticate to trigger a multi-project pipeline (EE only)
References:
https://docs.gitlab.com/ce/ci/variables/
https://docs.gitlab.com/ee/ci/variables/
So you cannot use CI_JOB_TOKEN to download a file from another repository, neither via the raw endpoint (/raw/<ref>/<path>) nor the API.
Unfortunately, deploy keys don't help either -- they are only for SSH.
The only workable solution I've come up with is to use a separate user:
Create a new user with Reporter role.
Create a personal access token (/profile/personal_access_tokens) for that user with api and read_repository rights.
Add this token as a secret variable in the project CI/CD settings. Call it e.g. BUILD_USER_TOKEN.
Use $BUILD_USER_TOKEN in your CI script to access the API or project files.
This is a huge hack, and I really hope to see GitLab make CI_JOB_TOKEN a first-class, read-only (?) token with rights to specified resources.
Still there is no support for the CI_JOB_TOKEN to have a useful API access. But they are working on it https://gitlab.com/groups/gitlab-org/-/epics/3559
I have a project which our research lab is working, but only a few members can have access to the codes. We are using Git and BitBucket, but we want to use the server lab as our main repository. I have the following constraints:
We don't have admin rights;
Only a few members can have access to the files;
Every lab member already has its own login in the server.
How can I make this work?
I was thinking to ask the admin to add a group in the server, which would have read/write rights in our Git repository folder. Does it work? Is there a better way to manage these Git repositories with these constraints?
In addition to what Borealid wrote in his answer, you could also use gitolite. It allows you to have much more fine-grained access control (e.g. you can prevent users from deleting your repositories or prevent (some of) them from pushing to certain branches). It doesn't require root access.
Having a POSIX group which is granted access to the repository directory is a fine way to do things.
Just be aware that you have to trust the other group members - they could delete the directory entirely, without using the git client.