I am asking the question here, because documentation didn't help me.
During runner's setup, 2 things are being asked: url of gitlab CI coordinator and registration token. I don't get what any of them should be.
As for the URL, it could be either the URL of the GitLab CI web interface (e.g. http://localhost:80/) or the URL related to the build, which is described in the build's advanced properties.
The registration token could be something from the documentation - but the link to it is dead (see: http://gitlab-ci-domain.com/admin/runners) - or the registration token from the build's advanced properties.
However, when I try to supply the URL and registration token from the build properties to the runner's setup, I get an access error telling me that registration failed. Since I don't understand what those parameters should be, I cannot determine what is wrong.
The URL is your GitLab CI URL.
The token you mention is in your GitLab CI under "Runners", next to the line:
"To register a new runner you should enter the following registration token. With this token the runner will request a unique runner token and use that for future communication"
If you can access the settings for a project, then you can find the information in Project Settings > Runners. There should be a box under Specific Runners that has the URL and token.
EDIT: As of GitLab 9.0, this info can be found under Settings > CI/CD Pipelines (per Josh Noe)
EDIT: New location as of GitLab 9.3 (maybe earlier): Settings > Pipelines
EDIT: New location as of GitLab 10: Settings > CI / CD > Runners Settings
As of GitLab Enterprise Edition 12.0.0-pre 8104b83f087
The token can be found by:
Go to your GitLab project
Click on Settings
Click on CI/CD
Click on "Expand" on the Runners section
The token is under "Set up a specific Runner manually"
Apparently the only way to do that is to yourself be an admin of the GitLab instance your CI server deals with.
I find that unreasonable, but what could be done?
I'm using Github Actions to build some Docker images that I want to push to Azure Container Registry. I am attempting to use OIDC as an auth mechanism, based on this GH Action. I know the action supports other auth strategies, which I have discarded for my use case for reasons.
According to the GH docs, the "subject" field needs to be populated based on the GH account, repo name and branch name. However, I want to build Docker images for multiple branches, which seems to require one federation config per branch - not practical, IMO.
So my question is: does anyone know if it's possible (and how) to set up a single federation config with a "subject" value that would work as a wildcard of sorts, covering all branches from a given repo?
thanks!
On AWS it is possible to use wildcards, like:
"repo:MY_ORG/MY_REPO:*"
but that doesn't seem to work on Azure: you can enter a wildcard in Azure Federated Credentials, but the GitHub workflow fails. Actually needing a branch is crazy, as we'd need to set up a new credential config for each new git branch.
I worked around the issue by using GitHub environments. I set an environment (called main but it can be called anything) and then set my workflow like this:
jobs:
  test:
    runs-on: ubuntu-latest
    environment: main
and then in Azure set the federated creds to use:
Entity of Environment rather than Entity of Branch
This will then work for any branch - but clearly if you use GitHub environments for other reasons this may not be viable.
Note that, since Oct. 2022:
GitHub Actions: OpenID Connect support enhanced to enable secure cloud deployments at scale (Oct. 2022)
OpenID Connect (OIDC) support in GitHub Actions enables secure cloud deployments using short-lived tokens that are automatically rotated for each deployment.
You can now use the enhanced OIDC support to configure the subject claim format within the OIDC tokens, by defining a customization template at either org or repo levels.
Once the configuration is completed, the new OIDC tokens generated during each deployment will follow the custom format.
This enables organization & repository admins to standardize OIDC configuration across their cloud deployment workflows that suits their compliance & security needs.
Learn more about Security hardening your GitHub Workflows using OpenID Connect.
That means, from the documentation:
Customizing the subject claims for an organization or repository
To help improve security, compliance, and standardization, you can customize the standard claims to suit your required access conditions.
If your cloud provider supports conditions on subject claims, you can create a condition that checks whether the sub value matches the path of the reusable workflow, such as "job_workflow_ref: "octo-org/octo-automation/.github/workflows/oidc.yml#refs/heads/main"".
The exact format will vary depending on your cloud provider's OIDC configuration. To configure the matching condition on GitHub, you can use the REST API to require that the sub claim must always include a specific custom claim, such as job_workflow_ref.
You can use the OIDC REST API to apply a customization template for the OIDC subject claim; for example, you can require that the sub claim within the OIDC token must always include a specific custom claim, such as job_workflow_ref.
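The two answers above describe the same mechanism from different ends: the cloud side matches the token's sub claim (exactly, on Azure; with a wildcard, on AWS), and GitHub decides what goes into sub (branch by default, the environment name when the job declares one, or a custom template). The following script is an added example, not code from either answer or from GitHub's tooling. It models the default sub formats documented by GitHub (`repo:ORG/REPO:ref:refs/heads/BRANCH`, `repo:ORG/REPO:environment:NAME`, `repo:ORG/REPO:pull_request`), builds a template-based sub on the assumption that the chosen claims are concatenated as key:value pairs in template order, and shows which branches a single federated credential admits under each matching rule. All repo names, branches and workflow paths are constructed.

```python
"""Which workflow runs does one federated-credential subject admit?

Added example; the token claims below are constructed, not captured from
a real GitHub Actions run. Subject formats follow GitHub's documented
defaults; the template concatenation order is an assumption to verify
against tokens issued for your own repository.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RunContext:
    """The parts of a workflow run that shape the OIDC `sub` claim."""
    repo: str                      # "org/repo"
    ref: str                       # e.g. "refs/heads/main"
    event_name: str = "push"
    environment: Optional[str] = None
    job_workflow_ref: Optional[str] = None


def default_subject(ctx: RunContext) -> str:
    """GitHub's default `sub`: environment wins over pull_request over ref."""
    if ctx.environment is not None:
        return f"repo:{ctx.repo}:environment:{ctx.environment}"
    if ctx.event_name == "pull_request":
        return f"repo:{ctx.repo}:pull_request"
    return f"repo:{ctx.repo}:ref:{ctx.ref}"


def custom_subject(ctx: RunContext, include_claim_keys: List[str]) -> str:
    """`sub` built from a customization template (the REST API feature the
    answer quotes). Assumption: selected claims are joined as key:value
    pairs in template order, e.g. repo:...:job_workflow_ref:..."""
    available = {
        "repo": ctx.repo,
        "ref": ctx.ref,
        "job_workflow_ref": ctx.job_workflow_ref,
    }
    parts = []
    for key in include_claim_keys:
        value = available.get(key)
        if value is None:
            raise ValueError(f"claim {key!r} is not available for this run")
        parts.append(f"{key}:{value}")
    return ":".join(parts)


def exact_match(credential_subject: str, token_subject: str) -> bool:
    """Azure-style rule: the subject must be identical; '*' is a literal."""
    return credential_subject == token_subject


def wildcard_match(credential_subject: str, token_subject: str) -> bool:
    """AWS StringLike-style rule: '*' matches any run of characters."""
    pattern = ".*".join(re.escape(p) for p in credential_subject.split("*"))
    return re.fullmatch(pattern, token_subject) is not None


def admitted_branches(credential_subject: str, repo: str, branches: List[str],
                      environment: Optional[str], matcher) -> List[str]:
    """Branches whose default `sub` satisfies the credential under `matcher`."""
    result = []
    for branch in branches:
        ctx = RunContext(repo=repo, ref=f"refs/heads/{branch}",
                         environment=environment)
        if matcher(credential_subject, default_subject(ctx)):
            result.append(branch)
    return result


if __name__ == "__main__":
    repo = "my-org/my-repo"                       # constructed
    branches = ["main", "release/1.2", "feature/oidc"]

    # One credential pinned to the main branch admits only that branch.
    print(admitted_branches(f"repo:{repo}:ref:refs/heads/main", repo, branches,
                            None, exact_match))
    # A wildcard credential works under wildcard matching, not exact matching.
    print(admitted_branches(f"repo:{repo}:*", repo, branches, None, wildcard_match))
    print(admitted_branches(f"repo:{repo}:*", repo, branches, None, exact_match))
    # The environment trick: every branch that runs with environment "main"
    # gets the same branch-independent subject.
    print(admitted_branches(f"repo:{repo}:environment:main", repo, branches,
                            "main", exact_match))
```

The third call illustrates the failure the answer reports: under exact matching a credential subject containing `*` admits nothing, because no token ever carries a literal asterisk. The trade-off the answer notes also shows up here: any job in the repository that can declare `environment: main` obtains the matching subject, so protect that environment with reviewers or branch restrictions if it is the only thing standing between a branch and the cloud role.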
I have a GitLab repository that I would like to set up a GitLab runner for. In the documentation it states that I need to register the runner using the "registration token" from the GitLab website in the repository settings.
However, after issuing the "gitlab-runner start" command, I still need to create a config.toml file with the url and a "runner token" in order to be able to run the gitlab-runner run command, which I need to run a number of commands upon a push on a specified branch.
I am not sure where to find this "runner token". In the documentation it only states that the runner token is different from the registration token, but not where to obtain it.
I would highly appreciate any kind of help or suggestions.
The config.toml was not being created in the proper folder, see here
I created Personal Access Token in gitlab.com to read the gitlab api because I want to create some documentation about my repos in asciidoc automatically. Basically this works in a local script.
Now I want to turn this into a GitLab CI pipeline. As of now the token is part of my local script. But I don't want this token to be readable in a public repo. Is there a way to get the token from the pipeline in a secure way without putting it into the .gitlab-ci.yml in plain text or any other reusable form?
Yes, in your gitlab project Settings > CI / CD > Variables
There you can add key-value pairs which can be "masked" so they aren't visible in scripts.
But you should be aware this isn't fully "secure"; take a look at this
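The pattern the answer recommends is: the token lives in a masked CI/CD variable, the job reads it from its environment, and nothing in the repository holds the literal value. The script below is an added example, not the asker's script or anything from GitLab; the variable name GITLAB_API_TOKEN is chosen here, the pipeline excerpt and the token strings are constructed, and the `PRIVATE-TOKEN` header and the `glpat-` token prefix are GitLab's own. It also shows the two checks a practitioner wants around this: a fail-fast when the variable is missing, and a scan that flags a personal access token committed into .gitlab-ci.yml. The `mask` helper mirrors how masking works on job logs, which is where the answer's caveat comes from: only the exact literal value is replaced.

```python
"""Consume a GitLab API token from a masked CI/CD variable, never from YAML.

Added example (not code from the question or GitLab). Assumes the job has a
masked variable GITLAB_API_TOKEN (name chosen here). Token values and the
pipeline excerpt below are constructed for illustration.
"""
import json
import os
import re
import urllib.request
from typing import Dict, List, Mapping

# Personal access tokens issued by GitLab start with this prefix.
PAT_PATTERN = re.compile(r"glpat-[A-Za-z0-9_-]{20,}")


def load_token(env: Mapping[str, str] = os.environ,
               name: str = "GITLAB_API_TOKEN") -> str:
    """Fail fast if the masked variable was not provided to the job."""
    token = env.get(name, "").strip()
    if not token:
        raise RuntimeError(
            f"{name} is not set; define it as a masked variable under "
            "Settings > CI / CD > Variables instead of in .gitlab-ci.yml")
    return token


def api_headers(token: str) -> Dict[str, str]:
    """GitLab REST API authentication header for a personal access token."""
    return {"PRIVATE-TOKEN": token}


def fetch_projects(token: str, base_url: str = "https://gitlab.com/api/v4") -> list:
    """List projects visible to the token (needs network; not used in the demo)."""
    req = urllib.request.Request(f"{base_url}/projects?membership=true",
                                 headers=api_headers(token))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def mask(log_text: str, secrets: List[str]) -> str:
    """Approximate GitLab's job-log masking: the literal value is replaced.
    Nothing derived from the value is recognised, so a script that prints a
    transformed token defeats it; that is the caveat in the answer."""
    for secret in secrets:
        log_text = log_text.replace(secret, "[MASKED]")
    return log_text


def find_hardcoded_tokens(ci_yaml: str) -> List[int]:
    """Return 1-based line numbers in a .gitlab-ci.yml that contain a literal
    personal access token. Useful as a pre-commit or pipeline lint step."""
    return [i for i, line in enumerate(ci_yaml.splitlines(), start=1)
            if PAT_PATTERN.search(line)]


if __name__ == "__main__":
    # Constructed pipeline excerpt: the first job hardcodes a token, the
    # second reads the masked variable, which is the shape the answer suggests.
    ci_yaml = """\
docs-bad:
  script:
    - curl --header "PRIVATE-TOKEN: glpat-CONSTRUCTEDexample0123456" https://gitlab.com/api/v4/projects
docs-good:
  script:
    - python generate_docs.py   # reads GITLAB_API_TOKEN from the environment
"""
    print("hardcoded token on lines:", find_hardcoded_tokens(ci_yaml))

    fake_env = {"GITLAB_API_TOKEN": "glpat-CONSTRUCTEDexample0123456"}
    token = load_token(fake_env)
    print("headers:", mask(str(api_headers(token)), [token]))
```

Masking is a presentation control on the log, not a secrecy boundary: anyone who can push a job to the project can still read the variable from inside the job. Keep that in mind when deciding who may push to a public repository that carries such a variable, and scope the token to the minimum API access the documentation generator needs.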
My current workflow sucks! It's due to inexperience with static site generators. I have a site built with Gatsby. The content is sourced from the Prismic headless CMS. I deploy to Azure Static Web Apps via command line Git. When I push or manually run a Github Action, the site grabs all the content from Prismic, builds and deploys. You have to first publish in Prismic, then open up Github and run the actions.
Prismic has a webhook option. You give it an API endpoint and auth credentials and whatever is at the other end gets executed when content is published. I also have an API endpoint set up in Azure but it does nothing right now but return a string when you access it.
How do I bridge the two so the site builds and redeploys whenever content is published at Prismic?
This is totally feasible (I didn't try it myself) but needs some configuration.
To do this you need to use GitHub Actions.
Using GitHub Actions requires users to add a personal access token with the repo scope. To learn more, refer to GitHub's docs.
You need to add the header key & value in your Prismic Webhooks settings such as
Note: Currently, the custom headers feature is in the testing phase and will be released soon; check this page to follow the progress of the feature.
Also, you can check this article to get some inspiration, and it would be cool if you could share your work with the community.
My website here is asking for a username and password. There is no error in the console. The website is built in Jekyll. This has only started happening recently; before, I was able to deploy the same script. Is this related to a GitLab Pages permission issue?
To fix this (from your GitLab repo) try going to Settings > General and scrolling down to Visibility, project features, permissions. Now update "Pages access control" to "Everyone."