Support CI_JOB_TOKEN auth
#156
Comments
|
For me, the GitLab: 13.4.0-pre .gitlab-ci.yml stages:
- release
release:
needs: []
image: registry.gitlab.com/rxap/gitlab-ci/semantic-release
stage: release
script: semantic-release
variables:
GITLAB_TOKEN: $CI_JOB_TOKEN
interruptible: true
rules:
- if: '$CI_COMMIT_REF_NAME == "master"'
when: on_success |
|
@mmuenker I'm not able to reproduce a working release using your example with Can you think of anything different in your set up that would cause it to work? |
|
is it possible that it was meant to work in gitlab 13.4.* and not 13.3 ? |
|
I've tried this but I can't find any circumstances that made this work like @mmuenker says is possible. However, I also cannot find why it doesn't work - it seems like it fails before the gitlab plugin even does anything. |
|
I have looked into this. I don't see how this could work at the moment, at least for Could be that other rights are missing too. |
|
I can confirm this has no chance to work as @secustor said. The error message is The use the CI_JOB_TOKEN would ease a lot the usage of semantic-release, but it looks complicated as long as the job token can't push tags (which is legit for security reasons) |
|
It seems failing at It's kinda make sense to auth if the token has a write permission to the repository, however, the release creation API technically doesn't require the write permission to create a git-tag in its subsequent process. |
|
Alternatively, maybe Deploy Tokens should be able to be used instead. This is more appropriate than Personal Access Token or job token. However, there are no options to give write repository permission in the deploy token ATM, see https://gitlab.com/gitlab-org/gitlab/-/issues/23067. |
|
Yes, the deploy and ci tokens are pretty limited (and for good reasons by default) The issue you reference have moved to this epic now: https://gitlab.com/groups/gitlab-org/-/epics/3559 Would you like to create a feature request on |
|
This thread helped me better understand why the tl;dr: |
|
By pure coincidence, I had a top level group variable that was a valid PAT. That's why it was working for me. Just confirmed that |
|
Is someone actively working on it? |
|
Ah cool. Then, we can close this issue :)
…Sent from my iPhone
On Jan 25, 2022, at 7:41 PM, Aljoscha Pörtner ***@***.***> wrote:
Is someone actively working on it?
—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.
You are receiving this because you were mentioned.
|
|
I'd imagine gitlab-org/gitlab issue 223679 should resolve this but the timeline seems bit fluid (and far out there). |
|
We've made it work with CI_JOB_TOKEN by making just a few small changes to semantic-release and semant-release/gitlab. As described in another thread here |
|
Honestly, this is needed not just for convenience but also security. Semantic-release needs to have full write access to your code when there isn't any need or requirement for that. To use this tool you have to open a pretty large security hole that doesn't need to be opened. |
|
I'd like to bring back an attention to that topic to use Current limitation is identified, that semantic-release core is doing a check whether it can push a tag. On GitLab integration, creating a tag is not needed. Creation of a Release (via api, what this project is doing) is sufficient enough to make a release, because it results with a tag, as mentioned above (#156 (comment)). What is more, For that purpose I think there should be possible to skip pushing a tags by semantic-release core and then this check could be optional. The rationale behind that is:
Having that said, CI_JOB_TOKEN is the most secure way of triggering a Release process on GitLab. |
|
we hear the request. see semantic-release/semantic-release#1729 (comment) for our current response |
|
since this depends on changes in core to enable this, having two threads related to this is making this conversation more difficult to track. closing this in favor of semantic-release/semantic-release#1729. let's please consolidate further conversation there |
|
https://gitlab.com/gitlab-org/gitlab/-/issues/468320 This might be possible soon in Gitlab 17.3 or 17.4 |
Thanks for sharing @wwuck, I have not yet seen that! With that functionality in place we would not need any /cc @travi @JonasSchubert |
|
I enabled the feature flag for the feature @wwuck mentioned, and it does pass: From my inital research, it's because an api request is being made here: https://github.com/semantic-release/gitlab/blob/master/lib/verify.js#L67 Either the Job Token isn't allowed to make a request to the |
Not sure, but I think header
EDIT EDIT: it does (EXAMPLE: https://docs.gitlab.com/ee/api/jobs.html#get-job-tokens-job)! But |
|
Judging from the age and last update on this issue, the job token probably won't ever be able to access the projects endpoint, atleast not in the near future. @fgreinacher Should we just skip the permissions check in https://github.com/semantic-release/gitlab/blob/master/lib/verify.js if GITLAB_TOKEN is equal to the CI_JOB_TOKEN? |
|
Hm, how would we know that the token is a job token? |
We'd require the variables:
GITLAB_TOKEN: $CI_JOB_TOKENand inside of the |
Is there anything against additionally defaulting the |
|
I don't think we should default the GitLab token to |
|
One issue both for and against using the JOB TOKEN is that it is associated with the user that triggered the pipeline. I am in the desirable camp: While it may cause unexpected variation, using CI_JOB_TOKEN prevents privilege escalation via semantic-release. |
GitLab CI injects
CI_JOB_TOKENto allow a pipeline job to access a project resource through public v4 API. Not all of APIs support job token auth, however, release creation API is already supported. So in theory, executingGITLAB_TOKEN=$CI_JOB_TOKENshould be suffice to run semantic-release.However, as I tested https://gitlab.com/dosuken123/semantic-release-test/-/jobs/628942282, it didn't succeed as semantic-release tried remote Git repository authentication. I'm not sure why it's necessary as the tag creation is done via the above API call.
If
CI_JOB_TOKENauth is possible, it's very convenient to run semantic-release in GitLab CI as users don't need to create PAT.The text was updated successfully, but these errors were encountered: