feat: enable support for using job token authentication #859
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR adds support for authenticating to GitLab via CI Job Tokens with corresponding configuration, error handling, and documentation updates. Key changes include:
- New tests verifying correct behavior when using job tokens, including error handling for commenting.
- Updates to configuration and API calls across multiple modules to correctly use token headers based on the token type.
- Documentation updates in README and error messages to explain job token usage.
Reviewed Changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| test/verify.test.js | Added tests to verify error throwing when comment conditions are not set for job tokens. |
| test/resolve-config.test.js | Introduced job token related options and configuration properties. |
| test/integration.test.js | Added integration test for GitLab authentication using job tokens. |
| test/helpers/mock-gitlab.js | Updated mock to conditionally use "Job-Token" header for job tokens. |
| lib/verify.js | Updated verification flow to handle job token authentication. |
| lib/success.js | Updated token header usage in success flow. |
| lib/resolve-config.js | Extended configuration resolution for job token support. |
| lib/publish.js | Updated token header usage when publishing releases. |
| lib/fail.js | Updated token header usage in failure handling. |
| lib/definitions/errors.js | Extended error definitions to support job token related issues. |
| README.md | Clarified documentation regarding different token types and usage. |
| const env = { GL_TOKEN: "gitlab_token", CI_JOB_TOKEN: "gitlab_token" }; | ||
| const owner = "test_user"; | ||
| const repo = "test_repo"; | ||
| const options = { repositoryUrl: `https://github.com/${owner}/${repo}.git` }; |
There was a problem hiding this comment.
The repositoryUrl is set to 'github.com' instead of 'gitlab.com', which may lead to incorrect project path resolution in GitLab authentication tests. Consider updating the URL to 'https://gitlab.com/${owner}/${repo}.git'.
| const options = { repositoryUrl: `https://github.com/${owner}/${repo}.git` }; | |
| const options = { repositoryUrl: `https://gitlab.com/${owner}/${repo}.git` }; |
Copilot uses AI. Check for mistakes.
| if (isJobToken && !(failCommentCondition === false) && !(successCommentCondition === false)) { | ||
| errors.push(getError("EJOBTOKENCOMMENTCONDITION", { projectPath })) | ||
| } |
There was a problem hiding this comment.
@arvest-bjoneson Will all the other endpoints listed at #846 (comment) work with the job token or do we need more checks like this?
| ) { | ||
| errors.push(getError("EGLNOPUSHPERMISSION", { projectPath })); | ||
| if (isJobToken) { | ||
| await got.get(urlJoin(projectApiUrl, "releases"), { headers: { [tokenHeader]: gitlabToken } }); |
There was a problem hiding this comment.
Is this enough to check whether the job token has enough permissions to push?
| #### Job Token | ||
| Ensure your project is configured to [allow git push requests for job tokens](https://docs.gitlab.com/ci/jobs/ci_job_token/#allow-git-push-requests-to-your-project-repository), and assign the value of `CI_JOB_TOKEN` to `GL_TOKEN`. | ||
|
|
||
| **Note**: Due to limitations on [job token](https://docs.gitlab.com/ci/jobs/ci_job_token/) access, comments on merge requests and issues must be explicitly disabled. See: [successCommentCondition](#successcommentcondition) and [failCommentCondition](#failcommentcondition). |
There was a problem hiding this comment.
I'd like to set the bar a bit higher as long as this is still feature flagged in GitLab. Could you expose a dedicated option to enable this behavior and also mention this more clearly here?
There was a problem hiding this comment.
Thanks for your contribution @arvest-bjoneson, I did a first pass and left some questions 🙇
|
Gitlab Engineer here, Let me know if you need any help on moving this forward. |
|
@tachyons : You can look at the discussions of these two pull requests: One of the problems we're having is accessing multiple GitLab APIs with a JOB_CI_TOKEN. For these APIs, GitLab doesn't allow to access them with a CI_JOB_TOKEN. We either need to find equivalent APIs that are accessible, or we need GitLab to support access to these APIs with a CI_JOB_TOKEN. I tried to implement this for one of the APIs, but it got stuck on GitLab's end. You can look at these merge requests and the discussions that took place in the merge request 189929: |
|
@tachyons : Your help would be greatly appreciated. Please let us know if you plan to help us move this forward. |
This feature adds support for using CI Job Tokens for authentication to the gitlab API. This will work as-is, provided the user is able to enable: https://docs.gitlab.com/ci/jobs/ci_job_token/#allow-git-push-requests-to-your-project-repository
This is feature flagged, but set to be enabled on gitlab.com in the near future.
Job tokens are unable to comment on merge requests and issues, so there is an explicit check in the verify stage for this.
Since the base project endpoint is unavailable, it uses the releases endpoint to verify auth when using a job token.
This addresses outstanding issues in: #846