How to create a Git tag in Gitlab CI without using personal credentials?
I'm using GitLab Enterprise Edition 14.6.5-ee

I want to create a Git tag automatically when I merge a branch back to master. I'm fine with the actual Git commands; the problem is with the authentication: the build bot doesn't know how to authenticate back to the server. There's an answer here on how to set up SSH keys. But this requires me to use my personal credentials, which is just wrong, because it's not me creating the tag; it's the build bot.

Seriously, it just doesn't make sense to say that the bot doesn't know how to authenticate. I mean, it just pulled the freakin' code from the repo! So why is it such a big leap from being able to pull code to being able to push code?

Any ideas on how to automate the creation of tags without using my personal credentials?

Slovenia answered 11/5, 2022 at 14:24 Comment(0)

CI jobs do have a builtin credential token for accessing the repository: the $CI_JOB_TOKEN variable. However this token only has read permissions, so it won't be able to create tags. To write to the repository or API, you'll have to supply a token or SSH key to the job. However, this doesn't necessarily have to be your personal token.

There are a few ways you can authenticate to write to the project without using a personal credential:

So why is it such a big leap from being able to pull code to being able to push code?

This is probably a good thing. While it may require you to do extra work in this case, the builtin job authorization tries to apply the principle of least privilege. Many customers have even argued that the existing CI_JOB_TOKEN permissions are too permissive because they allow access to read other projects!

In any case, it is on GitLab's roadmap to make these permissions more controllable and flexible :-)

Alternatively, use releases

If you don't mind creating a release in addition to a tag, you could also use the release: keyword in the CI yaml as an easy way to create the tag.

It's somewhat of an irony that the releases API allows you to use the builtin CI_JOB_TOKEN to create releases (and presumably tags) but you cannot (as far as I know) use CI_JOB_TOKEN on the tags API to create a tag.

However, in this case, it will still have the effect that the release and tag appear to be created by you.

Karnak answered 11/5, 2022 at 22:10 Comment(0)
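The two approaches the answer describes, as an added `.gitlab-ci.yml` example that is not part of the original answer: the `release:` keyword, which lets release-cli authenticate with the job's own `CI_JOB_TOKEN`, and a plain `git push` using a project-scoped token stored in a CI/CD variable instead of a personal credential. The job names, the tag naming scheme and the variable name `TAG_PUSH_TOKEN` (assumed to hold a project access token with `write_repository` scope, stored as a masked, protected variable) are assumptions.

```yaml
# Added example, not from the question or answer. Use ONE of the two jobs;
# both are shown for comparison and would otherwise try to create the same tag.
stages:
  - tag

# 1) release: keyword. release-cli calls the releases API with CI_JOB_TOKEN,
#    so no extra secret is configured in the job. The release (and its tag)
#    will show the pipeline's triggering user as the creator.
release_tag:
  stage: tag
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  script:
    - echo "Creating release and tag for $CI_COMMIT_SHORT_SHA"
  release:
    tag_name: "v1.0.$CI_PIPELINE_IID"   # assumed scheme; unique per pipeline
    ref: $CI_COMMIT_SHA
    description: "Automated release from pipeline $CI_PIPELINE_ID"

# 2) Plain git push with a project-scoped token. TAG_PUSH_TOKEN (assumed name)
#    is a masked, protected CI/CD variable holding a project access token with
#    write_repository scope, so no user's personal credential is involved and
#    the token can be rotated or revoked independently of any person.
push_tag:
  stage: tag
  image: alpine/git:latest
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: manual
  script:
    - git config user.name "ci-bot"
    - git config user.email "ci-bot@example.invalid"
    - TAG="v1.0.$CI_PIPELINE_IID"
    - git tag -a "$TAG" -m "Tagged by pipeline $CI_PIPELINE_ID"
    # Any non-blank username is accepted with an access token over HTTPS.
    - git push "https://oauth2:${TAG_PUSH_TOKEN}@${CI_SERVER_HOST}/${CI_PROJECT_PATH}.git" "$TAG"
```

Marking `TAG_PUSH_TOKEN` as masked keeps it out of job logs, and restricting it to protected branches limits which pipelines can push tags at all.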
