Skip to content

Support for CI_JOB_TOKEN instead of GL_TOKEN or GITLAB_TOKEN env var being setup #724

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
arkhoss opened this issue May 29, 2024 · 4 comments
Closed

Support for CI_JOB_TOKEN instead of GL_TOKEN or GITLAB_TOKEN env var being setup #724

arkhoss opened this issue May 29, 2024 · 4 comments
Labels
feature

Comments

@arkhoss
Copy link

arkhoss commented May 29, 2024

Hi everyone! thanks for the plugin, it does quite a nice job, that being said, I would like to ask for a feature or support of a CI predefined variable, called CI_JOB_TOKEN.

When a CI/CD pipeline job is about to run, GitLab generates a unique token and makes it available to the job as the CI_JOB_TOKEN predefined variable. The token is valid only while the job is running. After the job finishes, the token access is revoked and you cannot use the token anymore.

I've tried a pipeline using variables like:

job:
--- snip ---
variables:
  GITLAB_TOKEN: ${CI_JOB_TOKEN}

also tried,

script:
  - export GITLAB_TOKEN=${CI_JOB_TOKEN}
  - npx semantic-release

but in both cases, I get errors in the Job related to EINVALIDGLTOKEN from verify.js file at: https://github.com/semantic-release/gitlab/blob/master/lib/verify.js#L84

Now, It might be me doing something wrong or lack of understanding of the GITLAB_TOKEN and GL_TOKEN variables, but I believe this should achieved without need to static assign a value or token in the CI/CD variables of the project or group.

imho, a dynamic token like CI_JOB_TOKEN it might be a better approach. If this is already supported please then close this request. Thanks!
@Blackclaws
Copy link

Blackclaws commented May 30, 2024
edited
Loading

The reason this doesn't work is because the headers are wrong for the api calls:

gitlab/lib/publish.js

Line 33 in 71b337f

"PRIVATE-TOKEN": gitlabToken,

If you fork this plugin and change that to "JOB-TOKEN" it can use the job token. You'll also have to change the verify.js step though as it also uses the token there.

Semantic release will probably still fail as it checks whether it can push no matter how you release. Hence why I also forked semantic-release and changed that for our CI/CD system.

@JonasSchubert
Copy link
Contributor

See also #156

@fgreinacher
Copy link
Contributor

As @JonasSchubert mentions above this is the same request as #156 which was closed in favor of the more general semantic-release issue semantic-release/semantic-release#1729. I'm therefore also going to close this one. Feel free to subscribe for the semantic-release issue for updates 🙇

@fgreinacher fgreinacher closed this as not planned Won't fix, can't repro, duplicate, stale Jun 11, 2024
@wwuck
Copy link

wwuck commented Jul 23, 2024

https://gitlab.com/gitlab-org/gitlab/-/issues/468320 This might be possible soon in Gitlab 17.3 or 17.4

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@wwuck @fgreinacher @Blackclaws @JonasSchubert @arkhoss