feat: enable support for using job token authentication #859
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR adds support for authenticating to GitLab via CI Job Tokens with corresponding configuration, error handling, and documentation updates. Key changes include:
- New tests verifying correct behavior when using job tokens, including error handling for commenting.
- Updates to configuration and API calls across multiple modules to correctly use token headers based on the token type.
- Documentation updates in README and error messages to explain job token usage.
Reviewed Changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| test/verify.test.js | Added tests to verify error throwing when comment conditions are not set for job tokens. |
| test/resolve-config.test.js | Introduced job token related options and configuration properties. |
| test/integration.test.js | Added integration test for GitLab authentication using job tokens. |
| test/helpers/mock-gitlab.js | Updated mock to conditionally use "Job-Token" header for job tokens. |
| lib/verify.js | Updated verification flow to handle job token authentication. |
| lib/success.js | Updated token header usage in success flow. |
| lib/resolve-config.js | Extended configuration resolution for job token support. |
| lib/publish.js | Updated token header usage when publishing releases. |
| lib/fail.js | Updated token header usage in failure handling. |
| lib/definitions/errors.js | Extended error definitions to support job token related issues. |
| README.md | Clarified documentation regarding different token types and usage. |
| const env = { GL_TOKEN: "gitlab_token", CI_JOB_TOKEN: "gitlab_token" }; | ||
| const owner = "test_user"; | ||
| const repo = "test_repo"; | ||
| const options = { repositoryUrl: `https://github.com/${owner}/${repo}.git` }; |
There was a problem hiding this comment.
The repositoryUrl is set to 'github.com' instead of 'gitlab.com', which may lead to incorrect project path resolution in GitLab authentication tests. Consider updating the URL to 'https://gitlab.com/${owner}/${repo}.git'.
| const options = { repositoryUrl: `https://github.com/${owner}/${repo}.git` }; | |
| const options = { repositoryUrl: `https://gitlab.com/${owner}/${repo}.git` }; |
Copilot uses AI. Check for mistakes.
| if (isJobToken && !(failCommentCondition === false) && !(successCommentCondition === false)) { | ||
| errors.push(getError("EJOBTOKENCOMMENTCONDITION", { projectPath })) | ||
| } |
There was a problem hiding this comment.
@arvest-bjoneson Will all the other endpoints listed at #846 (comment) work with the job token or do we need more checks like this?
| ) { | ||
| errors.push(getError("EGLNOPUSHPERMISSION", { projectPath })); | ||
| if (isJobToken) { | ||
| await got.get(urlJoin(projectApiUrl, "releases"), { headers: { [tokenHeader]: gitlabToken } }); |
There was a problem hiding this comment.
Is this enough to check whether the job token has enough permissions to push?
| #### Job Token | ||
| Ensure your project is configured to [allow git push requests for job tokens](https://docs.gitlab.com/ci/jobs/ci_job_token/#allow-git-push-requests-to-your-project-repository), and assign the value of `CI_JOB_TOKEN` to `GL_TOKEN`. | ||
|
|
||
| **Note**: Due to limitations on [job token](https://docs.gitlab.com/ci/jobs/ci_job_token/) access, comments on merge requests and issues must be explicitly disabled. See: [successCommentCondition](#successcommentcondition) and [failCommentCondition](#failcommentcondition). |
There was a problem hiding this comment.
I'd like to set the bar a bit higher as long as this is still feature flagged in GitLab. Could you expose a dedicated option to enable this behavior and also mention this more clearly here?
There was a problem hiding this comment.
Thanks for your contribution @arvest-bjoneson, I did a first pass and left some questions 🙇
This feature adds support for using CI Job Tokens for authentication to the gitlab API. This will work as-is, provided the user is able to enable: https://docs.gitlab.com/ci/jobs/ci_job_token/#allow-git-push-requests-to-your-project-repository
This is feature flagged, but set to be enabled on gitlab.com in the near future.
Job tokens are unable to comment on merge requests and issues, so there is an explicit check in the verify stage for this.
Since the base project endpoint is unavailable, it uses the releases endpoint to verify auth when using a job token.
This addresses outstanding issues in: #846