Changelog: changelog_manager stage needs ability to commit back to master
changelog_manager.rb from #337 (closed) is now integrated into the CI pipeline with changelog_manager stage. This stage is currently marked as allow_failure: true due to the fact that we need to understand how to allow the pipeline to commit back to master (commit includes [ci skip]).
There is an open ~"Feature Request" at Feature Request: Allow runners to push via their CI token, however there has been no official plan to address it. There are also a few examples provided from the community within the discussion thread.
Most of these seem to come down to:
- Create new GitLab account, with ssh key
- Configure runner to use this account's email for git, and accompanying ssh key for access.
- Supplying the ssh key as a protected secret, so that the job can function with minimal security exposure.
An alternative to ssh would be to make use of a PAT from the other account and cloning/pushing over https, though we'd have to be careful of git's output.
I dislike the approach of using a separate account, as we'd lose tracing of where the commit was sourced from, as opposed to being able to use the CI's token in the name of the person running the pipeline (e.g. the person with merge rights to master that performed the merge that triggered the pipeline on master). Top that off with having to manage this separate account.
Another method seen in the discussion on the Feature Request thread was to use a PAT in order to create an MR and merge it via the API, but this has the downside of adding complexity and clutter via 'excess' MR activity.
I'd like to hear from the team on how we might approach solving this problem as it prevents us from fully automating CHANGELOG.md.
Blocks #289 (closed)
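
One way to handle the "careful of git's output" concern with the PAT-over-https option described above, as an added example that is not part of the original issue or the project's code. The variable names CHANGELOG_PUSH_USER and CHANGELOG_PUSH_TOKEN and all function names are assumptions.

```shell
# Added example (not from the issue or the project). Assumed names:
# CHANGELOG_PUSH_USER / CHANGELOG_PUSH_TOKEN are protected CI variables.

# Replace every literal occurrence of the token in stdin with [MASKED].
# The token reaches awk through the environment, never through argv.
redact_token() {
  REDACT="$1" awk '
    { t = ENVIRON["REDACT"]; rest = $0; out = ""
      while (t != "" && (i = index(rest, t)) > 0) {
        out = out substr(rest, 1, i - 1) "[MASKED]"
        rest = substr(rest, i + length(t))
      }
      print out rest }'
}

# Create a GIT_ASKPASS helper that answers git's prompts from the environment,
# so the token is never part of the remote URL, .git/config or a command line.
write_askpass() {
  askpass_file="$(mktemp)" || return 1
  cat > "$askpass_file" <<'EOF'
#!/bin/sh
case "$1" in
  Username*) printf '%s\n' "$CHANGELOG_PUSH_USER" ;;
  Password*) printf '%s\n' "$CHANGELOG_PUSH_TOKEN" ;;
esac
EOF
  chmod 700 "$askpass_file"
  printf '%s\n' "$askpass_file"
}

# Push HEAD to <branch> on <remote_url>; git's output is captured and masked
# before it is printed, and git's exit status is returned to the job.
push_changelog() {
  helper="$(write_askpass)" || return 1
  status=0
  out="$(GIT_ASKPASS="$helper" GIT_TERMINAL_PROMPT=0 \
    git -c credential.helper= push "$1" "HEAD:$2" 2>&1)" || status=$?
  rm -f "$helper"
  printf '%s\n' "$out" | redact_token "${CHANGELOG_PUSH_TOKEN:-}"
  return "$status"
}
```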