Glab cluster bootstrap fails when signed commits from the GitLab UI are enabled

Checklist

  • I'm using the latest version of the extension (Run glab --version)
    • Extension version: glab 1.67.0 (1e957280)
  • Operating system and version: Linux Ubuntu 22.04
  • Gitlab.com or self-managed instance? self-managed instance
  • GitLab version (if self-managed) 18.2.4-ee
  • I have performed glab auth status to check for authentication issues
  • Run the command in debug mode (like DEBUG=true glab mr list) and attach any useful output

Summary

When GitLab “Signed commits for the UI (web commits)” are enabled on a self-managed instance, the command glab cluster agent bootstrap fails.

The cause is that the bootstrap logic uses hardcoded author information (glab <noreply@glab.gitlab.com>) in the API wrapper (apiWrapper.ConfigureAgent). GitLab then rejects these commits, because web/API commits must have an author that matches the authenticated user when signing is enforced.

Environment

  • OS: Linux Ubuntu 22.04 x86_64
  • SHELL: bash
  • TERM: xterm-256color
  • GLAB: glab 1.67.0 (1e957280)

Steps to reproduce

  • Enable Signed commits for the UI in GitLab (using the feature flag).

  • Run:

    glab auth login # authenticate with a valid PAT

    glab cluster agent bootstrap --agent-name some-agent --project common-projects/cluster-config

  • Observe the error when the bootstrap tries to commit .gitlab/agents/<agent>/config.yaml via the Repository Files API.

What is the current bug behavior?

glab cluster agent bootstrap fails with:

ERROR: PUT https://<gitlab-instance>/api/v4/projects/.../repository/files/...: 400 {message: 13:update reference: running pre-receive hooks: GitLab: For signed Web commits, the commit must be equal to the author.}

The commit is authored as glab <noreply@glab.gitlab.com>, which does not match the authenticated API user, so GitLab rejects it.

What is the expected correct behavior?

Bootstrap should succeed. Commits created via the Repository Files API should either:

  • Use the authenticated user as commit author by default, or
  • Allow overriding AuthorName / AuthorEmail (via env vars or flags).

Relevant logs and/or screenshots

Possible fixes

https://github.com/gl-cli/glab/blob/318bc52a935a57e140e85977fb1b557a70ea4853/internal/commands/cluster/agent/bootstrap/api_wrapper.go#L16-L21
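
An added sketch of the expected behaviour described above, not code from glab or from this report: resolve the commit author from an explicit override, otherwise from the user that owns the token (GET /api/v4/user), and pass the result as author_name / author_email to the Repository Files API. The environment variable names GLAB_COMMIT_AUTHOR_NAME and GLAB_COMMIT_AUTHOR_EMAIL and the function ResolveAuthor are hypothetical, and using the user's "email" field as the value the server compares against is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"os"
)

// Author fills author_name / author_email on a Repository Files API commit.
type Author struct {
	Name  string `json:"name"`
	Email string `json:"email"`
}

// ResolveAuthor uses the override when both (hypothetical) env vars are set,
// and otherwise asks GitLab who owns the token via GET /api/v4/user.
func ResolveAuthor(c *http.Client, baseURL, token string) (Author, error) {
	a := Author{Name: os.Getenv("GLAB_COMMIT_AUTHOR_NAME"), Email: os.Getenv("GLAB_COMMIT_AUTHOR_EMAIL")}
	if a.Name != "" && a.Email != "" {
		return a, nil
	}
	req, err := http.NewRequest(http.MethodGet, baseURL+"/api/v4/user", nil)
	if err != nil {
		return Author{}, err
	}
	req.Header.Set("PRIVATE-TOKEN", token)
	resp, err := c.Do(req)
	if err != nil {
		return Author{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return Author{}, fmt.Errorf("GET /api/v4/user: %s", resp.Status)
	}
	a = Author{} // discard a half-set override before decoding
	if err := json.NewDecoder(resp.Body).Decode(&a); err != nil {
		return Author{}, err
	}
	if a.Name == "" || a.Email == "" {
		// Fail here rather than send a commit the pre-receive hook will reject.
		return Author{}, fmt.Errorf("token owner has no usable name/email")
	}
	return a, nil
}

func main() { // usage: GITLAB_TOKEN=<token> go run . https://<gitlab-instance>
	if len(os.Args) < 2 {
		fmt.Println("usage: GITLAB_TOKEN=<token> go run . <base-url>")
		return
	}
	fmt.Println(ResolveAuthor(http.DefaultClient, os.Args[1], os.Getenv("GITLAB_TOKEN")))
}
```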