Offer a more reliable and secure API calling method
Currently, the only way to do API calls from the gitlab-ci file is using curl. Sadly, there is no API-ish command, so we have to rely on getting curl available for the job. Not a problem; there are plenty of Docker images or other methods.
Now, using curl is cumbersome at best, horrible in all other cases. As a user, I expect that anything in the scripts bit will be passed to the shell, or almost everything. As already mentioned in the README, however, this is not exactly true, as the YAML parser goes over this first, causing extreme pain: the strangest reserved characters now suddenly need to be escaped.
For example, a normal shell based curl line would look like this:
```shell
curl --fail --silent --show-error \
  --data '{"tag_name": "${CI_COMMIT_TAG}", "name": "${CI_PROJECT_NAME} ${CI_COMMIT_TAG}", "description": "${CI_COMMIT_TAG_MESSAGE}"}' \
  --header "Content-Type: application/json" \
  --header "Private-Token: ${CI_PRIVATE_TOKEN}" \
  --request POST \
  "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/releases"
```
This fails, however, on so many levels; it has cost me almost 2 days to find something that works.
For one, we can't pass parameters to curl, as the special character '-' gets eaten by the YAML parser. Fine, we turn it into a multi-line YAML (- |) then (which is annoying in itself, but if we make it a one-line multi-line, we can still see lines[0] in the output).
Good. Secondly, there is the matter of the simple colon; I still haven't quite figured out when it does and when it does not get gobbled up. Even though the YAML validator (several) will claim the YAML is valid, the gitlab-runner and the YAML parser will all eat quotes left and right, and the command fails, but without any clue what was actually executed.
This brings us to our third problem. As the only way we have to pass the token along is using curl's --header 'Private-Token: ' method, if curl does indeed turn into an erroneous state, in some cases it will very happily print the entire request that went bad, including the Private-Token and the actual content.
Fourthly, more characters get gobbled. Which, again, is mentioned in the documentation, but when looking at the API documentation, all examples are cURL based, which is great, but in the CI documentation there is not a single example. The most helpful example would have been with the newly introduced releases feature, where it even states: put curl in your gitlab-ci.yml file. What's even more frustrating is that figuring out what gets gobbled up is just a matter of trial and lots and lots of error. For instance, in the case of the release API: if no data is supplied at all, it tells you in the error message that all 3 required parameters are missing; passing any data, however, silences this. So was it --data "" that was passed? Was it --data "{}"? Invalid data? Nobody knows. --trace-ascii helps somewhat, to at least see 'something' gets passed.
For releases, this could be solved using something very similar to the 'artifact' feature. So the MVP would be a 'release' tag, with the proper data fields filled, to create a release job. And while this would probably be one of the more important use cases of curl in the .gitlab-ci.yml file, I'm not sure how easy it would be to solve this for other API call usage ...
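An added example, not part of the original issue and not GitLab's own code: the release call from the curl line above, moved into a script so that the JSON body and the Private-Token header never pass through the YAML parser or shell quoting, and so the token is masked in anything the job prints. It assumes the same CI variables as the curl line and a job whose script is a single line such as python3 create_release.py (a hypothetical file name).

```python
import json
import os
import sys
import urllib.error
import urllib.request

# Variable names are the ones used in the curl line above.
REQUIRED = ("CI_API_V4_URL", "CI_PROJECT_ID", "CI_PROJECT_NAME",
            "CI_COMMIT_TAG", "CI_PRIVATE_TOKEN")


def build_release_request(env):
    """Build the same POST as the curl line, from CI variables in `env`."""
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        raise ValueError("missing CI variables: " + ", ".join(missing))
    body = {
        "tag_name": env["CI_COMMIT_TAG"],
        "name": f"{env['CI_PROJECT_NAME']} {env['CI_COMMIT_TAG']}",
        "description": env.get("CI_COMMIT_TAG_MESSAGE", ""),
    }
    # json.dumps escapes quotes and newlines, so the tag message cannot
    # break the JSON the way string interpolation in the shell can.
    return urllib.request.Request(
        f"{env['CI_API_V4_URL']}/projects/{env['CI_PROJECT_ID']}/releases",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Private-Token": env["CI_PRIVATE_TOKEN"]},
    )


def create_release(env, opener=urllib.request.urlopen):
    """Send the request; return (status, response text with the token masked)."""
    request = build_release_request(env)
    try:
        with opener(request, timeout=30) as response:
            status, raw = response.status, response.read()
    except urllib.error.HTTPError as error:
        # Keep the API's error body so the job log shows what was rejected.
        status, raw = error.code, error.read()
    text = raw.decode("utf-8", "replace")
    return status, text.replace(env["CI_PRIVATE_TOKEN"], "[REDACTED]")


if __name__ == "__main__":
    code, message = create_release(os.environ)
    print(code, message, file=sys.stderr if code >= 400 else sys.stdout)
    sys.exit(0 if 200 <= code < 300 else 1)
```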