How to easily employ an external RPM package build system as CI/CD
Hi, I'm one of the Fedora Copr maintainers (an RPM build system).
I've spent some time reading the GitLab docs to find a secure way to allow gitlab.com users to do CI/CD through our build system (for FOSS projects).
Sync approach
We could use the Turing-complete power of Runners, but building an RPM package can take some time (hours), and I suppose we'd be facing timeout issues.
Async approach
I have found that we can easily start builds with webhooks, but every user would have to configure some webhook(s) (step 1). This is the secure part, but not entirely convenient.
Then we need to allow the build system to somehow update the commit statuses, perhaps using some credentials -- and I only found that personal access tokens would be usable (step 2). The current problem seems to be that, to make this work, the access token needs to have the full API permissions. That doesn't seem secure (at the build system level, we don't want to be given the ability to manipulate the repositories; we only want to create and modify commit statuses).
What to do?
Is there some common pattern to implement some CI/CD hook like that? Or
could we create -- alongside the api, read_api, etc. token permissions -- another permission level like commit_status?
Or should we rather think about the Settings => Integrations category?
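The two steps of the async approach, as an added Python illustration that is not code from the post, from Copr, or from GitLab: step 1 is the webhook receiver checking the X-Gitlab-Token secret the user configured on the hook, and step 2 is the POST /projects/:id/statuses/:sha call that sets a commit status with a PRIVATE-TOKEN header. The secret, the token value, the Copr build URL and the sample push payload are all constructed for the example. Nothing here narrows what the token may do; as the post says, the scope is whatever the personal access token was created with, which is exactly the concern.

```python
import hmac
import json
import urllib.parse
import urllib.request

GITLAB_API = "https://gitlab.com/api/v4"
# Hypothetical secret: in practice it is the "Secret token" the user enters when
# creating the webhook (step 1) and the build system stores it per project.
WEBHOOK_SECRET = "example-webhook-secret"

# Constructed sample delivery shaped like a GitLab "Push Hook" (values made up).
SAMPLE_HEADERS = {
    "X-Gitlab-Event": "Push Hook",
    "X-Gitlab-Token": WEBHOOK_SECRET,
}
SAMPLE_BODY = json.dumps({
    "object_kind": "push",
    "ref": "refs/heads/main",
    "before": "1" * 40,
    "after": "2" * 40,
    "checkout_sha": "2" * 40,
    "project": {"id": 4242, "path_with_namespace": "example/hello"},
})

# States accepted by the commit status API.
VALID_STATES = {"pending", "running", "success", "failed", "canceled"}


def verify_webhook(headers, expected_secret):
    """Step 1: accept a delivery only if X-Gitlab-Token matches the secret
    configured on the webhook. compare_digest keeps the check constant-time."""
    presented = headers.get("X-Gitlab-Token", "")
    return hmac.compare_digest(presented.encode(), expected_secret.encode())


def parse_push_event(headers, body):
    """Pull project id, commit sha and ref out of a Push Hook payload.
    Returns None for a branch deletion (all-zero sha): nothing to build."""
    if headers.get("X-Gitlab-Event") != "Push Hook":
        raise ValueError("unsupported event: %r" % headers.get("X-Gitlab-Event"))
    payload = json.loads(body)
    sha = payload.get("checkout_sha") or payload.get("after")
    if not sha or set(sha) == {"0"}:
        return None
    return {"project_id": int(payload["project"]["id"]),
            "sha": sha, "ref": payload["ref"]}


def build_status_request(project_id, sha, state, token, name="copr",
                         target_url=None, description=None):
    """Step 2: describe the POST /projects/:id/statuses/:sha call that sets a
    commit status. The token in PRIVATE-TOKEN authorises the write; the request
    itself cannot restrict what else that token may do."""
    if state not in VALID_STATES:
        raise ValueError("bad state %r" % state)
    fields = {"state": state, "name": name}
    if target_url:
        fields["target_url"] = target_url
    if description:
        fields["description"] = description
    return {
        "url": "%s/projects/%d/statuses/%s" % (GITLAB_API, project_id, sha),
        "headers": {"PRIVATE-TOKEN": token},
        "data": urllib.parse.urlencode(fields).encode(),
    }


def post_status(request, opener=urllib.request.urlopen):
    """Send a request built above. 'opener' is injectable so the function can
    be exercised without network access."""
    req = urllib.request.Request(request["url"], data=request["data"],
                                 headers=request["headers"], method="POST")
    with opener(req) as resp:
        return json.loads(resp.read().decode())


def handle_delivery(headers, body, secret, token, start_build):
    """Glue: verify the hook, parse it, queue the build (start_build is the
    caller's hypothetical build-system call returning a build URL), and
    return the 'pending' status request to send back."""
    if not verify_webhook(headers, secret):
        raise PermissionError("webhook secret mismatch")
    event = parse_push_event(headers, body)
    if event is None:
        return None
    build_url = start_build(event)
    return build_status_request(event["project_id"], event["sha"], "pending",
                                token, target_url=build_url,
                                description="queued in Copr")


if __name__ == "__main__":
    req = handle_delivery(SAMPLE_HEADERS, SAMPLE_BODY, WEBHOOK_SECRET,
                          "glpat-example", lambda ev: "https://copr.example/build/1")
    print(req["url"])
```

Once a build finishes, the same build_status_request call with state "success" or "failed" (and the build log as target_url) is sent through post_status; everything the build system ever sends is one of these status writes, which is why a token scope limited to them would suffice.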