Allow push to the own repo using CI_JOB_TOKEN
Related to issue: #389060 (closed)
What does this MR do and why?
This is the first iteration, which introduces a policy, the Git access layer, and a DB migration; the API for the push_repository_for_job_token_allowed setting will be introduced in the follow-up MR.
CI_JOB_TOKEN allows cloning a private repo, but doesn't allow pushing back to the same repo.
Users can push with a personal access token or project access token, but we want to give them a shorter-lived token like CI_JOB_TOKEN to be able to do this with.
This MR introduces the ability to push using CI_JOB_TOKEN to its own project repository if the ci_cd_settings push_repository_for_job_token_allowed setting is enabled (disabled by default).
In this MR we introduce a policy and ci_cd_settings; the API for the push_repository_for_job_token_allowed setting will be introduced in the follow-up MR.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
DB migrations
Up
main: == [advisory_lock_connection] object_id: 124700, pg_backend_pid: 10892
main: == 20240506164707 AddPushRepositoryForJobTokenAllowedToProjectCiCdSettings: migrating
main: -- transaction_open?(nil)
main: -> 0.0000s
main: -- add_column(:project_ci_cd_settings, :push_repository_for_job_token_allowed, :boolean, {:default=>false, :null=>false, :if_not_exists=>true})
main: -> 0.0303s
main: == 20240506164707 AddPushRepositoryForJobTokenAllowedToProjectCiCdSettings: migrated (0.0448s)
main: == [advisory_lock_connection] object_id: 124700, pg_backend_pid: 10892
Rollback
main: == [advisory_lock_connection] object_id: 124700, pg_backend_pid: 10460
main: == 20240506164707 AddPushRepositoryForJobTokenAllowedToProjectCiCdSettings: reverting
main: -- transaction_open?(nil)
main: -> 0.0000s
main: -- remove_column(:project_ci_cd_settings, :push_repository_for_job_token_allowed, {:if_exists=>true})
main: -> 0.0201s
main: == 20240506164707 AddPushRepositoryForJobTokenAllowedToProjectCiCdSettings: reverted (0.0326s)
main: == [advisory_lock_connection] object_id: 124700, pg_backend_pid: 10460
How to set up and validate locally
- In rails console, enable push_repository_for_job_token_allowed on ci_cd_settings of the selected project.
- Add a .gitlab-ci.yml:

    # Pushes one commit back to the job's own repository using CI_JOB_TOKEN.
    # The commit-title check stops the job from re-triggering itself on its own push.
    push_own_repository:
      script:
        - if [ "$CI_PIPELINE_SOURCE" == "push" ] && [ "${CI_COMMIT_TITLE}" != "Update readme and stop" ]; then
            git clone http://gitlab-ci-token:${CI_JOB_TOKEN}@gdk.test:3000/test_repository/push_to_own_repo.git;
            cd push_to_own_repo;
            echo test >> README.md;
            git commit -am 'Update readme and stop';
            git push origin HEAD;
          else
            echo "Pipeline triggered by the initial push or the same script. Skipping recursive push. 1";
          fi

- Test that it will be allowed to push to its own repository during job execution.