
Allow push to the own repo using CI_JOB_TOKEN

Related to issue: #389060 (closed)

What does this MR do and why?

This is the first iteration, introducing a policy, the git access layer, and a DB migration; the API for the push_repository_for_job_token_allowed setting will be introduced in a follow-up MR.

CI_JOB_TOKEN allows cloning a private repo, but doesn't allow pushing back to the same repo.

Users can push with a personal access token or a project access token, but we want to give them a shorter-lived token like CI_JOB_TOKEN to be able to do this with.

This MR introduces the ability to push using CI_JOB_TOKEN to its own project repository if the ci_cd_settings flag push_repository_for_job_token_allowed is enabled (disabled by default).

In this MR we introduce a policy and the ci_cd_settings column; the API for the push_repository_for_job_token_allowed setting will be introduced in the follow-up MR.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

DB migrations

Up

main: == [advisory_lock_connection] object_id: 124700, pg_backend_pid: 10892
main: == 20240506164707 AddPushRepositoryForJobTokenAllowedToProjectCiCdSettings: migrating 
main: -- transaction_open?(nil)
main:    -> 0.0000s
main: -- add_column(:project_ci_cd_settings, :push_repository_for_job_token_allowed, :boolean, {:default=>false, :null=>false, :if_not_exists=>true})
main:    -> 0.0303s
main: == 20240506164707 AddPushRepositoryForJobTokenAllowedToProjectCiCdSettings: migrated (0.0448s) 

main: == [advisory_lock_connection] object_id: 124700, pg_backend_pid: 10892

Rollback

main: == [advisory_lock_connection] object_id: 124700, pg_backend_pid: 10460
main: == 20240506164707 AddPushRepositoryForJobTokenAllowedToProjectCiCdSettings: reverting 
main: -- transaction_open?(nil)
main:    -> 0.0000s
main: -- remove_column(:project_ci_cd_settings, :push_repository_for_job_token_allowed, {:if_exists=>true})
main:    -> 0.0201s
main: == 20240506164707 AddPushRepositoryForJobTokenAllowedToProjectCiCdSettings: reverted (0.0326s) 

main: == [advisory_lock_connection] object_id: 124700, pg_backend_pid: 10460

How to set up and validate locally

  1. In the Rails console, enable push_repository_for_job_token_allowed on the ci_cd_settings of the selected project.
  2. Add a .gitlab-ci.yml:

     push_own_repository:
       script:
         - if [ "$CI_PIPELINE_SOURCE" == "push" ] && [ "${CI_COMMIT_TITLE}" != "Update readme and stop" ]; then
             git clone http://gitlab-ci-token:${CI_JOB_TOKEN}@gdk.test:3000/test_repository/push_to_own_repo.git;
             cd push_to_own_repo;
             echo test >> README.md;
             git commit -am 'Update readme and stop';
             git push origin HEAD;
           else
             echo "Pipeline triggered by the initial push or the same script. Skipping recursive push. 1";
           fi

  3. Test that the job is allowed to push to its own repository during job execution.
Edited by Dmytro Biryukov
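The access decision described in this MR, written out as an added, self-contained Ruby model (this is illustrative code, not GitLab's policy or git access layer). The record names JobToken, Project, CiCdSettings, the job_running flag and the module JobTokenGitAccess are assumptions made for the example; the only thing taken from the MR is the rule itself: a CI_JOB_TOKEN may read its own project's repository as before, and may push to it only while the job is running and only when the project's push_repository_for_job_token_allowed setting is true (the default is false). The model only covers the job's own project; cross-project access is out of scope for this MR.

```ruby
# Added example (not GitLab's code): models the git access check this MR
# introduces for `git push` over HTTP with a CI_JOB_TOKEN.
# All class and method names below are assumptions for the example.

# Constructed stand-ins for the records involved.
CiCdSettings = Struct.new(:push_repository_for_job_token_allowed)
Project      = Struct.new(:id, :full_path, :ci_cd_settings)
# A CI_JOB_TOKEN is bound to one job in one project and is only valid while
# that job runs; we model that with the job's project and a running flag.
JobToken     = Struct.new(:project, :job_running)

module JobTokenGitAccess
  module_function

  # Reading (git clone / fetch) the job's own project was already allowed
  # before this MR, as long as the job is still running.
  def pull_allowed?(token, target)
    token.job_running && token.project.id == target.id
  end

  # Writing (git push) is what this MR adds: same project, job still
  # running, and the per-project setting enabled (false by default).
  def push_allowed?(token, target)
    return false unless token.job_running
    return false unless token.project.id == target.id

    target.ci_cd_settings.push_repository_for_job_token_allowed == true
  end

  # Access-layer style entry point: returns :allowed or a denial reason.
  def check(token, target, action)
    case action
    when :pull then pull_allowed?(token, target) ? :allowed : :denied_pull
    when :push then push_allowed?(token, target) ? :allowed : :denied_push
    else :unknown_action
    end
  end
end

# Toggling the setting, as step 1 of the local validation does in the Rails
# console (assumed shape, relies on Project#ci_cd_settings existing):
#   Project.find_by_full_path('test_repository/push_to_own_repo')
#          .ci_cd_settings.update!(push_repository_for_job_token_allowed: true)

if __FILE__ == $PROGRAM_NAME
  own = Project.new(1, 'test_repository/push_to_own_repo', CiCdSettings.new(false))
  tok = JobToken.new(own, true)
  puts "push with default setting: #{JobTokenGitAccess.check(tok, own, :push)}"
  own.ci_cd_settings.push_repository_for_job_token_allowed = true
  puts "push with setting enabled: #{JobTokenGitAccess.check(tok, own, :push)}"
end
```

The order of the checks matters for the security property: the setting is consulted last, so enabling it on one project never widens what a token from a different project, or from a finished job, can do.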
