Improve gradle QA scenario
🦀 What does this MR do?
- This MR adds a
pull package
part to the existing gradle QA scenario
While at it, I added some additional changes regarding
test improvements:
- When pulling, we only tested personal access tokens for the authentication. I updated that part and created 3 different examples that will pull the package using: a personal access token, a project deploy token and the ci job token. I used a table based spec for that.
potential problems:
- I noticed that the scenario logs in twice. Once for creating the runner, once for creating a personal access token. I login in a
before
block to avoid this duplicate action - The personal access token is created twice. Once to create the project (via creating the runner) and once for the scenario. I removed the one from the scenario and simply re-used the one set up when creating the runner.
- The package was removed through UI actions whereas there is a
#remove_via_api!
function implemented in the package resource. That function had a ~bug that I fixed. This way, there is no need to delete the package using the UI💪 - The deploy token resource did not support the
read_package_registry
scope. I added that. - The project's visibility hosting the package should be
private
. Apublic
visibility can result in false positives because the permission logic can sometimes allow an access with wrong credentials because the accessed resource ispublic
.
🔮 Possible follow ups
I'm not happy with the current state of the scenario. When running the whole file, we have 3 examples to go through:
- create a project and a package
- pull pacakge
(1.) could be done only once for all 3 examples and the package could be re-used across examples = faster execution time
I left this problem for a potential follow up.
🖼 Screenshots (strongly suggested)
n / a
📏 Does this MR meet the acceptance criteria?
Conformity
-
I have included changelog trailers, or none are needed. (Does this MR need a changelog?) - [-] I have added/updated documentation, or it's not needed. (Is documentation required?)
-
I have properly separated EE content from FOSS, or this MR is FOSS only. (Where should EE code go?) - [-] I have added information for database reviewers in the MR description, or it's not needed. (Does this MR have database related changes?)
-
I have self-reviewed this MR per code review guidelines. -
This MR does not harm performance, or I have asked a reviewer to help assess the performance impact. (Merge request performance guidelines) -
I have followed the style guides. -
This change is backwards compatible across updates, or this does not apply.
Availability and Testing
-
I have added/updated tests following the Testing Guide, or it's not needed. (Consider all test levels. See the Test Planning Process.) -
I have tested this MR in all supported browsers, or it's not needed. - [-] I have informed the Infrastructure department of a default or new setting change per definition of done, or it's not needed.
Security
Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.
- [-] Label as security and @ mention
@gitlab-com/gl-security/appsec
- [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- [-] Security reports checked/validated by a reviewer from the AppSec team
Edited by David Fernandez