Allow JOB-TOKEN to perform all release REST API operations
What does this MR do and why?
According to the documentation (https://docs.gitlab.com/ee/api/releases/#authentication) release API operations are possible using either a private or a job token
This MR adds job token to all API endpoints
Solves #320950 (closed)
Solves #340018 (closed)
Solves #198779 (closed)
Refs #332146 (closed)
Screenshots or screen recordings
These are strongly recommended to assist reviewers and reduce the time to merge your change.
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Activity
Thank you for your contribution to GitLab. We believe that everyone can contribute and contributions like yours are what make GitLab great!
- Our Merge Request Coaches will ensure your contribution is reviewed in a timely manner*.
- If you haven't, please set up a DANGER_GITLAB_API_TOKEN.
- You can comment @gitlab-bot label ~"group::" to add a group label.
- After a few days, feel free to ask @gitlab-bot help or ping a Merge Request Coach.
- Read more on how to get help.
This message was generated automatically. You're welcome to improve it.
added Community contribution label
added 1 commit
- 268d99e5 - Allow job token to perform all release REST API operation
marked the checklist item I have evaluated the MR acceptance checklist for this MR. as completed
mentioned in issue gitlab-org/quality/triage-reports#5002 (closed)
mentioned in issue gitlab-org/quality/triage-reports#5014 (closed)
added type::feature label
Thanks so much for this MR @guillaume.chauvel!
@sean_carroll could you or someone on your team please review this Community contribution? Thanks!
requested review from @sean_carroll
assigned to @guillaume.chauvel
added section::ops label
- Resolved by Vladimir Shushlin
@nicolewilliams as this is a ~"group::release" community MR, I'll pass it over to you.
requested review from @nicolewilliams and removed review request for @sean_carroll
requested review from @vshushlin and removed review request for @nicolewilliams
- Resolved by Shinya Maeda
Thank you for your contribution, @guillaume.chauvel!
I think we also need to modify tests in https://gitlab.com/gitlab-org/gitlab/-/blob/fc2c4e0d7f5fc8a91d77fe03bc6bdacf8d68c3c9/spec/requests/api/releases_spec.rb#L5-L5 and https://gitlab.com/gitlab-org/gitlab/-/blob/fc2c4e0d7f5fc8a91d77fe03bc6bdacf8d68c3c9/ee/spec/requests/api/releases_spec.rb#L5-L5 to validate that the job token actually works.
I found an example in the generic package registry, which can be helpful: https://gitlab.com/gitlab-org/gitlab/-/blob/fc2c4e0d7f5fc8a91d77fe03bc6bdacf8d68c3c9/spec/requests/api/generic_packages_spec.rb#L61-L61
Let me know if you need any help.
@dcouture do you see any security risk in allowing any CI job to create/modify/delete releases?
added 1 commit
- 348bb1d2 - Allow job token to perform all release REST API operations
added 1 commit
- 2c2e70b9 - Allow job token to perform all release REST API operations
added 1 commit
- 20c05a79 - Allow job token to perform all release REST API operations
added 1 commit
- 241acf94 - Allow job token to perform all release REST API operations
Thanks for the awesome contribution, @guillaume.chauvel! LGTM
@shinya.maeda can you do the maintainer review?
requested review from @shinya.maeda and removed review request for @vshushlin
- Resolved by Shinya Maeda
@vshushlin, thanks for approving this merge request. This is the first time the merge request is approved. To ensure full test coverage, please start a new pipeline before merging.
For more info, please refer to the following links:
added 1 commit
- f06f6eb4 - Allow job token to perform all release REST API operations
added 665 commits
- f06f6eb4...6958dbbc - 664 commits from branch gitlab-org:master
- b03a3cd9 - Allow job token to perform all release REST API operations
Should we update the documentation that we are now supporting all endpoints?
diff --git a/doc/ci/jobs/ci_job_token.md b/doc/ci/jobs/ci_job_token.md index 308f38b22b7..b6a3011a3d6 100644 --- a/doc/ci/jobs/ci_job_token.md +++ b/doc/ci/jobs/ci_job_token.md @@ -20,7 +20,7 @@ You can use a GitLab CI/CD job token to authenticate with specific API endpoints - [Get job artifacts](../../api/job_artifacts.md#get-job-artifacts). - [Get job token's job](../../api/jobs.md#get-job-tokens-job). - [Pipeline triggers](../../api/pipeline_triggers.md), using the `token=` parameter. -- [Release creation](../../api/releases/index.md#create-a-release). +- [Releases](../../api/releases/index.md). - [Terraform plan](../../user/infrastructure/index.md). The token has the same permissions to access the API as the user that executes the
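Review bot: the replacement entry "[Releases](../../api/releases/index.md)" drops the "#create-a-release" anchor and no longer tells the reader which release operations a job token can perform. Because the context line below it states that the token has the same permissions as the user that executes the job, the list entry should say explicitly that it now covers all release endpoints (create, update and delete), so the widened scope is visible in this list without following the link. A short note recording when the additional endpoints became available to job tokens would also help readers on older versions.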
1 Warning
This MR changes code in ee/, but its Changelog commit is missing the EE: true trailer. Consider adding it to your Changelog commits.
1 Message
This merge request adds or changes documentation files. A review from the Technical Writing team before you merge is recommended. Reviews can happen after you merge.
Documentation review
The following files require a review from a technical writer:
doc/api/releases/index.md
doc/ci/jobs/ci_job_token.md
The review does not need to block merging this merge request. See the:
- Metadata for the *.md files that you've changed. The first few lines of each *.md file identify the stage and group most closely associated with your docs change.
- The Technical Writer assigned for that stage and group.
- Documentation workflows for information on when to assign a merge request for review.
Reviewer roulette
Changes that require review have been detected!
Please refer to the table below for assigning reviewers and maintainers suggested by Danger in the specified category:
| Category | Reviewer | Maintainer |
| --- | --- | --- |
| backend | Steve Abrams (@sabrams) (UTC-6) | Kerri Miller (@kerrizor) (UTC-7) |

To spread load more evenly across eligible reviewers, Danger has picked a candidate for each review slot, based on their timezone. Feel free to override these selections if you think someone else would be better-suited or use the GitLab Review Workload Dashboard to find other available reviewers.
To read more on how to use the reviewer roulette, please take a look at the Engineering workflow and code review guidelines. Please consider assigning a reviewer or maintainer who is a domain expert in the area of the merge request.
Once you've decided who will review this merge request, assign them as a reviewer! Danger does not automatically notify them for you.
If needed, you can retry the danger-review job that generated this comment.
Generated by Danger
- Resolved by Suzanne Selhorn
@guillaume.chauvel Thank you for awesome contribution! This MR already looks nice
Would you mind fixing the documentation for the consistency? We can merge this MR after the change
@vshushlin Thank you for nice review!
removed review request for @shinya.maeda
added 1 commit
- 0e409279 - Allow job token to perform all release REST API operations
Hi @marcel.amirault @sselhorn, please review this documentation Merge Request.
Edited by Marcel Amirault
added documentation tw::triaged labels
added Technical Writing docs::feature labels
changed milestone to %14.5
added 1 commit
- 4a00c7d7 - Allow job token to perform all release REST API operations
added 1 commit
- 3cea963f - Allow job token to perform all release REST API operations
requested review from @shinya.maeda
enabled an automatic merge when the pipeline for 3c89ce77 succeeds
LGTM
Thank you for awesome contribution, @guillaume.chauvel!
mentioned in commit 5bd05f3c
added workflow::staging-canary label
added workflow::staging label and removed workflow::staging-canary label
added workflow::canary label and removed workflow::staging label
mentioned in issue #320950 (closed)
mentioned in issue #198779 (closed)
mentioned in issue #332146 (closed)
added workflow::production label and removed workflow::canary label
mentioned in issue #340018 (closed)
mentioned in issue gitlab-com/www-gitlab-com#12664 (closed)
added released::candidate label
added released::published label and removed released::candidate label
mentioned in merge request kubitus-project/kubitus-installer!388 (merged)
mentioned in merge request !89958 (merged)