使用`$ CI_JOB_TOKEN`“包含"私有项目文件 [英] 'Including' private project file using `$CI_JOB_TOKEN`
问题描述
到目前为止,我可以使用Personal Access Token
和 include 外部CI脚本进行身份验证,但是更干净的方法是使用$CI_JOB_TOKEN
进行访问,因为它更安全且更安全.受限制的.我正在研究是否可以通过这种方式完成-
What I got so far is, it is possible to Authenticate with Personal Access Token
and include external CI script but a cleaner approach would be to get access using $CI_JOB_TOKEN
since it is more secure and restricted. I am looking into if it can be done this way -
include 'https://gitlab-ci-token:${CI_JOB_TOKEN}@raw-file-url'
我曾尝试在虚拟脚本作业中以这种格式卷曲,但是无法获取文件.
I have tried to curl in this format in a dummy script job, but it fails to fetch the file.
Apparently, an external script can be imported using file API and $CI_JOB_TOKEN (https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/2346/diffs), but I am looking into if include
feature also support this. Any suggestion on how to achieve that is appreciated.
推荐答案
不幸的是,CI_JOB_TOKEN
的范围非常有限.截至今天(GitLab 11.0),您只能用它做两件事:
Unfortunately, CI_JOB_TOKEN
is very limited in scope. As of today (GitLab 11.0), you can only do two things with it:
- 通过GitLab容器(Docker)注册表进行身份验证
- 进行身份验证以触发多项目管道(仅适用于EE)
参考:
- https://docs.gitlab.com/ce/ci/variables/
- https://docs.gitlab.com/ee/ci/variables/
因此,您不能使用CI_JOB_TOKEN
从原始存储库(/raw/<ref>/<path>
)或API从另一个存储库下载文件.
So you cannot use CI_JOB_TOKEN
to download a file from another repository, neither via the raw endpoint (/raw/<ref>/<path>
) nor the API.
不幸的是,部署密钥也没有帮助-它们仅适用于SSH.
Unfortunately, deploy keys don't help either -- they are only for SSH.
我想出的唯一可行的解决方案是使用一个单独的用户:
The only workable solution I've come up with is to use a separate user:
- 创建具有
Reporter
角色的新用户. - 为具有 api 和 read_repository 权限的用户创建个人访问令牌(
/profile/personal_access_tokens
). - 在项目CI/CD设置中将此令牌作为秘密变量添加.称呼它为
BUILD_USER_TOKEN
. - 在CI脚本中使用
$BUILD_USER_TOKEN
访问API或项目文件.
- Create a new user with
Reporter
role. - Create a personal access token (
/profile/personal_access_tokens
) for that user with api and read_repository rights. - Add this token as a secret variable in the project CI/CD settings. Call it e.g.
BUILD_USER_TOKEN
. - Use
$BUILD_USER_TOKEN
in your CI script to access the API or project files.
这是一个巨大的黑客,我真的希望看到GitLab使CI_JOB_TOKEN
成为具有指定资源权限的一流的只读(?)令牌.
This is a huge hack, and I really hope to see GitLab make CI_JOB_TOKEN
a first-class, read-only (?) token with rights to specified resources.
这篇关于使用`$ CI_JOB_TOKEN`“包含"私有项目文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!