'Including' private project file using `$CI_JOB_TOKEN`


Question

What I got so far is, it is possible to Authenticate with Personal Access Token and include external CI script but a cleaner approach would be to get access using $CI_JOB_TOKEN since it is more secure and restricted. I am looking into if it can be done this way -

include 'https://gitlab-ci-token:${CI_JOB_TOKEN}@raw-file-url'

I have tried to curl in this format in a dummy script job, but it fails to fetch the file.

Apparently, an external script can be imported using file API and $CI_JOB_TOKEN (https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/2346/diffs), but I am looking into if include feature also support this. Any suggestion on how to achieve that is appreciated.

Answer

Unfortunately, CI_JOB_TOKEN is very limited in scope. As of today (GitLab 11.0), you can only do two things with it:

  • Authenticate with the GitLab Container (Docker) Registry
  • Authenticate to trigger multi-project pipelines (EE only)

References:

  • https://docs.gitlab.com/ce/ci/variables/
  • https://docs.gitlab.com/ee/ci/variables/

So you cannot use CI_JOB_TOKEN to download a file from another repository, neither via the raw endpoint (/raw/<ref>/<path>) nor the API.

Unfortunately, deploy keys don't help either -- they are only for SSH.

The only workable solution I've come up with is to use a separate user:

  • Create a new user with Reporter role.
  • Create a personal access token (/profile/personal_access_tokens) for that user with api and read_repository rights.
  • Add this token as a secret variable in the project CI/CD settings. Call it e.g. BUILD_USER_TOKEN.
  • Use $BUILD_USER_TOKEN in your CI script to access the API or project files.
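The four steps above leave out what the job script itself looks like. The following POSIX shell helper is an added example, not code from the question, the answer or GitLab itself. It assumes the `BUILD_USER_TOKEN` CI/CD variable from the answer holds the reporter user's personal access token, and it uses the GitLab v4 files API (`GET /projects/:id/repository/files/:file_path/raw?ref=<ref>`, with the token sent in the `PRIVATE-TOKEN` header). The project path, file path and ref in the usage comment are constructed placeholders. Sending the token as a header rather than embedding it in the URL (as the `gitlab-ci-token:${CI_JOB_TOKEN}@...` attempt in the question does) keeps it out of the job log and out of any proxy or web-server access log.

```shell
#!/bin/sh
# Added example: fetch a file from another (private) project inside a CI job
# using the separate-user personal access token stored in BUILD_USER_TOKEN.
# Assumptions: BUILD_USER_TOKEN is a masked CI/CD variable; the token user has
# at least Reporter access and the api/read_repository scopes.

GITLAB_URL="${GITLAB_URL:-https://gitlab.com}"

# Percent-encode a project path or file path the way the files API expects:
# "group/proj" -> "group%2Fproj", "dir/ci.yml" -> "dir%2Fci%2Eyml".
urlencode_path() {
    printf '%s' "$1" | sed -e 's/\//%2F/g' -e 's/\./%2E/g'
}

# Build the raw-file API URL for <project> / <file> at <ref> (default: master).
raw_file_url() {
    project="$1"; file="$2"; ref="${3:-master}"
    printf '%s/api/v4/projects/%s/repository/files/%s/raw?ref=%s' \
        "$GITLAB_URL" \
        "$(urlencode_path "$project")" \
        "$(urlencode_path "$file")" \
        "$ref"
}

# Download <file> from <project> into <dest>. Refuses to run without a token so
# a misconfigured job fails loudly instead of making an anonymous request.
# The token travels only in the PRIVATE-TOKEN header, never in the URL.
fetch_ci_file() {
    project="$1"; file="$2"; dest="$3"; ref="${4:-master}"
    if [ -z "$BUILD_USER_TOKEN" ]; then
        echo "fetch_ci_file: BUILD_USER_TOKEN is not set" >&2
        return 1
    fi
    curl --fail --silent --show-error \
        --header "PRIVATE-TOKEN: ${BUILD_USER_TOKEN}" \
        --output "$dest" \
        "$(raw_file_url "$project" "$file" "$ref")"
}

# Usage inside a job's before_script (placeholder project/file/ref):
#   fetch_ci_file "infra/ci-templates" "templates/build.sh" ./build.sh main
#   sh ./build.sh
```

`curl --fail` makes a 401/403/404 from GitLab a non-zero exit, so the job stops at the fetch rather than running with an empty or error-page file; the token stays out of the command line, so `ps` output and the job log show only the header name.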

This is a huge hack, and I really hope to see GitLab make CI_JOB_TOKEN a first-class, read-only (?) token with rights to specified resources.
