使用“$CI_JOB_TOKEN"“包含"私有项目文件 [英] 'Including' private project file using `$CI_JOB_TOKEN`

问题描述

到目前为止我得到的是，可以使用 Personal Access Token 和 include 外部 CI 脚本进行身份验证，但更简洁的方法是使用 $CI_JOB_TOKEN 因为它更安全且受限制.我正在研究是否可以这样做-

What I got so far is, it is possible to Authenticate with Personal Access Token and include external CI script but a cleaner approach would be to get access using $CI_JOB_TOKEN since it is more secure and restricted. I am looking into if it can be done this way -

包括 'https://gitlab-ci-token:${CI_JOB_TOKEN}@raw-file-url'

我试图在一个虚拟脚本作业中以这种格式卷曲，但它无法获取文件.

I have tried to curl in this format in a dummy script job, but it fails to fetch the file.

显然，可以使用文件 API 和 $CI_JOB_TOKEN (https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/2346/diffs)，但我正在研究 include 功能是否也支持此功能.任何关于如何实现这一目标的建议都值得赞赏.

Apparently, an external script can be imported using file API and $CI_JOB_TOKEN (https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/2346/diffs), but I am looking into if include feature also support this. Any suggestion on how to achieve that is appreciated.

推荐答案

很遗憾，CI_JOB_TOKEN 的范围非常有限.截至今天(GitLab 11.0)，你只能用它做两件事:

Unfortunately, CI_JOB_TOKEN is very limited in scope. As of today (GitLab 11.0), you can only do two things with it:

• 使用 GitLab 容器 (Docker) 注册表进行身份验证
• 进行身份验证以触发多项目管道(仅限 EE)

参考资料:

• https://docs.gitlab.com/ce/ci/variables/
• https://docs.gitlab.com/ee/ci/variables/

所以您不能使用 CI_JOB_TOKEN 从另一个存储库下载文件，既不通过原始端点 (/raw/<ref>/<path>) 也不是 API.

So you cannot use CI_JOB_TOKEN to download a file from another repository, neither via the raw endpoint (/raw/<ref>/<path>) nor the API.

不幸的是，部署密钥也无济于事——它们仅适用于 SSH.

Unfortunately, deploy keys don't help either -- they are only for SSH.

我想出的唯一可行的解​​决方案是使用单独的用户:

The only workable solution I've come up with is to use a separate user:

• 创建一个具有 Reporter 角色的新用户.
• 为具有 api 和 read_repository 权限的用户创建个人访问令牌 (/profile/personal_access_tokens).
• 将此令牌添加为项目 CI/CD 设置中的秘密变量.称之为例如BUILD_USER_TOKEN.
• 在 CI 脚本中使用 $BUILD_USER_TOKEN 来访问 API 或项目文件.

• Create a new user with Reporter role.
• Create a personal access token (/profile/personal_access_tokens) for that user with api and read_repository rights.
• Add this token as a secret variable in the project CI/CD settings. Call it e.g. BUILD_USER_TOKEN.
• Use $BUILD_USER_TOKEN in your CI script to access the API or project files.

这是一个巨大的 hack，我真的希望看到 GitLab 使 CI_JOB_TOKEN 成为具有指定资源权限的一流只读 (?) 令牌.

This is a huge hack, and I really hope to see GitLab make CI_JOB_TOKEN a first-class, read-only (?) token with rights to specified resources.

这篇关于使用“$CI_JOB_TOKEN"“包含"私有项目文件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！