如何传递凭据以在 Gitlab CI 脚本中提取子模块? [英] How do I pass credentials to pull a submodule in a Gitlab CI script?
问题描述
我有几个项目,每个项目都在自己的存储库中,它们导入一个公共库,该库也有自己的存储库.因此,.gitmodules
文件包含具有全名的库:
I have several projects, each in their own repository, that import a common library which has its own repository as well.
So, the .gitmodules
file includes the library with the full name:
Submodule 'xx/yy' (https://gitlab.com/xx/yy.git) registered for path 'xx/yy'
但这不起作用:
Fatal: could not read Username for 'https://gitlab.com': No such device or address
CI 脚本非常简单:
image: mcr.microsoft.com/dotnet/core/sdk:3.0.100-preview9-alpine3.9
variables:
GIT_SUBMODULE_STRATEGY: recursive
stages:
- build
before_script:
- "cd xx"
- "dotnet restore"
build:
stage: build
script:
- "cd xx"
- "dotnet build"
旧的答案是:GitLab 拉取 CI 内的子模块
但是事情已经发生了变化,根据文档,我们可以拥有没有相对路径的子模块,如下所示:https://docs.gitlab.com/ce/ci/git_submodules.html
but things have changed and we can, according to the docs, have submodules that don't have a relative path, as written here: https://docs.gitlab.com/ce/ci/git_submodules.html
推荐答案
tldr;像这样:
# .gitlab-ci.yml
stages:
- build
job1:
stage: build
before_script:
- git config --global credential.helper store
- git config --global credential.useHttpPath true
- |
git credential approve <<EOF
protocol=https
host=gitlab.com
path=my-group/my-submodule-repo.git
username=${CI_DEPENDENCY_PROXY_USER}
password=${CI_DEPENDENCY_PROXY_PASSWORD}
EOF
- git submodule update --init --recursive
script:
- echo "Let's start the build..."
说明
stages: - build
和 job1:stage: build
声明是样板文件——它们通知 gitlab ci 机器存在一个阶段(名为 build
) 和一份属于"的工作;到这个阶段.
Explanation
The stages: - build
and job1: stage: build
declarations are boilerplate --- they inform the gitlab ci machinery that there exists one stage (named build
) and one job that "belongs" to this stage.
before_script
部分详细说明了需要在工作早期发生的事情 --- 其下的所有内容都必须在 script
开始之前完成.
The before_script
part details things that need to happen early in the job --- everything thereunder must complete before script
is started.
git config --global credentials.helper
告诉 git
使用名为store"的凭证助手.默认情况下,这是一个位于 ~/.git-credentials
的明文文件,其中包含以换行符分隔的用户名-密码装饰的 URI,每个 URI 对应于用户添加的给定 git 远程.
The git config --global credentials.helper
tells git
to use the credentials helper named "store". By default, this is a cleartext file located at ~/.git-credentials
containing newline-delimited username-password-decorated URIs, each corresponding to a given git remote added by the user.
git config --global credentials.useHttpPath
告诉 git
在任何调用(显式或其他方式)时不要忽略 path
属性git 凭证
.这不是绝对必要的,而是一种很好的做法,例如,当您在同一个 host
上有多个 git 遥控器时.
The git config --global credentials.useHttpPath
tells git
not to ignore the path
attribute for any call (explicit or otherwise) to git credential
. This is not strictly necessary, but rather good practice when, for example, you have multiple git remotes on the same host
.
git credential approve
读取标准输入(表示为heredoc)并将给定的凭证传递给credential.helper
,即store
, 被写入 ~/.git-credentials
.
The git credential approve
reads standard input (expressed as a heredoc) and passes the given credential to the credential.helper
, namely store
, to be written into ~/.git-credentials
.
git submodule update --init --recursive
使用 .gitmodules
引用的内容填充现有(但尚未完成)超级项目工作树.
The git submodule update --init --recursive
populates the existing (but as yet incomplete) superproject worktree with the content referenced by .gitmodules
.
上述示例做了以下假设:
This aforementioned example makes the following assumptions:
- 超级项目
.gitmodules
包含对远程子模块https://gitlab.com/my-group/my-submodule-repo.git
的引用..李> - git 子模块远程是私有的;即,访问它需要用户名和密码形式的凭据(gitlab 用语中的个人访问令牌")
- 您希望使用此处描述的 Gitlab CI 依赖代理凭据向此远程进行身份验证:https://about.gitlab.com/blog/2020/12/15/dependency-proxy-updates/ .
- 您不想要重写
.gitmodules
以使用此处建议的相对 URL:https://docs.gitlab.com/ee/ci/git_submodules.html#configure-the-gitmodules-file .
- The superproject
.gitmodules
contains a reference to the submodule remotehttps://gitlab.com/my-group/my-submodule-repo.git
. - The git submodule remote is private; i.e., access thereto requires credentials in the form of a username and password ("personal access token" in gitlab parlance)
- You want to authenticate to this remote using the Gitlab CI Dependency Proxy credentials described here: https://about.gitlab.com/blog/2020/12/15/dependency-proxy-updates/ .
- You don't want to re-write the
.gitmodules
to use relative URLs as suggested here: https://docs.gitlab.com/ee/ci/git_submodules.html#configure-the-gitmodules-file .
- https://docs.gitlab.com/ee/ci/yaml/#before_script
- https:///docs.gitlab.com/ee/ci/git_submodules.html#using-git-submodules-in-your-ci-jobs
- https://docs.gitlab.com/ee/ci/yaml/README.html#git-submodule-strategy
- https://gitlab.com/gitlab-org/gitlab/-/issues/208770
- https://git-scm.com/docs/gitcredentials
- https://git-scm.com/docs/git-credential-store
- https://git-scm.com/docs/git-credential
这篇关于如何传递凭据以在 Gitlab CI 脚本中提取子模块?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!