如何传递凭据以在 Gitlab CI 脚本中提取子模块? [英] How do I pass credentials to pull a submodule in a Gitlab CI script?

问题描述

我有几个项目，每个项目都在自己的存储库中，它们导入一个公共库，该库也有自己的存储库.因此，.gitmodules 文件包含具有全名的库:

I have several projects, each in their own repository, that import a common library which has its own repository as well. So, the .gitmodules file includes the library with the full name:

Submodule 'xx/yy' (https://gitlab.com/xx/yy.git) registered for path 'xx/yy'

但这不起作用:

Fatal: could not read Username for 'https://gitlab.com': No such device or address

CI 脚本非常简单:

image: mcr.microsoft.com/dotnet/core/sdk:3.0.100-preview9-alpine3.9

variables:
  GIT_SUBMODULE_STRATEGY: recursive

stages:
    - build

before_script:
    - "cd xx"
    - "dotnet restore"

build:
    stage: build
    script:
      - "cd xx"
      - "dotnet build"

旧的答案是:GitLab 拉取 CI 内的子模块

但是事情已经发生了变化，根据文档，我们可以拥有没有相对路径的子模块，如下所示:https://docs.gitlab.com/ce/ci/git_submodules.html

but things have changed and we can, according to the docs, have submodules that don't have a relative path, as written here: https://docs.gitlab.com/ce/ci/git_submodules.html

推荐答案

tldr;像这样:

# .gitlab-ci.yml

stages:
  - build

job1:
  stage: build
  before_script:
    - git config --global credential.helper store
    - git config --global credential.useHttpPath true
    - |
        git credential approve <<EOF
        protocol=https
        host=gitlab.com
        path=my-group/my-submodule-repo.git
        username=${CI_DEPENDENCY_PROXY_USER}
        password=${CI_DEPENDENCY_PROXY_PASSWORD}
        EOF
    - git submodule update --init --recursive

  script:
    - echo "Let's start the build..."

说明

stages: - build 和 job1:stage: build 声明是样板文件——它们通知 gitlab ci 机器存在一个阶段(名为 build) 和一份属于"的工作；到这个阶段.

Explanation

The stages: - build and job1: stage: build declarations are boilerplate --- they inform the gitlab ci machinery that there exists one stage (named build) and one job that "belongs" to this stage.

before_script 部分详细说明了需要在工作早期发生的事情 --- 其下的所有内容都必须在 script 开始之前完成.

The before_script part details things that need to happen early in the job --- everything thereunder must complete before script is started.

git config --global credentials.helper 告诉 git 使用名为store"的凭证助手.默认情况下，这是一个位于 ~/.git-credentials 的明文文件，其中包含以换行符分隔的用户名-密码装饰的 URI，每个 URI 对应于用户添加的给定 git 远程.

The git config --global credentials.helper tells git to use the credentials helper named "store". By default, this is a cleartext file located at ~/.git-credentials containing newline-delimited username-password-decorated URIs, each corresponding to a given git remote added by the user.

git config --global credentials.useHttpPath 告诉 git 在任何调用(显式或其他方式)时不要忽略 path 属性git 凭证.这不是绝对必要的，而是一种很好的做法，例如，当您在同一个 host 上有多个 git 遥控器时.

The git config --global credentials.useHttpPath tells git not to ignore the path attribute for any call (explicit or otherwise) to git credential. This is not strictly necessary, but rather good practice when, for example, you have multiple git remotes on the same host.

git credential approve 读取标准输入(表示为heredoc)并将给定的凭证传递给credential.helper，即store, 被写入 ~/.git-credentials.

The git credential approve reads standard input (expressed as a heredoc) and passes the given credential to the credential.helper, namely store, to be written into ~/.git-credentials.

git submodule update --init --recursive 使用 .gitmodules 引用的内容填充现有(但尚未完成)超级项目工作树.

The git submodule update --init --recursive populates the existing (but as yet incomplete) superproject worktree with the content referenced by .gitmodules.

上述示例做了以下假设:

This aforementioned example makes the following assumptions:

• 超级项目 .gitmodules 包含对远程子模块 https://gitlab.com/my-group/my-submodule-repo.git 的引用..李>
• git 子模块远程是私有的；即，访问它需要用户名和密码形式的凭据(gitlab 用语中的个人访问令牌")
• 您希望使用此处描述的 Gitlab CI 依赖代理凭据向此远程进行身份验证:https://about.gitlab.com/blog/2020/12/15/dependency-proxy-updates/ .
• 您不想要重写 .gitmodules 以使用此处建议的相对 URL:https://docs.gitlab.com/ee/ci/git_submodules.html#configure-the-gitmodules-file .

• The superproject .gitmodules contains a reference to the submodule remote https://gitlab.com/my-group/my-submodule-repo.git.
• The git submodule remote is private; i.e., access thereto requires credentials in the form of a username and password ("personal access token" in gitlab parlance)
• You want to authenticate to this remote using the Gitlab CI Dependency Proxy credentials described here: https://about.gitlab.com/blog/2020/12/15/dependency-proxy-updates/ .
• You don't want to re-write the .gitmodules to use relative URLs as suggested here: https://docs.gitlab.com/ee/ci/git_submodules.html#configure-the-gitmodules-file .

• https://docs.gitlab.com/ee/ci/yaml/#before_script
• https:///docs.gitlab.com/ee/ci/git_submodules.html#using-git-submodules-in-your-ci-jobs
• https://docs.gitlab.com/ee/ci/yaml/README.html#git-submodule-strategy
• https://gitlab.com/gitlab-org/gitlab/-/issues/208770
• https://git-scm.com/docs/gitcredentials
• https://git-scm.com/docs/git-credential-store
• https://git-scm.com/docs/git-credential

这篇关于如何传递凭据以在 Gitlab CI 脚本中提取子模块?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！