I've got a project involving multiple GitLab users, all at ownership level. I've got a gitlab-ci.yml file that creates a new tag and pushes the new tag to the repository. This was set up using a deploy key and ssh. The problem is, no matter who actually triggers the job, the same user is always listed as the triggerer, which causes some traceability problems.

Currently, the .yml looks something like this, taken from this link:

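 before_script:
    # Load the deploy key into the SSH agent (strip Windows line endings first)
    - echo "$SSH_PRIVATE_KEY_TOOLKIT" | tr -d '\r' | ssh-add - > /dev/null

    - mkdir -p ~/.ssh
    - chmod 700 ~/.ssh

    # Record the GitLab host key so SSH does not prompt during the job
    - ssh-keyscan "$GITLAB_URL" >> ~/.ssh/known_hosts
    - chmod 644 ~/.ssh/known_hosts

    # Quote the values: the user name usually contains a space
    - git config --global user.email "$GITLAB_USER_EMAIL"
    - git config --global user.name "$GITLAB_USER_NAME"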

Where $SSH_PRIVATE_KEY_TOOLKIT is generated as suggested in the link.

Alex K

1 Answer

For just creating a tag, an API call would be way easier using the tags API. As the JOB TOKEN should also normally have enough permissions to do this, this would always be assigned to the executor of the job/pipeline. (untested does not work) https://docs.gitlab.com/ee/api/tags.html#create-a-new-tag

curl --request POST --header "JOB-TOKEN: $CI_JOB_TOKEN" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/repository/tags?tag_name=<tag>&ref=$CI_COMMIT_SHA"

You can always fall back to creating releases with the release API, which also results in a Git tag. https://docs.gitlab.com/ee/api/releases/index.html#create-a-release

curl --request POST --header "JOB-TOKEN: $CI_JOB_TOKEN" \
 --header "Content-Type: application/json" \
 --data "{ \"name\": \"New release\", \"ref\": \"$CI_COMMIT_SHA\", \"tag_name\": \"<TAG>\", \"description\": \"Super nice release\" }" \
 "$CI_API_V4_URL/projects/$CI_PROJECT_ID/releases"

Or use the GitLab CI release directives: https://docs.gitlab.com/ee/ci/yaml/index.html#release

release_job:
  stage: release
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  rules:
    - if: $TAG                  # Run this job when a tag is created manually
  script:
    - echo 'running release_job'
  release:
    name: 'Release $TAG'
    description: 'Created using the release-cli $EXTRA_DESCRIPTION'  # $EXTRA_DESCRIPTION must be defined
    tag_name: '$TAG'                                       # elsewhere in the pipeline.
    ref: '$TAG'

Simon Schrottner