GitLab CI does not allow pushing via token, which may be useful for multiple purposes. The feature request has now been open for 2 years, and still requires a design decision on the GitLab side AFAIK.
A possible workaround is to make access credentials available to CI. This can be done in multiple ways, but I think the easiest is to use HTTP access via a token.
If a regular user wants to set up CI in this way, we're limited to storing the user's API token in the repository variables. This comes with the risk of exposing all the user's access to GitLab.
On the other hand, an admin has a much better option: they may create a dedicated user, mark it as external (to limit the scope of what that user can do), mark the user's account as private, add the user to the repository as developer, and add the bot user's impersonation token to the repository variables.
Then if the users wanted to give that bot access to another repository (e.g. a dependency), they may give the bot the corresponding permissions.
Further, this could be used in combination with GitLab's system hooks for repository creation and deletion to make creation of such bot users automatic.
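The admin-side setup described in this issue, sketched against the GitLab REST API v4 as an added example (not code from the issue or the project). The bot naming scheme, the `BOT_PUSH_TOKEN` variable name, the protected/masked settings and the `write_repository` scope are assumptions; an instance that does not accept that scope for impersonation tokens would need `api` instead.

```python
import json
import urllib.request

DEVELOPER = 30  # GitLab access level for the Developer role

def gitlab_api(base_url, admin_token):
    """Return a call(method, path, data) function for the GitLab REST API v4."""
    def call(method, path, data):
        req = urllib.request.Request(
            f"{base_url}/api/v4{path}",
            data=json.dumps(data).encode(),
            method=method,
            headers={"PRIVATE-TOKEN": admin_token,
                     "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return call

def provision_bot(call, project_id, slug, email, expires_at):
    """Create a restricted bot user for one project and hand its token to CI."""
    user = call("POST", "/users", {
        "username": f"ci-bot-{slug}",    # hypothetical naming scheme
        "name": f"CI bot ({slug})",
        "email": email,
        "force_random_password": True,   # nobody logs in as the bot
        "skip_confirmation": True,
        "external": True,                # only sees projects it is added to
        "private_profile": True,
    })
    call("POST", f"/projects/{project_id}/members",
         {"user_id": user["id"], "access_level": DEVELOPER})
    token = call("POST", f"/users/{user['id']}/impersonation_tokens", {
        "name": f"ci-push-{slug}",
        "scopes": ["write_repository"],  # assumption: git push only, no full API
        "expires_at": expires_at,        # bounded lifetime if the token leaks
    })
    call("POST", f"/projects/{project_id}/variables", {
        "key": "BOT_PUSH_TOKEN",         # hypothetical variable name
        "value": token["token"],
        "masked": True,                  # kept out of job logs
        "protected": True,               # only protected branches/tags get it
    })
    return user["id"]
```

A system hook handler for project creation could call `provision_bot(gitlab_api(base_url, admin_token), ...)` with the new project's id to automate the setup.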