From d4ef4167374f63dfa63edc348e66fc30216d5acb Mon Sep 17 00:00:00 2001
From: Xuan Hu
Date: Sat, 18 May 2024 21:12:14 +0800
Subject: [PATCH 1/8] ci: unify PAT as token in GitLab CI/CD
---
 .gitlab/workflows/renovate.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.gitlab/workflows/renovate.yml b/.gitlab/workflows/renovate.yml
index 7d34b355..38ddc206 100644
--- a/.gitlab/workflows/renovate.yml
+++ b/.gitlab/workflows/renovate.yml
@@ -5,7 +5,7 @@ renovate:
 - renovate/cache/renovate/repository/
 image: renovate/renovate:37.356.1-full@sha256:e54b1093f2a751b4ac94988279d2621f068e79c77227d9654165a06ae3d50ad3
 rules:
- - if: $CI_PIPELINE_SOURCE == "schedule" && $RENOVATE_TOKEN != null
+ - if: $CI_PIPELINE_SOURCE == "schedule"
 script: renovate $RENOVATE_EXTRA_FLAG
 stage: build
 variables:
@@ -22,3 +22,4 @@ renovate:
 RENOVATE_REPOSITORIES: '["$CI_PROJECT_PATH"]'
 RENOVATE_REPOSITORY_CACHE: enabled
 RENOVATE_SEMANTIC_COMMIT_TYPE: build
+ RENOVATE_TOKEN: $PAT || $CI_JOB_TOKEN
From e64b29f37a5e0649c4a56f607f5cfa4cf4897555 Mon Sep 17 00:00:00 2001
From: Xuan Hu
Date: Sat, 18 May 2024 21:20:15 +0800
Subject: [PATCH 2/8] fix renovate token
---
 .gitlab/workflows/renovate.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.gitlab/workflows/renovate.yml b/.gitlab/workflows/renovate.yml
index 38ddc206..8c96fa8f 100644
--- a/.gitlab/workflows/renovate.yml
+++ b/.gitlab/workflows/renovate.yml
@@ -5,7 +5,7 @@ renovate:
 - renovate/cache/renovate/repository/
 image: renovate/renovate:37.356.1-full@sha256:e54b1093f2a751b4ac94988279d2621f068e79c77227d9654165a06ae3d50ad3
 rules:
- - if: $CI_PIPELINE_SOURCE == "schedule"
+ - if: $CI_PIPELINE_SOURCE == "schedule" && $RENOVATE_TOKEN != null
 script: renovate $RENOVATE_EXTRA_FLAG
 stage: build
 variables:
@@ -22,4 +22,4 @@ renovate:
 RENOVATE_REPOSITORIES: '["$CI_PROJECT_PATH"]'
 RENOVATE_REPOSITORY_CACHE: enabled
 RENOVATE_SEMANTIC_COMMIT_TYPE: build
- RENOVATE_TOKEN: $PAT || $CI_JOB_TOKEN
+ RENOVATE_TOKEN: $PAT
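Review bot: The guard `$RENOVATE_TOKEN != null` restored in the `rules:` hunk of PATCH 2/8 probably no longer skips the job when no token is configured, because the same commit sets `RENOVATE_TOKEN: $PAT` in the job's own `variables:`; the variable is then defined (empty, or the unexpanded string) even when `PAT` is unset. Testing the source variable is more reliable: `- if: $CI_PIPELINE_SOURCE == "schedule" && $PAT`. The same pattern appears with `GITLAB_TOKEN: $PAT` and `$GITLAB_TOKEN != null` in the `semantic-release` job of `.gitlab/workflows/ci.yml` (PATCH 5/8 and 6/8) and in the `ci.yml.jinja` template. The `renovate` job starts and ends outside these hunks, so this is inferred from the visible lines and should be confirmed against a pipeline run without `PAT`.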
From d8e7d0889bd7312bfea7e9bddb809bcf24766d62 Mon Sep 17 00:00:00 2001
From: Xuan Hu
Date: Sat, 18 May 2024 22:11:42 +0800
Subject: [PATCH 3/8] test renovate git author
---
 .gitlab/workflows/renovate.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.gitlab/workflows/renovate.yml b/.gitlab/workflows/renovate.yml
index 8c96fa8f..851a7eea 100644
--- a/.gitlab/workflows/renovate.yml
+++ b/.gitlab/workflows/renovate.yml
@@ -16,7 +16,6 @@ renovate:
 RENOVATE_BRANCH_PREFIX: renovate-gitlab/
 RENOVATE_ENABLED_MANAGERS: '["pep621", "gitlabci", "regex", "pre-commit"]'
 RENOVATE_ENDPOINT: $CI_API_V4_URL
- RENOVATE_GIT_AUTHOR: Renovate GitLab Bot
 RENOVATE_OPTIMIZE_FOR_DISABLED: 'true'
 RENOVATE_PLATFORM: gitlab
 RENOVATE_REPOSITORIES: '["$CI_PROJECT_PATH"]'
From ce3fbd90e894691a09f154d7eef13e0127d8c746 Mon Sep 17 00:00:00 2001
From: Xuan Hu
Date: Sat, 18 May 2024 22:42:17 +0800
Subject: [PATCH 4/8] update template
---
 .../workflows/renovate.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/template/[% if repo_platform == 'gitlab' or repo_platform == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/renovate.yml b/template/[% if repo_platform == 'gitlab' or repo_platform == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/renovate.yml
index 7d34b355..851a7eea 100644
--- a/template/[% if repo_platform == 'gitlab' or repo_platform == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/renovate.yml
+++ b/template/[% if repo_platform == 'gitlab' or repo_platform == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/renovate.yml
@@ -16,9 +16,9 @@ renovate:
 RENOVATE_BRANCH_PREFIX: renovate-gitlab/
 RENOVATE_ENABLED_MANAGERS: '["pep621", "gitlabci", "regex", "pre-commit"]'
 RENOVATE_ENDPOINT: $CI_API_V4_URL
- RENOVATE_GIT_AUTHOR: Renovate GitLab Bot
 RENOVATE_OPTIMIZE_FOR_DISABLED: 'true'
 RENOVATE_PLATFORM: gitlab
 RENOVATE_REPOSITORIES: '["$CI_PROJECT_PATH"]'
 RENOVATE_REPOSITORY_CACHE: enabled
 RENOVATE_SEMANTIC_COMMIT_TYPE: build
+ RENOVATE_TOKEN: $PAT
From c51a3384a1b92615b8393e9f1389d8d973aaf90d Mon Sep 17 00:00:00 2001
From: Xuan Hu
Date: Sat, 18 May 2024 22:48:44 +0800
Subject: [PATCH 5/8] fix: test semantic-release with PAT
---
 .gitlab/workflows/ci.yml | 5 ++++-
 package.json | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/.gitlab/workflows/ci.yml b/.gitlab/workflows/ci.yml
index 7b92aef9..bf3ce991 100644
--- a/.gitlab/workflows/ci.yml
+++ b/.gitlab/workflows/ci.yml
@@ -33,6 +33,7 @@ consistency:
 interruptible: true
 rules:
 - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"
+ allow_failure: true
 - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
 script:
 - git config --global user.name gitlab-ci
@@ -48,7 +49,7 @@ semantic-release:
 name: node:20.13.1
 interruptible: true
 rules:
- - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push" && $CI_PROJECT_NAMESPACE == "serious-scaffold" && $CI_PROJECT_NAME == "ss-python"
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push" && $CI_PROJECT_NAMESPACE == "huxuan8528" && $CI_PROJECT_NAME == "ss-python" && $GITLAB_TOKEN != null
 script:
 - >
 npx
@@ -57,3 +58,5 @@ semantic-release:
 -p semantic-release@23
 semantic-release
 stage: release
+ variables:
+ GITLAB_TOKEN: $PAT
diff --git a/package.json b/package.json
index 71a24212..b3070a97 100644
--- a/package.json
+++ b/package.json
@@ -5,6 +5,9 @@
 ]
 },
 "release": {
+ "branches": [
+ "xuan.hu/gitlab-token"
+ ],
 "plugins": [
 [
 "@semantic-release/commit-analyzer",
@@ -118,7 +121,7 @@
 }
 }
 ],
- "@semantic-release/github"
+ "@semantic-release/gitlab"
 ],
 "preset": "conventionalcommits"
 }
From 4219dbfb4892da3d98d90b6bfe03d1dbba416c4e Mon Sep 17 00:00:00 2001
From: Xuan Hu
Date: Sat, 18 May 2024 23:17:24 +0800
Subject: [PATCH 6/8] fix
---
 .gitlab/workflows/ci.yml | 3 +--
 package.json | 5 +----
 .../workflows/ci.yml.jinja | 4 +++-
 3 files changed, 5 insertions(+), 7 deletions(-)
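Review bot: `GITLAB_TOKEN: $PAT` in the last `ci.yml` hunk of PATCH 5/8 hands the shared access token to a job that installs its tooling with `npx` at run time, and the visible `-p semantic-release@23` is pinned only to a major version. Any newly published release in that range therefore runs with a token that the docs later in this series give `api, write_repository` scope and the `Maintainer` role, and the same token also serves Renovate. Consider pinning exact versions on the `-p` lines, and storing `PAT` as a protected variable as well as a masked one so that only pipelines on protected branches receive it. The `ci.yml.jinja` template changed in PATCH 6/8 carries the same lines. The `npx` argument list begins outside the hunk, so other `-p` entries may already be pinned differently.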
diff --git a/.gitlab/workflows/ci.yml b/.gitlab/workflows/ci.yml
index bf3ce991..cb5cacbd 100644
--- a/.gitlab/workflows/ci.yml
+++ b/.gitlab/workflows/ci.yml
@@ -33,7 +33,6 @@ consistency:
 interruptible: true
 rules:
 - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"
- allow_failure: true
 - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
 script:
 - git config --global user.name gitlab-ci
@@ -49,7 +48,7 @@ semantic-release:
 name: node:20.13.1
 interruptible: true
 rules:
- - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push" && $CI_PROJECT_NAMESPACE == "huxuan8528" && $CI_PROJECT_NAME == "ss-python" && $GITLAB_TOKEN != null
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push" && $CI_PROJECT_NAMESPACE == "serious-scaffold" && $CI_PROJECT_NAME == "ss-python" && $GITLAB_TOKEN != null
 script:
 - >
 npx
diff --git a/package.json b/package.json
index b3070a97..71a24212 100644
--- a/package.json
+++ b/package.json
@@ -5,9 +5,6 @@
 ]
 },
 "release": {
- "branches": [
- "xuan.hu/gitlab-token"
- ],
 "plugins": [
 [
 "@semantic-release/commit-analyzer",
@@ -121,7 +118,7 @@
 }
 }
 ],
- "@semantic-release/gitlab"
+ "@semantic-release/github"
 ],
 "preset": "conventionalcommits"
 }
diff --git a/template/[% if repo_platform == 'gitlab' or repo_platform == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/ci.yml.jinja b/template/[% if repo_platform == 'gitlab' or repo_platform == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/ci.yml.jinja
index 7d55494c..39fca9a6 100644
--- a/template/[% if repo_platform == 'gitlab' or repo_platform == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/ci.yml.jinja
+++ b/template/[% if repo_platform == 'gitlab' or repo_platform == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/ci.yml.jinja
@@ -61,7 +61,7 @@ semantic-release:
 name: node:20.13.1
 interruptible: true
 rules:
- - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push" && $CI_PROJECT_NAMESPACE == "{{ repo_namespace }}" && $CI_PROJECT_NAME == "{{ repo_name }}"
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push" && $CI_PROJECT_NAMESPACE == "{{ repo_namespace }}" && $CI_PROJECT_NAME == "{{ repo_name }}" && $GITLAB_TOKEN != null
 script:
 - >
 npx
@@ -70,3 +70,5 @@ semantic-release:
 -p semantic-release@23
 semantic-release
 stage: release
+ variables:
+ GITLAB_TOKEN: $PAT
From ad29e33ad8f71a4096ace3022e5e746f6488e1c0 Mon Sep 17 00:00:00 2001
From: Xuan Hu
Date: Sat, 18 May 2024 23:22:54 +0800
Subject: [PATCH 7/8] update doc
---
 docs/management/config.md | 4 ++--
 template/docs/management/config.md.jinja | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/management/config.md b/docs/management/config.md
index 6514bb7d..daf30c89 100644
--- a/docs/management/config.md
+++ b/docs/management/config.md
@@ -73,12 +73,12 @@ You can set the scope of the variables and secrets to **Repository** or **Organi 1. Set the variable `PDM_PUBLISH_REPO`, the repository (package index) URL to upload the package, default to `https://pypi.org`, the official PyPI. 1. Set the variable `PDM_PUBLISH_USERNAME`, the username to authenticate to the repository (package index), default to `__token__`, used for [API token](https://pypi.org/help/#apitoken). 1. Set the variable `PDM_PUBLISH_PASSWORD` with the **Mask variable** option for security, the password to authenticate to the repository (package index). -1. Renovate authentication: +1. Renovate & semantic-release authentication: Either [Group access tokens](https://docs.gitlab.com/ee/user/group/settings/group_access_tokens.html), [Project access tokens](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html) or [Personal access tokens](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) can be used. The group or project access tokens are more recommended to avoid the issues and merge requests tied to particular user. 1. Create a [group access token](https://gitlab.com/groups/serious-scaffold/-/settings/access_tokens), [project access token](https://gitlab.com/serious-scaffold/ss-python/-/settings/access_tokens) or [personal access token](https://gitlab.com/-/user_settings/personal_access_tokens) with `api, write_repository` scope. - 1. Navigate to the [CI/CD](https://gitlab.com/serious-scaffold/ss-python/-/settings/ci_cd) settings and the **Variables** section. Set the token as variable `RENOVATE_TOKEN` with the **Mask variable** option for security. + 1. Navigate to the [CI/CD](https://gitlab.com/serious-scaffold/ss-python/-/settings/ci_cd) settings and the **Variables** section. Set the token as variable `PAT` with the **Mask variable** option for security. 1. Navigate to the [Pipeline schedules](https://gitlab.com/serious-scaffold/ss-python/-/pipeline_schedules). 
Create a new schedule with `*/15 0-3 * * 1` as **Interval Pattern** and mark it as **Activated**. ```{note} diff --git a/template/docs/management/config.md.jinja b/template/docs/management/config.md.jinja index dfbdd268..6027b36c 100644 --- a/template/docs/management/config.md.jinja +++ b/template/docs/management/config.md.jinja 
@@ -73,12 +73,12 @@ You can set the scope of the variables and secrets to **Repository** or **Organi 1. Set the variable `PDM_PUBLISH_REPO`, the repository (package index) URL to upload the package, default to `https://pypi.org`, the official PyPI. 1. Set the variable `PDM_PUBLISH_USERNAME`, the username to authenticate to the repository (package index), default to `__token__`, used for [API token](https://pypi.org/help/#apitoken). 1. Set the variable `PDM_PUBLISH_PASSWORD` with the **Mask variable** option for security, the password to authenticate to the repository (package index). -1. Renovate authentication: +1. Renovate & semantic-release authentication: Either [Group access tokens](https://docs.gitlab.com/ee/user/group/settings/group_access_tokens.html), [Project access tokens](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html) or [Personal access tokens](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) can be used. The group or project access tokens are more recommended to avoid the issues and merge requests tied to particular user. 1. Create a [group access token](https://gitlab.com/groups/{{ repo_namespace }}/-/settings/access_tokens), [project access token](https://gitlab.com/{{ repo_namespace }}/{{ repo_name }}/-/settings/access_tokens) or [personal access token](https://gitlab.com/-/user_settings/personal_access_tokens) with `api, write_repository` scope. - 1. Navigate to the [CI/CD](https://gitlab.com/{{ repo_namespace }}/{{ repo_name }}/-/settings/ci_cd) settings and the **Variables** section. Set the token as variable `RENOVATE_TOKEN` with the **Mask variable** option for security. + 1. Navigate to the [CI/CD](https://gitlab.com/{{ repo_namespace }}/{{ repo_name }}/-/settings/ci_cd) settings and the **Variables** section. Set the token as variable `PAT` with the **Mask variable** option for security. 1. 
Navigate to the [Pipeline schedules](https://gitlab.com/{{ repo_namespace }}/{{ repo_name }}/-/pipeline_schedules). Create a new schedule with `*/15 0-3 * * 1` as **Interval Pattern** and mark it as **Activated**. ```{note} From b0a6ecd7a79e8cd8a3802613f199e6a60315ea97 Mon Sep 17 00:00:00 2001 From: Xuan Hu Date: Sun, 19 May 2024 08:15:24 +0800 Subject: [PATCH 8/8] update docs about maintainer role --- docs/management/config.md | 2 +- template/docs/management/config.md.jinja | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/management/config.md b/docs/management/config.md index daf30c89..7b8ad978 100644 --- a/docs/management/config.md +++ b/docs/management/config.md 
@@ -77,7 +77,7 @@ You can set the scope of the variables and secrets to **Repository** or **Organi Either [Group access tokens](https://docs.gitlab.com/ee/user/group/settings/group_access_tokens.html), [Project access tokens](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html) or [Personal access tokens](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) can be used. The group or project access tokens are more recommended to avoid the issues and merge requests tied to particular user. - 1. Create a [group access token](https://gitlab.com/groups/serious-scaffold/-/settings/access_tokens), [project access token](https://gitlab.com/serious-scaffold/ss-python/-/settings/access_tokens) or [personal access token](https://gitlab.com/-/user_settings/personal_access_tokens) with `api, write_repository` scope. + 1. Create a [group access token](https://gitlab.com/groups/serious-scaffold/-/settings/access_tokens), [project access token](https://gitlab.com/serious-scaffold/ss-python/-/settings/access_tokens) or [personal access token](https://gitlab.com/-/user_settings/personal_access_tokens) with `Maintainer` role and `api, write_repository` scope. 1. Navigate to the [CI/CD](https://gitlab.com/serious-scaffold/ss-python/-/settings/ci_cd) settings and the **Variables** section. Set the token as variable `PAT` with the **Mask variable** option for security. 1. Navigate to the [Pipeline schedules](https://gitlab.com/serious-scaffold/ss-python/-/pipeline_schedules). Create a new schedule with `*/15 0-3 * * 1` as **Interval Pattern** and mark it as **Activated**. diff --git a/template/docs/management/config.md.jinja b/template/docs/management/config.md.jinja index 6027b36c..6e4eb45c 100644 --- a/template/docs/management/config.md.jinja +++ b/template/docs/management/config.md.jinja 
@@ -77,7 +77,7 @@ You can set the scope of the variables and secrets to **Repository** or **Organi Either [Group access tokens](https://docs.gitlab.com/ee/user/group/settings/group_access_tokens.html), [Project access tokens](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html) or [Personal access tokens](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) can be used. The group or project access tokens are more recommended to avoid the issues and merge requests tied to particular user. - 1. Create a [group access token](https://gitlab.com/groups/{{ repo_namespace }}/-/settings/access_tokens), [project access token](https://gitlab.com/{{ repo_namespace }}/{{ repo_name }}/-/settings/access_tokens) or [personal access token](https://gitlab.com/-/user_settings/personal_access_tokens) with `api, write_repository` scope. + 1. Create a [group access token](https://gitlab.com/groups/{{ repo_namespace }}/-/settings/access_tokens), [project access token](https://gitlab.com/{{ repo_namespace }}/{{ repo_name }}/-/settings/access_tokens) or [personal access token](https://gitlab.com/-/user_settings/personal_access_tokens) with `Maintainer` role and `api, write_repository` scope. 1. Navigate to the [CI/CD](https://gitlab.com/{{ repo_namespace }}/{{ repo_name }}/-/settings/ci_cd) settings and the **Variables** section. Set the token as variable `PAT` with the **Mask variable** option for security. 1. Navigate to the [Pipeline schedules](https://gitlab.com/{{ repo_namespace }}/{{ repo_name }}/-/pipeline_schedules). Create a new schedule with `*/15 0-3 * * 1` as **Interval Pattern** and mark it as **Activated**.