问题
What I got so far is, it is possible to Authenticate with Personal Access Token and include external CI script but a cleaner approach would be to get access using $CI_JOB_TOKEN since it is more secure and restricted. I am looking into if it can be done this way -
include 'https://gitlab-ci-token:${CI_JOB_TOKEN}@raw-file-url'
I have tried to curl in this format in a dummy script job, but it fails to fetch the file.
Apparently, an external script can be imported using file API and $CI_JOB_TOKEN (https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/2346/diffs), but I am looking into if include feature also support this. Any suggestion on how to achieve that is appreciated.
回答1:
Unfortunately, CI_JOB_TOKEN is very limited in scope. As of today (GitLab 11.0), you can only do two things with it:
- Authenticate with the GitLab Container (Docker) Registry
- Authenticate to trigger a multi-project pipeline (EE only)
References:
- https://docs.gitlab.com/ce/ci/variables/
- https://docs.gitlab.com/ee/ci/variables/
So you cannot use CI_JOB_TOKEN to download a file from another repository, neither via the raw endpoint (/raw/<ref>/<path>) nor the API.
Unfortunately, deploy keys don't help either -- they are only for SSH.
The only workable solution I've come up with is to use a separate user:
- Create a new user with
Reporterrole. - Create a personal access token (
/profile/personal_access_tokens) for that user with api and read_repository rights. - Add this token as a secret variable in the project CI/CD settings. Call it e.g.
BUILD_USER_TOKEN. - Use
$BUILD_USER_TOKENin your CI script to access the API or project files.
This is a huge hack, and I really hope to see GitLab make CI_JOB_TOKEN a first-class, read-only (?) token with rights to specified resources.
来源:https://stackoverflow.com/questions/50876136/including-private-project-file-using-ci-job-token