Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Using ssh to push the new tags. #784

Open
Teles1 opened this issue Oct 23, 2024 · 5 comments
Open

Using ssh to push the new tags. #784

Teles1 opened this issue Oct 23, 2024 · 5 comments

Comments

@Teles1
Copy link

Teles1 commented Oct 23, 2024

I'm a free user of gitlab.com therefore I don't have access to project/namespace tokens and since I intend on protecting my master branch from being pushed directly I have to resort into deployment tokens.
Steps:

  1. I created a ssh key
  2. encoded with base64
  3. create a file variable with the new encoded base64 string
  4. adjusted my pipeline to first decode the base64 string from the file and write the private key to ~/.ssh/id_rsa
  5. from the key above generated the pub key
  6. changed the remote origin from https:// to [email protected]
  7. ran git ls-remote to ensure that the key worked.
  8. in my local environment I used the same key above to push to my protected branch and it works like a charm. As well as to create tags

I have a token set for different pipelines and it still throws the error bellow. My assumption is that the code is checking the origin url and looking for that token? In this case, since I'm using ssh it shouldn't require a token should it for the release creation it would make sense to require that but not for creating the tag itself

If my approach is completely wrong how do I approach this problem without having to keep my master branch open

$ npx semantic-release
[1:29:35 PM] [semantic-release] › ℹ  Running semantic-release version 23.1.1
[1:29:36 PM] [semantic-release] › ✔  Loaded plugin "verifyConditions" from "@semantic-release/changelog"
[1:29:36 PM] [semantic-release] › ✔  Loaded plugin "verifyConditions" from "@semantic-release/gitlab"
[1:29:36 PM] [semantic-release] › ✔  Loaded plugin "analyzeCommits" from "@semantic-release/commit-analyzer"
[1:29:36 PM] [semantic-release] › ✔  Loaded plugin "generateNotes" from "@semantic-release/release-notes-generator"
[1:29:36 PM] [semantic-release] › ✔  Loaded plugin "prepare" from "@semantic-release/changelog"
[1:29:36 PM] [semantic-release] › ✔  Loaded plugin "publish" from "@semantic-release/gitlab"
[1:29:36 PM] [semantic-release] › ✔  Loaded plugin "success" from "@semantic-release/gitlab"
[1:29:36 PM] [semantic-release] › ✔  Loaded plugin "success" from "./custom-discord-notifier.js"
[1:29:36 PM] [semantic-release] › ✔  Loaded plugin "fail" from "@semantic-release/gitlab"
[1:29:46 PM] [semantic-release] › ✔  Run automated release from branch next on repository [email protected]:redactedDev/redacted-client-26.git
[1:29:47 PM] [semantic-release] › ✔  Allowed to push to the Git repository
[1:29:47 PM] [semantic-release] › ℹ  Start step "verifyConditions" of plugin "@semantic-release/changelog"
[1:29:47 PM] [semantic-release] › ✔  Completed step "verifyConditions" of plugin "@semantic-release/changelog"
[1:29:47 PM] [semantic-release] › ℹ  Start step "verifyConditions" of plugin "@semantic-release/gitlab"
[1:29:47 PM] [semantic-release] › ✘  Failed step "verifyConditions" of plugin "@semantic-release/gitlab"
[1:29:47 PM] [semantic-release] › ℹ  Start step "fail" of plugin "@semantic-release/gitlab"
[1:29:47 PM] [semantic-release] › ✘  Failed step "fail" of plugin "@semantic-release/gitlab"
[1:29:47 PM] [semantic-release] › ✘  ENOGLTOKEN No GitLab token specified.
A GitLab personal access token (https://github.com/semantic-release/gitlab/blob/master/README.md#gitlab-authentication) must be created and set in the GL_TOKEN or GITLAB_TOKEN environment variable on your CI environment.
Please make sure to create a GitLab personal access token (https://docs.gitlab.com/ce/user/profile/personal_access_tokens.html) and to set it in the GL_TOKEN or GITLAB_TOKEN environment variable on your CI environment. The token must allow to push to the repository [email protected] (mailto:[email protected]):redacted/redacted.git.
[1:29:47 PM] [semantic-release] › ✘  ENOGLTOKEN No GitLab token specified.
A GitLab personal access token (https://github.com/semantic-release/gitlab/blob/master/README.md#gitlab-authentication) must be created and set in the GL_TOKEN or GITLAB_TOKEN environment variable on your CI environment.
Please make sure to create a GitLab personal access token (https://docs.gitlab.com/ce/user/profile/personal_access_tokens.html) and to set it in the GL_TOKEN or GITLAB_TOKEN environment variable on your CI environment. The token must allow to push to the repository [email protected] (mailto:[email protected]):redactedDev/redacted-client-26.git.
AggregateError: 
    SemanticReleaseError: No GitLab token specified.
        at default (file:///builds/redactedDev/redacted-client-26/node_modules/@semantic-release/gitlab/lib/get-error.js:6:10)
        at default (file:///builds/redactedDev/redacted-client-26/node_modules/@semantic-release/gitlab/lib/verify.js:54:17)
        at verifyConditions (file:///builds/redactedDev/redacted-client-26/node_modules/@semantic-release/gitlab/index.js:11:9)
        at validator (file:///builds/redactedDev/redacted-client-26/node_modules/semantic-release/lib/plugins/normalize.js:36:30)
        at file:///builds/redactedDev/redacted-client-26/node_modules/semantic-release/lib/plugins/pipeline.js:38:42
        at next (file:///builds/redactedDev/redacted-client-26/node_modules/semantic-release/node_modules/p-reduce/index.js:16:10)
    at file:///builds/redactedDev/redacted-client-26/node_modules/semantic-release/lib/plugins/pipeline.js:55:13
    at async pluginsConfigAccumulator.<computed> [as verifyConditions] (file:///builds/redactedDev/redacted-client-26/node_modules/semantic-release/lib/plugins/index.js:87:11)
    at async run (file:///builds/redactedDev/redacted-client-26/node_modules/semantic-release/index.js:106:3)
    at async Module.default (file:///builds/redactedDev/redacted-client-26/node_modules/semantic-release/index.js:278:22)
    at async default (file:///builds/redactedDev/redacted-client-26/node_modules/semantic-release/cli.js:55:5) {
  errors: [
    SemanticReleaseError: No GitLab token specified.
        at default (file:///builds/redactedDev/redacted-client-26/node_modules/@semantic-release/gitlab/lib/get-error.js:6:10)
        at default (file:///builds/redactedDev/redacted-client-26/node_modules/@semantic-release/gitlab/lib/verify.js:54:17)
        at verifyConditions (file:///builds/redactedDev/redacted-client-26/node_modules/@semantic-release/gitlab/index.js:11:9)
        at validator (file:///builds/redactedDev/redacted-client-26/node_modules/semantic-release/lib/plugins/normalize.js:36:30)
        at file:///builds/redactedDev/redacted-client-26/node_modules/semantic-release/lib/plugins/pipeline.js:38:42
        at next (file:///builds/redactedDev/redacted-client-26/node_modules/semantic-release/node_modules/p-reduce/index.js:16:10) {
      code: 'ENOGLTOKEN',
      details: 'A [GitLab personal access token](https://github.com/semantic-release/gitlab/blob/master/README.md#gitlab-authentication) must be created and set in the `GL_TOKEN` or `GITLAB_TOKEN` environment variable on your CI environment.\n' +
        '\n' +
        'Please make sure to create a [GitLab personal access token](https://docs.gitlab.com/ce/user/profile/personal_access_tokens.html) and to set it in the `GL_TOKEN` or `GITLAB_TOKEN` environment variable on your CI environment. The token must allow to push to the repository [email protected]:redactedDev/redacted-client-26.git.',
      semanticRelease: true,
      pluginName: '@semantic-release/gitlab'
    }
  ]
}
Cleaning up project directory and file based variables 00:00
ERROR: Job failed: exit code 1
variables:
  project_name: "${CI_PROJECT_TITLE}"
  SEMANTIC_RELEASE_PACKAGE: "${project_name}"
  GIT_SUBMODULE_STRATEGY: normal
  GIT_DEPTH: 0 # Disable shallow cloning for full history
  GIT_SUBMODULE_DEPTH: 0

stages:
  - semantic_release

semantic_release:
  stage: semantic_release
  image: node:lts
  variables:
    # Define GIT_SSH_COMMAND to use the specified SSH key and settings
    GIT_SSH_COMMAND: "ssh -v -i ~/.ssh/id_rsa -o StrictHostKeyChecking=accept-new"
  before_script:
    # 1. Create the .ssh directory
    - mkdir -p ~/.ssh
    # 2. Decode the Base64-encoded SSH key and save it to ~/.ssh/id_rsa
    - cat "$DEPLOY_SSH_KEY64" | base64 -d > ~/.ssh/id_rsa
    # 3. Generate .pub from our new private key
    - ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
    # 4. Set the correct permissions for the SSH key
    - chmod 600 ~/.ssh/id_rsa
    # 5. Add GitLab to known_hosts to prevent host verification prompts
    - ssh-keyscan gitlab.com >> ~/.ssh/known_hosts
    # 6. Update the Git remote URL to use SSH instead of HTTPS
    - git remote set-url origin "[email protected]:${CI_PROJECT_NAMESPACE}/${CI_PROJECT_NAME}.git"
    # 7. (Optional) Verify that the remote URL has been updated
    - git remote -v
  script:
    - export GIT_SSH_COMMAND="ssh -v -i ~/.ssh/id_rsa -o StrictHostKeyChecking=accept-new"
    - npm install semantic-release @semantic-release/changelog @semantic-release/commit-analyzer @semantic-release/gitlab @semantic-release/npm @semantic-release/release-notes-generator conventional-changelog-conventionalcommits axios
    - npx semantic-release
  #dependencies:
  #  - build
  #  - hash_job
  #  - collect_and_symstore_job
@Teles1
Copy link
Author

Teles1 commented Oct 23, 2024

I found a similar issue #377 and the response is unfortunately sad.

Is there any other way that I could do this with an ssh token? Is the gitlab plugin using their api to also create the tags?

@fgreinacher
Copy link
Contributor

@fgreinacher
Copy link
Contributor

fgreinacher commented Oct 23, 2024

We need API access for multiple features, e.g. creating issue comments, finding related MRs, uploading assets, or creating issues for failed publish operations.

Therefore it does not really make sense to use this plugin without a proper token.

At some point we will hopefully be able to support job tokens, see #156.

@Teles1
Copy link
Author

Teles1 commented Oct 23, 2024

Gotcha. Thanks for getting back to me this quickly btw.
In this case then I'm assuming that my best bet is going full custom then? Is there a way to create tags only using the ssh hack?
I don't realllyyy need the release trigger, I can live without it. What would really suck is not having access to the tags + versioning

@fgreinacher
Copy link
Contributor

The tag is created by semantic-release core, see https://github.com/semantic-release/semantic-release/blob/master/index.js#L208. So it should work if you don't use the gitlab plugin.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants