Use with CI_JOB_TOKEN #4
Comments
Not yet supported, but on the list https://github.com/bufferoverflow/verdaccio-gitlab/blob/master/README.md#todo |
combine somehow with |
As the ToDo list has been removed from the README, I'd like to know if this feature is still planned. I am currently trying to automate the publishing through gitlab-ci, and the general workaround would be to log in locally and copy the auth token from .npmrc. However, as we have a huge number of packages, hard-linking them to one account is impractical, time-consuming and error-prone if member/group permissions change. It would be great to have gitlab-ci-token/$CI_JOB_TOKEN to work out of the box using |
Yes, this is a must-have feature. I just have no time at the moment to implement or at least identify required upstream changes within gitlab... so any kind of contribution is welcome! |
@Flauschbaellchen I'm using verdaccio-gitlab-ci for this in addition to verdaccio-gitlab. I only had to configure verdaccio-gitlab-ci before verdaccio-gitlab in the auth section. For npm-cli-login I'm then doing this:
|
@spangenberg I'd suggest adding it to the list of plugins for more visibility https://github.com/verdaccio/verdaccio/blob/master/docs/plugins.md#authorization-plugins |
I will also add some documentation for this in the verdaccio-gitlab readme, so we close the circle |
I have been reading the source code of this verdaccio-gitlab-ci plugin and it's quite small, I think we could integrate this functionality into verdaccio-gitlab if the author is ok with it. The main difference at the moment is that verdaccio-gitlab is depending on personal access tokens for authentication, and the gitlab-ci-token plugin seems to depend somehow on the oauth2 flow, although I haven't found any gitlab official documentation for the auth endpoint used in there:
@spangenberg I still haven't tested it but I assume that you had to configure the gitlab url twice in your verdaccio configuration file, once for each gitlab plugin, isn't it? That would be a direct benefit of integrating this functionality. I don't think there's currently any way to avoid having to login to npm at the beginning of the gitlab-ci job, much as the same is needed for docker login. |
It's probably not going to be that easy. Relevant tickets in gitlab: |
Hello, this seems to have stalled for a while, so I would like to input some information as I would also like to see job tokens being supported as a way of authentication.

node-gitlab is being used to talk to the GitLab API, which currently does not have any directly implemented/documented support for Job Tokens, only for OAuth and Private Access Tokens. So in order to implement this cleanly, firstly, there needs to be a patch for supporting job tokens there. There is a dirty workaround to enforce Job Token authentication through node-gitlab by overriding the headers set internally (see patch linked at the bottom).

Secondly there needs to be a way for NPM to supply login credentials in a way that verdaccio-gitlab can detect the supplied password as Job Tokens, not as Private Access Tokens. I thought of two ideas so far:
Using Job Tokens will not identify a user, as such the currently implemented username equality check needs to be skipped for Job Token authentication. I made a quick and dirty patch to try out the effects of using a Job Token with verdaccio-gitlab. With this patch logging in via NPM, via the website and installing packages works for me at least. I did not test publishing packages however yet. EDIT: I opened an issue at node-gitlab to support Job Tokens. |
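The job-token handling described in the comment above, as an added sketch that is not part of the thread and not code from verdaccio-gitlab, verdaccio-gitlab-ci or node-gitlab. `PRIVATE-TOKEN` and `JOB-TOKEN` are GitLab's API header names; selecting the token kind by the `gitlab-ci-token` username, the `lookupUser` callback and the tokens in `fakeGitlab` are assumptions made for this example.

```javascript
// Added illustration; names below are hypothetical unless noted.
const CI_USERNAME = 'gitlab-ci-token'; // username used with $CI_JOB_TOKEN in this thread

// Pick the GitLab API header that should carry the password npm sent.
// Choosing by username is an assumption of this sketch.
function authHeaders(username, password) {
  if (typeof password !== 'string' || password.length === 0) {
    throw new Error('missing credential');
  }
  return username === CI_USERNAME
    ? { 'JOB-TOKEN': password }
    : { 'PRIVATE-TOKEN': password };
}

// lookupUser(headers) stands in for the GitLab API call (hypothetical):
// it returns { username, groups } for an accepted token, null otherwise.
function authenticate(username, password, lookupUser) {
  const headers = authHeaders(username, password);
  const identity = lookupUser(headers);
  if (!identity) return { ok: false, reason: 'token rejected' };

  if ('JOB-TOKEN' in headers) {
    // A job token does not identify the npm user, so the username
    // equality check is skipped; keep the credential kind so later
    // authorization can treat CI logins separately.
    return { ok: true, kind: 'job-token', groups: identity.groups };
  }
  if (identity.username !== username) {
    return { ok: false, reason: 'username does not match token owner' };
  }
  return { ok: true, kind: 'personal-access-token', groups: identity.groups };
}

// Constructed stand-in for GitLab; both tokens are made up for this example.
function fakeGitlab(headers) {
  if (headers['PRIVATE-TOKEN'] === 'pat-alice') return { username: 'alice', groups: ['web'] };
  if (headers['JOB-TOKEN'] === 'job-123') return { username: null, groups: [] };
  return null;
}
```

A personal access token presented under the `gitlab-ci-token` username is sent as `JOB-TOKEN` and rejected by the stand-in, and a job-token login carries no groups, which matches the later observation in this thread that a group-based publish check is not sufficient for CI logins.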
Now waiting on a new release for node-gitlab as the changes there have been merged to master. |
node-gitlab v4.4.1 has been tagged, I am going to try and send in a pull request to run verdaccio-gitlab against this version asap. |
Can't wait! Will be an awesome addition. |
Hello, just a little update as I finally got to testing package publishing. The current patches I sent in here are in fact not sufficient to allow for the CI login to be able to publish packages. Reason is that verdaccio-gitlab only checks for GitLab groups a user is assigned to and compares them against the parts of which the package name to publish is made of (so for I respectively added this functionality to my patch set and I will start drafting a pull request with this in the coming days. |
Is there a distinction between having the Gitlab CI be able to publish packages to a verdaccio instance and having the CI/CD tool pull from private verdaccio registry (authenticated publishing vs authenticated pulling)? Is this PR (not quite a PR, but the gist mentioned by @icedream) required for both? |
Thanks to @spangenberg I got it!

```yaml
# Verdaccio config.yml
auth:
  htpasswd: # optional
    file: /verdaccio/htpasswd
    max_users: -1
  gitlab-ci: # has to be before `gitlab`
    url: https://your.gitlab
  gitlab:
    url: https://your.gitlab
```

```dockerfile
# Verdaccio Dockerfile
FROM verdaccio/verdaccio
USER root
# -- Plugins --
# Have to be before ENV=production
# Note: do not use verdaccio-memory. It prevents any persistence for published packages
RUN npm i verdaccio-gitlab-ci
RUN npm i verdaccio-gitlab
# -- Plugins end --
ENV NODE_ENV=production
RUN npm i --no-audit --no-package-lock
COPY config.yaml /verdaccio/conf/
USER verdaccio
EXPOSE 4873
```

```yaml
# .gitlab-ci.yml from npm module repo
publish:
  image: node:12-alpine
  stage: deploy
  before_script:
    - npm i npm-cli-login
    - npx npm-cli-login -u gitlab-ci-token -p "$CI_JOB_TOKEN" -r https://your.verdaccio -e "nobody@your.company" --config-path "$PWD/.npmrc"
  script:
    - npm publish
```
Is it possible to login to verdaccio with the `gitlab-ci-token` user and the `$CI_JOB_TOKEN` env var during CI builds?