Use with CI_JOB_TOKEN #4

Open
cdaguerre opened this issue Jan 23, 2018 · 17 comments

@cdaguerre

Is it possible to log in to verdaccio with the gitlab-ci-token user and the $CI_JOB_TOKEN env var during CI builds?

@bufferoverflow
Owner

combine somehow with npm token, verdaccio/verdaccio#541

@Flauschbaellchen

As the ToDo list has been removed from the README, I'd like to know if this feature is still planned?

I am currently trying to automate the publishing through gitlab-ci, and the general workaround would be to log in locally and copy the auth-token from .npmrc.
Afterwards, save it to the secret variables within gitlab-ci and set up the CI to prepopulate .npmrc.

However, as we have a huge number of packages, hard-linking them to one account is impractical, time-consuming and error-prone if member/group permissions change.

It would be great to have gitlab-ci-token/$CI_JOB_TOKEN to work out of the box using npm-cli-login or something similar.

@bufferoverflow
Owner

Yes, this is a must have feature. I just have no time at the moment to implement or at least identify required upstream changes within gitlab... so any kind of contribution is welcome!

@spangenberg

@Flauschbaellchen I'm using verdaccio-gitlab-ci for this in addition to verdaccio-gitlab.

I only had to configure verdaccio-gitlab-ci before verdaccio-gitlab in the auth section.

For npm-cli-login I'm then doing this:

```sh
npm install --global --registry https://registry.npmjs.org npm-cli-login
npm-cli-login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" -r "https://$NPM_REGISTRY" -e "nobody@example.com" --config-path "$PWD/.npmrc"
```

@juanpicado
Collaborator

@spangenberg I'd suggest adding it to the list of plugins for more visibility: https://github.com/verdaccio/verdaccio/blob/master/docs/plugins.md#authorization-plugins

@dlouzan
Collaborator

dlouzan commented Oct 20, 2018

I will also add some documentation for this in the verdaccio-gitlab readme, so we close the circle :trollface:

@dlouzan
Collaborator

dlouzan commented Oct 20, 2018

I have been reading the source code of this verdaccio-gitlab-ci plugin and it's quite small, I think we could integrate this functionality into verdaccio-gitlab if the author is ok with it. The main difference at the moment is that verdaccio-gitlab is depending on personal access tokens for authentication, and the gitlab-ci-token plugin seems to depend somehow on the oauth2 flow, although I haven't found any gitlab official documentation for the auth endpoint used in there:

/jwt/auth?account=builder&client_id=docker&offline_token=[FILTERED]&service=container_registry

@spangenberg I still haven't tested it but I assume that you had to configure the gitlab url twice in your verdaccio configuration file, once for each gitlab plugin, isn't it? That would be a direct benefit of integrating this functionality.

I don't think there's currently any way to avoid having to login to npm at the beginning of the gitlab-ci job, much as the same is needed for docker login.

@dlouzan dlouzan self-assigned this Oct 20, 2018
@dlouzan
Collaborator

dlouzan commented Oct 29, 2018

@dlouzan dlouzan removed their assignment Feb 4, 2019
@icedream

icedream commented Feb 20, 2019

Hello,

this seems to have stalled for a while, so I would like to input some information as I would also like to see job tokens being supported as a way of authentication.

node-gitlab is being used to talk to the GitLab API, which currently does not have any directly implemented/documented support for Job Tokens, only for OAuth and Private Access Tokens. So in order to implement this cleanly, firstly, there needs to be a patch for supporting job tokens there. There is a dirty workaround to enforce Job Token authentication through node-gitlab by overriding the headers set internally (see patch linked at the bottom).

Secondly there needs to be a way for NPM to supply login credentials in a way that verdaccio-gitlab can detect the supplied password as Job Tokens, not as Private Access Tokens. I thought of two ideas so far:

  • Supplying ci as username which in GitLab is currently a reserved username anyways so normal users aren't able to log in with that username anyways. Older GitLab versions (I suspect 8 and older) however do not restrict creation of a ci user account so it's not 100% safe for all versions. The reason we can not use gitlab-ci-token as a username is that it is actually not a reserved user name.
  • Supplying the password as ci:<job token here> as PATs - at least from what I know - can not contain colons anyways. The username doesn't matter.

Using Job Tokens will not identify a user, as such the currently implemented username equality check needs to be skipped for Job Token authentication.

I made a quick and dirty patch to try out the effects of using a Job Token with verdaccio-gitlab. With this patch logging in via NPM, via the website and installing packages works for me at least. I did not test publishing packages however yet.

EDIT: I opened an issue at node-gitlab to support Job Tokens.
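
The two detection ideas from the comment above, written out as an added example (not part of the original post and not verdaccio-gitlab code). The function names and the `allowCiUsername` option are hypothetical; `JOB-TOKEN` and `PRIVATE-TOKEN` are the request headers GitLab's REST API uses for the two token types.

```javascript
// Added illustration; function and option names are hypothetical.
const CI_USERNAME = 'ci';          // idea 1: the reserved GitLab username
const CI_PASSWORD_PREFIX = 'ci:';  // idea 2: marker at the start of the password

// Decide how a username/password pair sent by `npm login` should be treated.
// Keep allowCiUsername false when the GitLab instance may allow a real
// account named "ci" (the comment suspects GitLab 8 and older).
function classifyCredentials(username, password, { allowCiUsername = false } = {}) {
  if (typeof password !== 'string' || password.length === 0) {
    return { kind: 'rejected', reason: 'empty password' };
  }
  if (password.startsWith(CI_PASSWORD_PREFIX)) {
    // Only the leading "ci:" is the marker; the rest is passed on untouched.
    const token = password.slice(CI_PASSWORD_PREFIX.length);
    if (token.length === 0) {
      return { kind: 'rejected', reason: 'empty job token' };
    }
    // A job token does not identify a user, so the username check is skipped.
    return { kind: 'job-token', token, checkUsername: false };
  }
  if (allowCiUsername && username === CI_USERNAME) {
    return { kind: 'job-token', token: password, checkUsername: false };
  }
  // Everything else stays on the personal access token path, where the
  // supplied username must still match the token owner.
  return { kind: 'personal-access-token', token: password, checkUsername: true };
}

// Pick the GitLab API header that matches the classified credential.
function gitlabAuthHeader(cred) {
  switch (cred.kind) {
    case 'job-token':
      return { 'JOB-TOKEN': cred.token };
    case 'personal-access-token':
      return { 'PRIVATE-TOKEN': cred.token };
    default:
      throw new Error(`credentials rejected: ${cred.reason}`);
  }
}

// Constructed sample values, not real tokens.
console.log(classifyCredentials('anything', 'ci:sample-job-token'));
console.log(gitlabAuthHeader(classifyCredentials('alice', 'sample-pat')));
```
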

@icedream

Now waiting on a new release for node-gitlab as the changes there have been merged to master.

@icedream

icedream commented Mar 9, 2019

node-gitlab v4.4.1 has been tagged, I am going to try and send in a pull request to run verdaccio-gitlab against this version asap.

@jbergstroem

jbergstroem commented Mar 13, 2019

@icedream said: node-gitlab v4.4.1 has been tagged, I am going to try and send in a pull request to run verdaccio-gitlab against this version asap.

Can't wait! Will be an awesome addition.

@icedream

icedream commented Jul 19, 2019

Hello,

just a little update as I finally got to testing package publishing. The current patches I sent in here are in fact not sufficient to allow for the CI login to be able to publish packages. The reason is that verdaccio-gitlab only checks for GitLab groups a user is assigned to and compares them against the parts of which the package name to publish is made of (so for @group/package it would check if the authenticated user - our CI "user" - is in either the GitLab group group or package). There are no checks for usernames or groups as allowed by the Verdaccio configuration, so no already implemented way to add ci to allowed usernames for publishing.

I respectively added this functionality to my patch set and I will start drafting a pull request with this in the coming days.
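
A model of the publish check as the comment above describes it, as an added example (not part of the original post and not verdaccio-gitlab's code). The user object shape, the function names and the `configuredPublishers` list are assumptions made for illustration.

```javascript
// Added illustration; names and data shapes are hypothetical.

// '@group/package' -> ['group', 'package']; 'package' -> ['package']
function packageNameParts(packageName) {
  const scoped = /^@([^/]+)\/([^/]+)$/.exec(packageName);
  return scoped ? [scoped[1], scoped[2]] : [packageName];
}

// user: { name, groups } as resolved at login.
// configuredPublishers: user or group names allowed to publish in the
// Verdaccio configuration. An empty list models the behaviour described in
// the comment, where only GitLab group membership is consulted.
function canPublish(user, packageName, configuredPublishers = []) {
  const parts = packageNameParts(packageName);
  const byGitlabGroup = user.groups.some((g) => parts.includes(g));
  const byConfig = [user.name, ...user.groups]
    .some((n) => configuredPublishers.includes(n));
  return { allowed: byGitlabGroup || byConfig, byGitlabGroup, byConfig };
}

// Constructed sample identities.
const developer = { name: 'alice', groups: ['group'] };
// A job token identifies no user, so the CI login carries no GitLab groups.
const ciJob = { name: 'ci', groups: [] };

console.log(canPublish(developer, '@group/package')); // allowed through the group
console.log(canPublish(ciJob, '@group/package'));      // denied: no groups to match
// Every job token logs in under the same name, so a 'ci' entry admits any job
// with a valid token; keep such an entry on specific package patterns.
console.log(canPublish(ciJob, '@group/package', ['ci']));
```
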

@jaredvacanti

Is there a distinction between having the Gitlab CI be able to publish packages to a verdaccio instance and having the CI/CD tool pull from private verdaccio registry (authenticated publishing vs authenticated pulling)? Is this PR (not quite a PR, but the gist mentioned by @icedream) required for both?

@Nielio

Nielio commented Sep 7, 2020

Thanks to @spangenberg, I got it!

```yaml
# Verdaccio config.yaml
auth:
  htpasswd: # optional
    file: /verdaccio/htpasswd
    max_users: -1
  gitlab-ci: # has to be before `gitlab`
    url: https://your.gitlab
  gitlab:
    url: https://your.gitlab
```

```dockerfile
# Verdaccio Dockerfile
FROM verdaccio/verdaccio

USER root

# -- Plugins --
# Have to be installed before ENV NODE_ENV=production
# Note: do not use verdaccio-memory. It prevents any persistence for published packages

RUN npm i verdaccio-gitlab-ci
RUN npm i verdaccio-gitlab

# -- Plugins end --

ENV NODE_ENV=production

RUN npm i --no-audit --no-package-lock

COPY config.yaml /verdaccio/conf/

USER verdaccio

EXPOSE 4873
```

```yaml
# .gitlab-ci.yml from npm module repo
publish:
  image: node:12-alpine
  stage: deploy
  before_script:
    - npm i npm-cli-login
    - npx npm-cli-login -u gitlab-ci-token -p "$CI_JOB_TOKEN" -r https://your.verdaccio -e "nobody@your.company" --config-path "$PWD/.npmrc"
  script:
    - npm publish
```
