From b6d5d32216810e059e97f06dfb803f9750d97ef2 Mon Sep 17 00:00:00 2001 From: Manuel Leonhardt Date: Wed, 14 Aug 2024 19:27:20 +0200 Subject: [PATCH 1/4] docs(gitlab): rework authentication - Deploy Tokens can not be used as `RENOVATE_TOKEN` as they lack `api` permissions - Mention Project Access Tokens - Add links to point to the corresponding sections in GitLab's docs Closes #30603. --- lib/modules/platform/gitlab/readme.md | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/lib/modules/platform/gitlab/readme.md b/lib/modules/platform/gitlab/readme.md index c9293f90d26b38..ea572842c06d73 100644 --- a/lib/modules/platform/gitlab/readme.md +++ b/lib/modules/platform/gitlab/readme.md 
@@ -2,21 +2,24 @@ ## Authentication -You can authenticate Renovate to GitLab, with a Personal Access Token, or Group Access Token. +You can authenticate Renovate to GitLab, with a [Personal Access Token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html), [Project Access Token](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html) or [Group Access Token](https://docs.gitlab.com/ee/user/group/settings/group_access_tokens.html). To start, create either: -- a [Personal Access Token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) for the bot account -- or a [Group Access Token](https://docs.gitlab.com/ee/user/group/settings/group_access_tokens.html#bot-users-for-groups) for the bot account -- or a [Deploy Token](https://docs.gitlab.com/ee/user/project/deploy_tokens/index.html) for the bot account +- a [Personal Access Token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html#create-a-personal-access-token) for the bot account +- or a [Project Access Token](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html#create-a-project-access-token) to the project Renovate will be working on +- or a [Group Access Token](https://docs.gitlab.com/ee/user/group/settings/group_access_tokens.html#create-a-group-access-token-using-ui) to the group Renovate will be working on -The bot account must have at least the Developer role in order to [create issues and merge requests](https://docs.gitlab.com/ee/user/permissions.html#project-members-permissions). -If you are using automerge, the bot account must have the appropriate ["Allowed to merge" permission on the protected branch](https://docs.gitlab.com/ee/user/project/protected_branches.html#require-everyone-to-submit-merge-requests-for-a-protected-branch) of your projects. -If merging is restricted to Maintainers, the bot account must have the Maintainer role. 
+The bot account or token must have at least the Developer role in order to [create issues and merge requests](https://docs.gitlab.com/ee/user/permissions.html#project-members-permissions). +If you are using automerge, the bot account or token must have the appropriate ["Allowed to merge" permission on the protected branch](https://docs.gitlab.com/ee/user/project/protected_branches.html#require-everyone-to-submit-merge-requests-for-a-protected-branch) of your projects. +If merging is restricted to Maintainers, the bot account or token must have the Maintainer role. -If you are using a group access token, to keep using the same GitLab-generated bot user you must [rotate/refresh the Group Access Token](https://docs.gitlab.com/ee/api/group_access_tokens.html#rotate-a-group-access-token) _before_ the token's expiry date. +If you are using a project access token or a group access token, GitLab creates an [internal](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html#bot-users-for-projects) [bot](https://docs.gitlab.com/ee/user/group/settings/group_access_tokens.html#bot-users-for-groups) user for you. +This bot user is the one that will be used to create merge requests and issues. +For group access tokens, an expiration date is required, unlike project access tokens where it is optional. +To keep using the same GitLab-generated bot account you must [rotate/refresh the Group Access Token](https://docs.gitlab.com/ee/api/group_access_tokens.html#rotate-a-group-access-token) _before_ the token's expiry date. -We refer to personal access tokens and group access tokens as _access tokens_ in the instructions that follow. +We refer to personal access tokens, project access tokens and group access tokens as _access tokens_ in the instructions that follow. For real runs, give the access token these scopes: 
@@ -44,6 +47,8 @@ If you're using a private [GitLab container registry](https://docs.gitlab.com/ee - Make sure the user that owns the access token is a member of the corresponding GitLab projects/groups with the right permissions. - Make sure the access token has the `read_registry` scope. +You may also use a dedicated [Deploy Token](https://docs.gitlab.com/ee/user/project/deploy_tokens/) instead of using `RENOVATE_TOKEN` as the password in the above host rule example. + You may want to set `FORCE_COLOR: 3` or `TERM: ansi` to the job, in order to get colored output. [GitLab Runner runs the container’s shell in non-interactive mode, so the shell’s `TERM` environment variable is set to `dumb`.](https://docs.gitlab.com/ee/ci/yaml/script.html#job-log-output-is-not-formatted-as-expected-or-contains-unexpected-characters) From b6ee93c36685b22890e61df21e0b8cdf1834be91 Mon Sep 17 00:00:00 2001 From: Manuel Leonhardt Date: Wed, 14 Aug 2024 19:28:53 +0200 Subject: [PATCH 2/4] docs(gitlab): add note about verifying users using push rules --- lib/modules/platform/gitlab/readme.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lib/modules/platform/gitlab/readme.md b/lib/modules/platform/gitlab/readme.md index ea572842c06d73..d01c3736a3c304 100644 --- a/lib/modules/platform/gitlab/readme.md +++ b/lib/modules/platform/gitlab/readme.md 
@@ -16,6 +16,7 @@ If merging is restricted to Maintainers, the bot account or token must have the If you are using a project access token or a group access token, GitLab creates an [internal](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html#bot-users-for-projects) [bot](https://docs.gitlab.com/ee/user/group/settings/group_access_tokens.html#bot-users-for-groups) user for you. This bot user is the one that will be used to create merge requests and issues. +Use the name and email of this bot user to configure Renovate when [verifing users using push rules](#verifying-users-using-push-rules). For group access tokens, an expiration date is required, unlike project access tokens where it is optional. To keep using the same GitLab-generated bot account you must [rotate/refresh the Group Access Token](https://docs.gitlab.com/ee/api/group_access_tokens.html#rotate-a-group-access-token) _before_ the token's expiry date. @@ -70,3 +71,7 @@ By setting the server version yourself, you save a API call that fetches the ser Due to licensing restrictions [multiple assignees](https://docs.gitlab.com/ee/user/project/issues/multiple_assignees_for_issues.html) are only available in GitLab Premium self-managed, GitLab Premium SaaS, and higher tiers. Because of a safeguard in [GitLab's API](https://github.com/renovatebot/renovate/pull/14212#issuecomment-1040189712) if multiple assignees are set, but not available to the project, only the first assignee will be applied. + +## Verifying users using push rules + +When verifying users using [push rules](https://docs.gitlab.com/ee/user/project/repository/push_rules.html#verify-users), you must use the name and email of the bot user for `gitAuthor`. From a5b7e61532153414a19ae90c5f66c73e9e9ae7f8 Mon Sep 17 00:00:00 2001 
From: Manuel Leonhardt Date: Wed, 14 Aug 2024 19:28:23 +0200 Subject: [PATCH 3/4] docs(gitlab): simplify language --- lib/modules/platform/gitlab/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/modules/platform/gitlab/readme.md b/lib/modules/platform/gitlab/readme.md index d01c3736a3c304..38301b2b90bbe1 100644 --- a/lib/modules/platform/gitlab/readme.md +++ b/lib/modules/platform/gitlab/readme.md @@ -69,7 +69,7 @@ By setting the server version yourself, you save a API call that fetches the ser ## Multiple merge request assignees -Due to licensing restrictions [multiple assignees](https://docs.gitlab.com/ee/user/project/issues/multiple_assignees_for_issues.html) are only available in GitLab Premium self-managed, GitLab Premium SaaS, and higher tiers. +[Multiple assignees](https://docs.gitlab.com/ee/user/project/issues/multiple_assignees_for_issues.html) are only available on GitLab Premium and Ultimate tiers. Because of a safeguard in [GitLab's API](https://github.com/renovatebot/renovate/pull/14212#issuecomment-1040189712) if multiple assignees are set, but not available to the project, only the first assignee will be applied. ## Verifying users using push rules From ee01a8d51dcd446add2a4c0390f4836614eab666 Mon Sep 17 00:00:00 2001 From: Rhys Arkins Date: Sun, 22 Sep 2024 09:23:22 +0200 Subject: [PATCH 4/4] Update lib/modules/platform/gitlab/readme.md --- lib/modules/platform/gitlab/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/modules/platform/gitlab/readme.md b/lib/modules/platform/gitlab/readme.md index 38301b2b90bbe1..9464be5ad440c5 100644 --- a/lib/modules/platform/gitlab/readme.md +++ b/lib/modules/platform/gitlab/readme.md 
@@ -7,7 +7,7 @@ You can authenticate Renovate to GitLab, with a [Personal Access Token](https:// To start, create either: - a [Personal Access Token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html#create-a-personal-access-token) for the bot account -- or a [Project Access Token](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html#create-a-project-access-token) to the project Renovate will be working on +- or a [Project Access Token](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html#create-a-project-access-token) if Renovate only needs to check/update one project (usually not recommended as it requires configuring Renovate and tokens once per project) - or a [Group Access Token](https://docs.gitlab.com/ee/user/group/settings/group_access_tokens.html#create-a-group-access-token-using-ui) to the group Renovate will be working on The bot account or token must have at least the Developer role in order to [create issues and merge requests](https://docs.gitlab.com/ee/user/permissions.html#project-members-permissions).
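Review bot: In PATCH 1/4, hunk `@@ -2,21 +2,24 @@`, the rotation instruction still names only the Group Access Token, although the added sentences just before it say GitLab creates a bot user for project access tokens too and that a project token's expiry date is optional, not absent. A project access token created with an expiry date gets no guidance here. Consider wording such as "you must rotate/refresh the Project or Group Access Token _before_ the token's expiry date", with a link for each token type. In the same hunk, splitting the link text across "[internal]" and "[bot]" hides which link covers projects and which covers groups; "a bot user for [projects](...) or [groups](...)" would be easier to follow.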
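Review bot: In PATCH 1/4, hunk `@@ -44,6 +47,8 @@`, the added Deploy Token sentence does not say which scope the deploy token needs, while the bullet directly above it requires `read_registry` for the access token. State the scope for the deploy token as well, so readers create it with registry read access only, and say whether the username in the host rule example has to change too, since the sentence speaks only of replacing the password.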
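Review bot: In PATCH 2/4, hunk `@@ -16,6 +16,7 @@`, the added line has a typo in the link text: "verifing users using push rules" should be "verifying users using push rules". The anchor `#verifying-users-using-push-rules` is already spelled correctly and matches the heading added later in this patch, so only the visible text needs the fix.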
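Review bot: In PATCH 2/4, hunk `@@ -70,3 +71,7 @@`, the new "Verifying users using push rules" section tells readers to use the bot user's name and email for `gitAuthor` but not where to find those values or what the setting should look like. Add a sentence on where the GitLab-generated bot user's name and email can be looked up, and show a sample `gitAuthor` value. It would also help to say what "the bot user" means for readers who authenticate with a Personal Access Token, since the Authentication section only describes a generated bot user for project and group access tokens.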
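Review bot: In PATCH 4/4, hunk `@@ -7,7 +7,7 @@`, the parenthetical "usually not recommended as it requires configuring Renovate and tokens once per project" gives only the operational cost of a Project Access Token and makes the list item much longer than its two siblings. A project token also confines Renovate's credentials to a single project, which some readers will want for exactly that reason, so consider stating the trade-off neutrally and moving it out of the bullet into a sentence below the list, keeping the three items parallel ("for the bot account", "for the project ...", "for the group ...").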