Expose deploy token to CI/CD jobs as environment variable
- If a deploy token named 'gitlab-deploy-token' exists for the project, the CI_DEPLOY_USER and CI_DEPLOY_PASSWORD variables will be exposed
parent
3c3cab8b32
commit
0903456a07
|
@ -624,6 +624,7 @@ module Ci
|
|||
variables.append(key: "CI_PIPELINE_TRIGGERED", value: 'true') if trigger_request
|
||||
variables.append(key: "CI_JOB_MANUAL", value: 'true') if action?
|
||||
variables.concat(legacy_variables)
|
||||
variables.concat(deploy_token_variables) if project.gitlab_deploy_token
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -654,6 +655,13 @@ module Ci
|
|||
end
|
||||
end
|
||||
|
||||
def deploy_token_variables
|
||||
Gitlab::Ci::Variables::Collection.new.tap do |variables|
|
||||
variables.append(key: 'CI_DEPLOY_USER', value: DeployToken::GITLAB_DEPLOY_TOKEN)
|
||||
variables.append(key: 'CI_DEPLOY_PASSWORD', value: project.gitlab_deploy_token.token)
|
||||
end
|
||||
end
|
||||
|
||||
def environment_url
|
||||
options&.dig(:environment, :url) || persisted_environment&.external_url
|
||||
end
|
||||
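Review bot: `CI_DEPLOY_PASSWORD` is appended in `deploy_token_variables` without a `public:` flag, and the spec added under `describe Ci::Build` expects `public: true` for it, so the token value is handled as a non-secret variable. What `public` controls is not visible on this page, but a credential should presumably be marked private wherever that flag affects display, logging or API output: `variables.append(key: 'CI_DEPLOY_PASSWORD', value: project.gitlab_deploy_token.token, public: false)`, with the spec expectation changed to match. The variables are also added for every job once the token exists, so it is worth confirming that jobs running unreviewed branch code are meant to receive it, even though the visible scopes are read-only. The enclosing `Ci::Build` class and the variables method containing the first hunk start outside the hunks.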
|
|
|
@ -4,6 +4,7 @@ class DeployToken < ActiveRecord::Base
|
|||
add_authentication_token_field :token
|
||||
|
||||
AVAILABLE_SCOPES = %i(read_repository read_registry).freeze
|
||||
GITLAB_DEPLOY_TOKEN = 'gitlab-deploy-token'.freeze
|
||||
|
||||
default_value_for(:expires_at) { Forever.date }
|
||||
|
||||
|
|
|
@ -1879,6 +1879,11 @@ class Project < ActiveRecord::Base
|
|||
[]
|
||||
end
|
||||
|
||||
def gitlab_deploy_token
|
||||
@gitlab_deploy_token ||=
|
||||
deploy_tokens.active.find_by(name: DeployToken::GITLAB_DEPLOY_TOKEN)
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def storage
|
||||
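Review bot: `find_by(name: DeployToken::GITLAB_DEPLOY_TOKEN)` in `gitlab_deploy_token` returns whichever active row the database yields first, so if a project can hold several active tokens with that name, the one exposed to CI jobs is arbitrary. No uniqueness rule on the name is visible in this commit, so either confirm one exists or add an explicit order. The `||=` memoization also means a token revoked or expired after the first call is still returned by the same `Project` instance, while a nil result is queried again on every call. A comment such as `# Memoized per instance; a revocation is not seen until the project is reloaded.` would make that explicit. The `Project` class starts and ends outside the hunk.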
|
|
|
@ -10,5 +10,13 @@ FactoryBot.define do
|
|||
trait :revoked do
|
||||
revoked true
|
||||
end
|
||||
|
||||
trait :gitlab_deploy_token do
|
||||
name DeployToken::GITLAB_DEPLOY_TOKEN
|
||||
end
|
||||
|
||||
trait :expired do
|
||||
expires_at { Date.today - 1.month }
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -2035,6 +2035,37 @@ describe Ci::Build do
|
|||
expect(build).not_to be_persisted
|
||||
end
|
||||
end
|
||||
|
||||
context 'for deploy tokens' do
|
||||
let(:deploy_token) { create(:deploy_token, :gitlab_deploy_token) }
|
||||
|
||||
let(:deploy_token_variables) do
|
||||
[
|
||||
{ key: 'CI_DEPLOY_USER', value: DeployToken::GITLAB_DEPLOY_TOKEN, public: true },
|
||||
{ key: 'CI_DEPLOY_PASSWORD', value: deploy_token.token, public: true }
|
||||
]
|
||||
end
|
||||
|
||||
context 'when gitlab-deploy-token exist' do
|
||||
before do
|
||||
project.deploy_tokens << deploy_token
|
||||
end
|
||||
|
||||
it 'should include deploy token variables' do
|
||||
deploy_token_variables.each do |deploy_token_variable|
|
||||
is_expected.to include(deploy_token_variable)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'when gitlab-deploy-token does not exist' do
|
||||
it 'should not include deploy token variables' do
|
||||
deploy_token_variables.each do |deploy_token_variable|
|
||||
is_expected.not_to include(deploy_token_variable)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe '#scoped_variables' do
|
||||
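Review bot: The negative example in 'when gitlab-deploy-token does not exist' cannot fail for `CI_DEPLOY_PASSWORD`, because it compares against a hash holding the value of a freshly created token that is never attached to the project. A password variable leaked with any other value would still pass `not_to include`. Asserting on the keys instead closes that gap, for example `expect(subject.map { |v| v[:key] }).not_to include('CI_DEPLOY_USER', 'CI_DEPLOY_PASSWORD')`, assuming the subject is the list of variable hashes as the positive example suggests. A build-level example for a revoked or expired token would also pin the behaviour that only the `Project` spec covers now. The surrounding `describe` block starts outside the hunk.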
|
|
|
@ -3585,4 +3585,31 @@ describe Project do
|
|||
it { is_expected.not_to be_valid }
|
||||
end
|
||||
end
|
||||
|
||||
describe '#gitlab_deploy_token' do
|
||||
let(:project) { create(:project) }
|
||||
|
||||
subject { project.gitlab_deploy_token }
|
||||
|
||||
context 'when there is a gitlab deploy token associated' do
|
||||
let!(:deploy_token) { create(:deploy_token, :gitlab_deploy_token, projects: [project]) }
|
||||
|
||||
it { is_expected.to eq(deploy_token) }
|
||||
end
|
||||
|
||||
context 'when there is no a gitlab deploy token associated' do
|
||||
it { is_expected.to be_nil }
|
||||
end
|
||||
|
||||
context 'when there is a gitlab deploy token associated but is has been revoked' do
|
||||
let!(:deploy_token) { create(:deploy_token, :gitlab_deploy_token, :revoked, projects: [project]) }
|
||||
it { is_expected.to be_nil }
|
||||
end
|
||||
|
||||
context 'when there is a gitlab deploy token associated but it has expired' do
|
||||
let!(:deploy_token) { create(:deploy_token, :gitlab_deploy_token, :expired, projects: [project]) }
|
||||
|
||||
it { is_expected.to be_nil }
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|