[Feature] Add GitLab CI job token (#57)

* add job token
* fix phar building

Author: ArtARTs36

.github/workflows/release.yml

@@ -9,8 +9,14 @@ jobs:
     steps:
       - uses: actions/checkout@master
 
+      - name: Get release
+        id: get_release
+        uses: bruceadams/[email protected]
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+
       - name: set MR-Linter version
-        run: echo "MR_LINTER_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+        run: echo "MR_LINTER_VERSION=${{ steps.get_release.outputs.tag_name }}" >> $GITHUB_ENV
 
       - name: composer deps
         run: composer install --no-interaction --no-dev --prefer-dist --optimize-autoloader
@@ -26,11 +32,25 @@ jobs:
         with:
           args: gpg --command-fd 0 --pinentry-mode loopback -u [email protected] --batch --detach-sign --output bin/build/mr-linter.phar.asc bin/build/mr-linter.phar
 
-      - name: release phar
-        uses: fnkr/github-action-ghr@v1
+      - name: Upload phar
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.get_release.outputs.upload_url }}
+          asset_path: ./bin/build/mr-linter.phar
+          asset_name: mr-linter.phar
+          asset_content_type: application/octet-stream
+
+      - name: Upload phar.asc
+        uses: actions/upload-release-asset@v1
         env:
-          GHR_PATH: bin/build
-          GITHUB_TOKEN: ${{ secrets.MR_LINTER_GITHUB_HTTP_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.get_release.outputs.upload_url }}
+          asset_path: ./bin/build/mr-linter.phar.asc
+          asset_name: mr-linter.phar.asc
+          asset_content_type: application/octet-stream
 
       - name: build and publish Docker Image
         env:

CHANGELOG.md

@@ -6,6 +6,18 @@ This file contains changelogs.
 
 -----------------------------------------------------------------
 
+## [v0.16.1 (2023-08-13)](https://github.com/ArtARTs36/php-merge-request-linter/compare/0.16.0..0.16.1)
+
+## Added
+* Support GitLab CI job token
+
+## Fixed
+* Fixed phar on "TwigTest not found"
+
+[💾 Assets](https://github.com/ArtARTs36/php-merge-request-linter/releases/tag/0.16.1)
+
+-----------------------------------------------------------------
+
 ## [v0.16.0 (2023-08-06)](https://github.com/ArtARTs36/php-merge-request-linter/compare/0.15.3..0.16.0)
 
 ## Added

Makefile

@@ -18,6 +18,14 @@ try:
 	GITHUB_REF_NAME=${MR_ID}/merge \
 	./bin/mr-linter lint --debug --metrics
 
+# usage as `make try-phar MR_ID=1`
+try-phar: build-phar
+	GITHUB_ACTIONS=1 \
+	GITHUB_REPOSITORY=artarts36/php-merge-request-linter \
+	GITHUB_GRAPHQL_URL=https://api.github.com/graphql \
+	GITHUB_REF_NAME=${MR_ID}/merge \
+	./bin/build/mr-linter.phar lint --debug --metrics
+
 # usage as `make try MR_ID=1`
 try-docker: docker-build
 	docker run \
@@ -161,3 +169,8 @@ deptrac-docker: docker-build
 		artarts36/merge-request-linter "deptrac"
 
 check-docker: lint-docker stat-analyse-docker test-docker deptrac-docker
+
+build-phar:
+	composer install --no-interaction --no-dev --prefer-dist --optimize-autoloader
+	cd dev/build/ && composer install
+	./dev/build/vendor/bin/box compile

box.json.dist

@@ -1,5 +1,5 @@
 {
-    "check-requirements": false,
+    "check-requirements": true,
     "dump-autoload": true,
     "compactors": [
         "KevinGH\\Box\\Compactor\\Json",

dev/build/build.sh

@@ -2,8 +2,7 @@
   "require": {
     "php": "^8.0",
     "ergebnis/composer-normalize": "^2.15.0",
-    "humbug/box": "^3.8",
-    "humbug/php-scoper": "dev-main#0a4e329 as 0.14.2"
+    "humbug/box": "4.3.8"
   },
   "config": {
     "optimize-autoloader": true,

dev/build/composer.json

@@ -65,7 +65,11 @@ public function generate(): JsonSchema
                             'properties' => [
                                 'token' => [
                                     'type' => 'string',
-                                    'description' => 'API Token',
+                                    'description' => 'Access Token',
+                                ],
+                                'job_token' => [
+                                    'type' => 'string',
+                                    'description' => 'Job Token',
                                 ],
                             ],
                         ],

docs/Builder/ConfigJsonSchema/Generator.php

@@ -9,12 +9,12 @@ Examples:
 
 Or generate **yaml** file with following command:
 ```shell
-docker run -v "${PWD}:/app/:rw" --user 1000:1000 -it artarts36/merge-request-linter:0.10.0 install
+docker run -v "${PWD}:/app/:rw" --user 1000:1000 -it artarts36/merge-request-linter:0.16.1 install
 ```
 
 Or generate **json** file with following command:
 ```shell
-docker run -v "${PWD}:/app/:rw" --user 1000:1000 -it artarts36/merge-request-linter:0.10.0 install --format=json
+docker run -v "${PWD}:/app/:rw" --user 1000:1000 -it artarts36/merge-request-linter:0.16.1 install --format=json
 ```
 
 When writing a config, look at [JSON Schema](config-schema.md).
@@ -60,14 +60,39 @@ build:
 3. Add new step into **.gitlab-ci.yml**
    ```yaml
    mr-lint:
-     image: artarts36/merge-request-linter:0.8.0
+     image: artarts36/merge-request-linter:0.16.1
      stage: test
      only:
        - merge_requests
      script:
        - mr-linter lint
    ```
 
+You can also use `$CI_JOB_TOKEN` if you don't intend to use comments.
+
+Configs with `$CI_JOB_TOKEN`:
+
+* mr-linter.yaml:
+   ```yaml
+   ci:
+     gitlab_ci: 
+       credentials:
+         job_token: 'env(MR_LINTER_GITHUB_HTTP_TOKEN)'
+   ```
+
+* gitlab-ci.yaml
+   ```yaml
+   mr-lint:
+     image: artarts36/merge-request-linter:0.16.1
+     stage: test
+     only:
+       - merge_requests
+     variables:
+       MR_LINTER_GITLAB_HTTP_TOKEN: $CI_JOB_TOKEN
+     script:
+       - mr-linter lint --debug
+   ```
+
 ## Usage with Bitbucket Pipelines
 
 1. Create App Password on `https://bitbucket.org/account/settings/app-passwords/new` with permissions: 
@@ -83,7 +108,7 @@ build:
      pull-requests:
        '**':
          - step:
-             image: "artarts36/merge-request-linter:0.11.0"
+             image: "artarts36/merge-request-linter:0.16.1"
              name: PR Review
              script:
                - mr-linter lint

docs/getting-started.md

@@ -150,4 +150,4 @@ Currently is available that rules:
 <td>array of strings </td>
 </tr>
 </tbody>
-</t
+</table>

docs/rules.md

@@ -1765,7 +1765,11 @@
                             "properties": {
                                 "token": {
                                     "type": "string",
-                                    "description": "API Token"
+                                    "description": "Access Token"
+                                },
+                                "job_token": {
+                                    "type": "string",
+                                    "description": "Job Token"
                                 }
                             }
                         }

mr-linter-config-schema.json

@@ -0,0 +1,15 @@
+<?php
+
+namespace ArtARTs36\MergeRequestLinter\Infrastructure\Ci\Credentials;
+
+/**
+ * @codeCoverageIgnore
+ */
+class Header
+{
+    public function __construct(
+        public readonly string $name,
+        public readonly string $value,
+    ) {
+    }
+}

src/Infrastructure/Ci/Credentials/Header.php

@@ -5,33 +5,34 @@
 use ArtARTs36\MergeRequestLinter\Domain\CI\Authenticator;
 use Psr\Http\Message\RequestInterface;
 
-final class TokenAuthenticator implements Authenticator
+final class HeaderAuthenticator implements Authenticator
 {
     public function __construct(
-        private readonly string $header,
-        private readonly string $token,
+        private readonly Header $header,
     ) {
         //
     }
 
-    public function authenticate(RequestInterface $request): RequestInterface
+    public static function bearer(string $token): self
     {
-        return $request->withHeader($this->header, $this->token);
+        return new self(new Header('Authorization', 'Bearer ' . $token));
     }
 
-    public static function bearer(string $token): self
+    public function authenticate(RequestInterface $request): RequestInterface
     {
-        return new self('Authorization', 'Bearer ' . $token);
+        return $request->withHeader($this->header->name, $this->header->value);
     }
 
     /**
-     * @return array<string, string>
+     * @return array<string, array<string, string>>
      */
     public function __debugInfo(): array
     {
         return [
-            'header' => $this->header,
-            'token'  => '******',
+            'header' => [
+                'name' => $this->header->name,
+                'value'  => '******',
+            ],
         ];
     }
 }

src/Infrastructure/Ci/Credentials/TokenAuthenticator.php renamed to src/Infrastructure/Ci/Credentials/HeaderAuthenticator.php

@@ -6,7 +6,7 @@
 use ArtARTs36\MergeRequestLinter\Infrastructure\Ci\Credentials\BasicBase64Authenticator;
 use ArtARTs36\MergeRequestLinter\Infrastructure\Ci\Credentials\CompositeAuthenticator;
 use ArtARTs36\MergeRequestLinter\Infrastructure\Ci\Credentials\HostAuthenticator;
-use ArtARTs36\MergeRequestLinter\Infrastructure\Ci\Credentials\TokenAuthenticator;
+use ArtARTs36\MergeRequestLinter\Infrastructure\Ci\Credentials\HeaderAuthenticator;
 use ArtARTs36\MergeRequestLinter\Infrastructure\Contracts\CI\AuthenticatorMapper;
 use ArtARTs36\MergeRequestLinter\Infrastructure\Contracts\Configuration\ConfigValueTransformer;
 use ArtARTs36\MergeRequestLinter\Infrastructure\Http\Exceptions\InvalidCredentialsException;
@@ -59,7 +59,7 @@ private function createTokenAuthenticator(array $credentials): ?Authenticator
             throw new InvalidCredentialsException('Given empty bitbucket token');
         }
 
-        return TokenAuthenticator::bearer($token);
+        return HeaderAuthenticator::bearer($token);
     }
 
     /**

src/Infrastructure/Ci/System/Bitbucket/Credentials/BitbucketCredentialsMapper.php

@@ -3,7 +3,7 @@
 namespace ArtARTs36\MergeRequestLinter\Infrastructure\Ci\System\Github\Credentials;
 
 use ArtARTs36\MergeRequestLinter\Domain\CI\Authenticator;
-use ArtARTs36\MergeRequestLinter\Infrastructure\Ci\Credentials\TokenAuthenticator;
+use ArtARTs36\MergeRequestLinter\Infrastructure\Ci\Credentials\HeaderAuthenticator;
 use ArtARTs36\MergeRequestLinter\Infrastructure\Contracts\CI\AuthenticatorMapper;
 use ArtARTs36\MergeRequestLinter\Infrastructure\Contracts\Configuration\ConfigValueTransformer;
 use ArtARTs36\MergeRequestLinter\Infrastructure\Http\Exceptions\InvalidCredentialsException;
@@ -30,6 +30,6 @@ public function map(array $credentials): Authenticator
             ));
         }
 
-        return TokenAuthenticator::bearer($this->value->tryTransform($credentials['token']));
+        return HeaderAuthenticator::bearer($this->value->tryTransform($credentials['token']));
     }
 }

src/Infrastructure/Ci/System/Github/Credentials/GithubActionsCredentialsMapper.php

@@ -41,8 +41,9 @@ public function getMergeRequestId(): ?int
 
         if (! $id->isDigit()) {
             throw new InvalidEnvironmentVariableValueException(sprintf(
-                'Var "%s" is invalid. Expected: {id}/merge',
+                'Var "%s" is invalid. Expected: {id}/merge, given: "%s"',
                 VarName::RefName->value,
+                $ref,
             ));
         }
 

src/Infrastructure/Ci/System/Github/Env/GithubEnvironment.php

@@ -3,7 +3,8 @@
 namespace ArtARTs36\MergeRequestLinter\Infrastructure\Ci\System\Gitlab\Credentials;
 
 use ArtARTs36\MergeRequestLinter\Domain\CI\Authenticator;
-use ArtARTs36\MergeRequestLinter\Infrastructure\Ci\Credentials\TokenAuthenticator;
+use ArtARTs36\MergeRequestLinter\Infrastructure\Ci\Credentials\Header;
+use ArtARTs36\MergeRequestLinter\Infrastructure\Ci\Credentials\HeaderAuthenticator;
 use ArtARTs36\MergeRequestLinter\Infrastructure\Contracts\CI\AuthenticatorMapper;
 use ArtARTs36\MergeRequestLinter\Infrastructure\Contracts\Configuration\ConfigValueTransformer;
 use ArtARTs36\MergeRequestLinter\Infrastructure\Http\Exceptions\InvalidCredentialsException;
@@ -18,12 +19,28 @@ public function __construct(
 
     public function map(array $credentials): Authenticator
     {
-        if (empty($credentials['token']) || ! is_string($credentials['token'])) {
-            throw new InvalidCredentialsException(sprintf(
-                'Gitlab CI supported only token',
-            ));
+        $tokenFetchMap = [
+            'token' => 'PRIVATE-TOKEN',
+            'job_token' => 'JOB-TOKEN',
+        ];
+
+        $header = null;
+
+        foreach ($tokenFetchMap as $key => $headerName) {
+            if (! empty($credentials[$key]) && is_string($credentials[$key])) {
+                $header = new Header(
+                    $headerName,
+                    $this->valueTransformer->tryTransform($credentials[$key]),
+                );
+            }
+        }
+
+        if ($header === null) {
+            throw new InvalidCredentialsException(
+                'Credentials for Gitlab CI not provided. Must be provided access token or job token',
+            );
         }
 
-        return new TokenAuthenticator('PRIVATE-TOKEN', $this->valueTransformer->tryTransform($credentials['token']));
+        return new HeaderAuthenticator($header);
     }
 }

src/Infrastructure/Ci/System/Gitlab/Credentials/GitlabCredentialsMapper.php

@@ -8,7 +8,7 @@
  */
 final class Version
 {
-    public const VERSION = '0.16.0';
+    public const VERSION = '0.16.1';
 
     private function __construct()
     {