Description
What is your suggestion?
We are using the Capturing Git scm information pattern. Specifically for one of the reasons identified in the documentation. We work with code where usage of the header files and libraries is open to everyone, but for security reasons the code is limited to people with the appropriate permissions.
However, we are hitting the issue outlined in the Credentials management section.
We use Gitlab with two factor authentiation.
For development work, we use SSH. However the CI/CD pipelines we have use HTTP combined with their unique job tokens.
In gitlab, every job generates a token that is good for the duration of that job and then becomes invalid. It's unique for every job.
We have multiple linux and windows compiles and they are creating different revisions for the same SCM SHA because of the origin URL.
The origin URL is in the format
https://gitlab-ci-token:<CI_JOB_TOKEN>@git.stratovan.com/Stratovan/foo/bar/bar.git
This is of course problematic because the generated package has a unique value,
the CI_JOB_TOKEN for every job compile. Moreover, the gitlab ci/cd pipeline uses https, while all devs use ssh. Meaning the ci/cd packages wouldn't be useable by devs.
I know conan recoimmends using SSH and provids a workflow for github to securely use SSH. But that method is not available in GitLab. The GitLab CI/CD SSH method is for the runners to have an appropriate /.ssh folder with the keys, etc. That makes SSH extremely insecure in GitLab because any repository yaml could dump the contents of those folders, or save the folder as an aritfact, etc. Long story short, using SSH in Gitlab CI/CD is not a secure or acceptable solution.
My team and I have batted around some ideas for this and we're currently using a workaround of
git remote set-url origin <SSH-PATH>
git conan export-pkg .
git remote set-url origin <original-path>
In our replacement scenario, we only do replacement when the origin has git.stratovan.com as that is our code manager.
However, we were wondering about a feature that might allow one to create a pattern for the origin URL for situations like this.
For example we noticed the the two origins that might be used are
ssh://[email protected]:2222/Stratovan/Encircle/Encircle.git
https://gitlab-ci-token:${CI_JOB_TOKEN}@git.stratovan.com/Stratovan/Encircle/Encircle.git
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
It seems like a filter pattern could be used to remove the prefix using a regular expression such as ^.*?git.stratovan.com\(:2222\)* from the origin and use just the remainder of the string Stratovan/Encircle/Encircle.git for the revision calculation.
Could a feature like this be added? What would be the reason to not do something like this?
Have you read the CONTRIBUTING guide?
- I've read the CONTRIBUTING guide