GitLab support via webhook bridge (ADR 0043) #1964

Description

@ggallen

Context

ADR 0028 (GitLab Support Architecture) was deprecated because the surrounding infrastructure changed significantly since it was written — the token mint (ADR 0029), synchronous dispatch (ADR 0041), reusable workflows (ADR 0031), and per-repo mode (ADR 0033) all shifted the baseline.

Decision

ADR 0043 supersedes ADR 0028 with a webhook bridge architecture:

  • Bridge Cloud Function: Translates GitLab webhooks into pipeline triggers, isolating untrusted payload handling from the token mint
  • GitLab OIDC via JWKS: Child pipelines authenticate to the mint using GitLab OIDC tokens
  • Project Access Tokens: Per-role per-project PATs stored in Secret Manager, distributed through the existing mint model
  • Defense in depth: Hardcoded ref, protected CI/CD variables, per-project webhook secrets

Deliverables

  • ADR 0043 documenting the architectural decision
  • Implementation plan (docs/problems/gitlab-support.md) covering 7 phases
  • Implementation (future PRs)
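The bridge-side checks named in the Decision list (per-project webhook secrets, hardcoded ref, untrusted payload kept away from the mint), sketched as an added example that is not code from this issue or from ADR 0043. The project IDs, secrets, ref name, status codes and the shape of the returned trigger request are constructed assumptions; `X-Gitlab-Token` and `X-Gitlab-Event` are the headers GitLab sends with a webhook.

```python
import hmac

# Constructed values for illustration; in the design above the secrets
# would be loaded from Secret Manager rather than embedded.
PIPELINE_REF = "main"  # hardcoded ref: never read from the webhook payload
WEBHOOK_SECRETS = {"101": "constructed-secret-a", "202": "constructed-secret-b"}
ALLOWED_EVENTS = {"Merge Request Hook"}


def handle_webhook(headers, payload):
    """Return (http_status, trigger_request); trigger_request is None unless accepted."""
    project = payload.get("project") if isinstance(payload, dict) else None
    project_id = str(project.get("id")) if isinstance(project, dict) else ""

    # Per-project secret: a secret leaked from one project cannot be used
    # to trigger pipelines for another.
    expected = WEBHOOK_SECRETS.get(project_id)
    presented = str(headers.get("X-Gitlab-Token", ""))
    # Constant-time compare, performed even for unknown projects so that
    # "unknown project" and "wrong secret" take the same path.
    matches = hmac.compare_digest(presented.encode(), (expected or "").encode())
    if expected is None or not matches:
        return 401, None

    if headers.get("X-Gitlab-Event") not in ALLOWED_EVENTS:
        return 204, None  # authenticated, but not an event the bridge acts on

    # Forward only a validated scalar; the rest of the payload is dropped here
    # and never reaches the pipeline or the token mint.
    attrs = payload.get("object_attributes")
    iid = attrs.get("iid") if isinstance(attrs, dict) else None
    if isinstance(iid, bool) or not isinstance(iid, int) or iid <= 0:
        return 400, None

    return 202, {
        "project_id": project_id,
        "ref": PIPELINE_REF,
        "variables": {"MR_IID": str(iid)},
    }
```
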

Metadata

Labels

  • component/dispatch: Workflow dispatch and triggers
  • component/mint: Token mint and cross-boundary credentials
  • feature: Feature-category issue awaiting human prioritization
  • triaged: Triaged but awaiting human prioritization
  • type/feature: New capability request

Projects

Status
In progress
