docs: ADR 0043 — GitLab per-repo support via OIDC/WIF and webhook bridge #2042
ggallen wants to merge 1 commit into
Review: All five prior medium-severity findings have been resolved: the constructor call mismatch is fixed, No medium or higher findings remain. The ADR is architecturally sound — it preserves the forge abstraction (ADR 0005), reuses WIF/Secret Manager infrastructure, maintains the per-repo config layering model (ADR 0033/0035), and follows the project's threat priority order with a thorough 7-layer security model. Findings: Low
Previous run. Review: The two medium-severity findings from the prior review (CI_JOB_TOKEN reference in gitlab-implementation.md, stale dual-token references in the implementation plan) have both been fixed. Three medium-severity documentation accuracy issues remain. None block the architectural decision. Findings: Medium, Low
Previous run (2). Review: The three high-severity findings from the prior review (bot filter blocking changes-requested marker, Note Hook minimal payload missing fields, fix.yml reading wrong payload path) have all been addressed. The dispatch.yml now correctly checks the changes-requested marker before the bot filter, the Note Hook minimal payload includes all required fields, and fix.yml reads from Two medium-severity editorial accuracy issues remain. Findings: Medium, Low
Good catch — this is a valid alternative that wasn't evaluated. I've added it as an open question in the ADR under "Native The short version: acknowledged as a future optimization, deferred for now. Reasons:
Event routing model: scope the bridge, document what's native

Follow-up to my earlier comments on OIDC/WIF credentials (adopted) and Now that the credential model is settled (OIDC/WIF, no Proposed event routing table

Review→fix loop requires no separate mechanism

The review→fix iteration cycle falls out naturally from the bridge + native MR events:

No recursive pipelines, no parent-child nesting tricks. The bridge is the iteration controller, native MR events handle re-review.

The ask

The ADR currently presents the bridge as the dispatch path for all events. With native
… bridge

Adds ADR 0043 and a companion implementation plan for GitLab per-repo installation mode. Uses GitLab OIDC id_tokens with GCP Workload Identity Federation to retrieve a bot project access token from Secret Manager — no credentials stored as CI/CD variables, no custom token mint. Supersedes ADR 0028 (per-org model). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Greg Allen <gallen@redhat.com>
| 7. Verify review pipeline fires on MR open | ||
| 8. Run `fullsend admin uninstall group/project --forge gitlab` | ||
| 9. Verify cleanup (webhook removed, project access token revoked, variables deleted) | ||
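Review bot: step 9's cleanup list (webhook removed, project access token revoked, variables deleted) omits the pipeline trigger token the bridge uses to call the Pipeline Trigger API; an uninstall that leaves it valid leaves the project triggerable by anyone who still holds that token. Suggest adding trigger-token revocation to the uninstall path and to this check, e.g. `| 9. Verify cleanup (webhook removed, project access token revoked, pipeline trigger token revoked, variables deleted) |`.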
[low] consumer completeness
Phase 1 method mapping table omits SetOrgSecretRepos and SetOrgVariableRepos from forge.Client. GitLab LiveClient must implement these (returning ErrNotSupported) to satisfy the interface.
Suggested fix: Add rows for SetOrgSecretRepos and SetOrgVariableRepos returning ErrNotSupported.
| - `TriggerPipeline` — record call with variables | ||
| ## Security-Critical Code Paths | ||
[low] internal consistency
MergeChangeProposal appears twice in Phase 1 method mapping table. Both map to MergeRequests.AcceptMergeRequest. Duplicate entry.
| ### Integration wiring | ||
| - `fullsend run --forge gitlab` constructs a GitLab forge client with the bot PAT from `FULLSEND_FORGE_TOKEN` environment variable (retrieved from Secret Manager via OIDC/WIF in the pipeline script) |
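Review bot: this bullet has the bot PAT fetched inside the pipeline script and handed to `fullsend run --forge gitlab` through `FULLSEND_FORGE_TOKEN`, but nothing in the wiring says how that value stays out of the job log once it is a plain shell variable rather than a stored CI/CD variable. Suggest the integration wiring state that the retrieval step runs without shell tracing, never echoes the token, and exports it only to the `fullsend run` process rather than to the whole job environment.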
[low] internal consistency
Phase 0 file table lists internal/cli/github.go for GetAppClientID update, but GetAppClientID is not called in that file. The callers are in internal/appsetup/appsetup.go (already listed). The row is a no-op.
| **Stage pipelines** (`.gitlab/ci/triage.yml`, `code.yml`, etc.): | ||
| ```yaml | ||
| # fullsend-stage: triage | ||
[low] infrastructure-dependency
Webhook bridge operational concerns (monitoring, SLO, runbooks) not addressed. ADR covers deployment and security but defers ops. Consider filing a follow-up issue.
| **Network connectivity**: The bridge must be able to reach the GitLab instance's Pipeline Trigger API endpoint. For gitlab.com (public API), a standard Cloud Function works. For self-hosted GitLab behind a VPN or firewall, the bridge should be deployed where it can already reach GitLab — not the other way around. Setting up VPN peering from GCP to a corporate network solely to solve a CI trigger limitation is disproportionate infrastructure for the problem. | ||
| Deployment options for internal GitLab instances: | ||
| - **On-premise deployment (preferred)**: Deploy the bridge as a standalone container on infrastructure inside the corporate network (OpenShift, Kubernetes, or any container host). The bridge is a self-contained Go binary with no GCP runtime dependency — it only needs outbound HTTPS to the GitLab API. This is the expected default for internal instances like gitlab.cee. |
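Review bot: the on-premise bullet's "it only needs outbound HTTPS to the GitLab API" understates the network requirement. A webhook bridge also has an inbound side: the GitLab instance must be able to deliver webhooks to it, and the webhook secret is checked on that endpoint. The "Network connectivity" paragraph above covers only the outbound Pipeline Trigger API direction, so suggest stating the inbound reachability requirement (bridge endpoint reachable from the GitLab instance) alongside the outbound one for each deployment option.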
I understand this same binary is the one that will get deployed as a GCP cloud function. If that is the case it will be great, so we don't have different binaries for different locations. Just a binary, you choose where to run it.
Replace the webhook bridge from PR #2042's GitLab design with cron-based polling. Scheduled pipelines query the GitLab API for new issues, comments, and label changes. MR events continue via native CI triggers. Eliminates the external Cloud Function, webhook secrets, and trigger tokens. Includes companion implementation plan with 6-phase build-out. Signed-off-by: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Greg Allen <gallen@redhat.com>
Remove all references to PR #2042 and ADR 0043. Present cron-polling event dispatch as the original GitLab support design. Webhooks appear only as a considered-and-rejected alternative with clear rationale. Signed-off-by: Claude <noreply@anthropic.com> Signed-off-by: Greg Allen <gallen@redhat.com>
Superseded by #2853.
Retro: PR #2042 — ADR 0043 GitLab per-repo support

Outcome: Closed without merge, superseded by #2853.

Timeline

Assessment

The workflow worked as designed. Human reviewers provided the high-value architectural feedback (credential model redesign, alternative dispatch mechanisms) that the review bot cannot provide. The review bot contributed legitimate mechanical findings (duplicate table entries, missing interface methods, internal consistency issues in the implementation plan — including two HIGH-severity findings in intermediate revisions). The bot approved the final revision appropriately; the eventual supersession was driven by architectural decisions from human domain experts, not by review gaps.

Existing coverage

All improvement areas I investigated are already covered by open issues:

No new proposals warranted.
Note: Supersedes #1816 (GitLab support via webhook bridge — per-org model). This PR redesigns GitLab support around per-repo-only installation based on review feedback from ifireball and waynesun09.

Summary

- `id_tokens` with GCP Workload Identity Federation to retrieve a bot project access token from Secret Manager
- `api` scope provides REST + GraphQL API access and bot identity
- `docs/plans/gitlab-per-repo-implementation.md` with 6-phase build-out, security-critical path analysis, and verification checklist

Test plan

- `make lint` passes (ADR status, numbers, frontmatter, markdown links all clean)

🤖 Generated with Claude Code
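The credential retrieval the summary describes (GitLab CI OIDC `id_token`, exchanged through GCP Workload Identity Federation for a short-lived GCP access token, which then reads the bot project access token from Secret Manager) as an added example; this is not code from the PR or from fullsend. The project number, pool, provider and secret names are placeholders, the HTTP transport is injected so the chain can be exercised offline, and the id_token and transports used at the bottom are constructed stand-ins.

```python
"""Added example, not the PR's or fullsend's own code: GitLab CI OIDC id_token ->
GCP Workload Identity Federation (STS token exchange) -> Secret Manager.
The HTTP transport is injected so the flow can be run offline; project number,
pool, provider and secret names are placeholders."""
import base64
import json
from typing import Callable

# Placeholder WIF provider and secret (assumed names, not the project's).
WIF_AUDIENCE = ("//iam.googleapis.com/projects/123456789012/locations/global/"
                "workloadIdentityPools/gitlab-pool/providers/gitlab-provider")
# GCP's default allowed audience for a WIF provider is the https:// form of its
# resource name; that is what the job requests in `id_tokens:` / `aud:`.
ID_TOKEN_AUDIENCE = "https:" + WIF_AUDIENCE
STS_URL = "https://sts.googleapis.com/v1/token"
SECRET_RESOURCE = "projects/123456789012/secrets/fullsend-gitlab-bot/versions/latest"

HttpPost = Callable[[str, dict, dict], dict]   # (url, headers, json_body) -> json
HttpGet = Callable[[str, dict], dict]          # (url, headers) -> json


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_id_token(id_token: str, expected_audience: str) -> dict:
    """Local misconfiguration guard only: decode the claims WITHOUT verifying the
    signature (GCP STS verifies it against GitLab's JWKS) and refuse to send a
    token whose aud is not this WIF provider."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_audience not in auds:
        raise ValueError(f"id_token aud {auds!r} is not the WIF provider")
    return claims


def exchange_for_gcp_token(id_token: str, http_post: HttpPost) -> str:
    """RFC 8693 token exchange as GCP STS implements it: the per-job GitLab
    id_token becomes a short-lived GCP access token; nothing is stored."""
    body = {
        "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
        "audience": WIF_AUDIENCE,
        "scope": "https://www.googleapis.com/auth/cloud-platform",
        "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
        "subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
        "subjectToken": id_token,
    }
    return http_post(STS_URL, {"Content-Type": "application/json"}, body)["access_token"]


def fetch_bot_token(gcp_access_token: str, http_get: HttpGet) -> str:
    """Secret Manager access: the project access token arrives base64-encoded
    in payload.data."""
    url = f"https://secretmanager.googleapis.com/v1/{SECRET_RESOURCE}:access"
    resp = http_get(url, {"Authorization": f"Bearer {gcp_access_token}"})
    return base64.b64decode(resp["payload"]["data"]).decode()


def retrieve_forge_token(id_token: str, http_post: HttpPost, http_get: HttpGet) -> str:
    """The whole chain a pipeline script runs before handing the result to the
    fullsend process as FULLSEND_FORGE_TOKEN."""
    check_id_token(id_token, ID_TOKEN_AUDIENCE)
    return fetch_bot_token(exchange_for_gcp_token(id_token, http_post), http_get)


# ---- constructed offline stand-ins: no network, no real signature -----------
FAKE_GCP_TOKEN = "ya29.constructed-example"
FAKE_BOT_TOKEN = "glpat-CONSTRUCTED-EXAMPLE"


def make_fake_id_token(aud: str) -> str:
    """Unsigned JWT shaped like a GitLab CI id_token (constructed; dummy signature)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": "https://gitlab.example", "aud": aud,
              "project_path": "group/project", "ref": "main"}
    return f"{enc(header)}.{enc(claims)}.dummysig"


def fake_post(url: str, headers: dict, body: dict) -> dict:
    """Stands in for STS; checks the exchange request is well-formed."""
    assert url == STS_URL and body["audience"] == WIF_AUDIENCE
    assert body["grantType"] == "urn:ietf:params:oauth:grant-type:token-exchange"
    return {"access_token": FAKE_GCP_TOKEN, "token_type": "Bearer", "expires_in": 3599}


def fake_get(url: str, headers: dict) -> dict:
    """Stands in for Secret Manager; requires the exchanged GCP token."""
    assert url.endswith(":access") and headers["Authorization"] == f"Bearer {FAKE_GCP_TOKEN}"
    data = base64.b64encode(FAKE_BOT_TOKEN.encode()).decode()
    return {"name": SECRET_RESOURCE, "payload": {"data": data}}


if __name__ == "__main__":
    token = retrieve_forge_token(make_fake_id_token(ID_TOKEN_AUDIENCE), fake_post, fake_get)
    # Never echo the token itself in a job log; report only that it was retrieved.
    print(f"retrieved bot token ({len(token)} chars)")
```

In a real job the id_token is requested in `.gitlab-ci.yml` with `id_tokens:` (e.g. `GITLAB_OIDC_TOKEN: {aud: <ID_TOKEN_AUDIENCE>}`) and `fake_post`/`fake_get` are replaced by real HTTPS calls; the point the example makes is that the only credential present in the job before the exchange is the per-job id_token, which expires with the job, so there is nothing long-lived to store as a CI/CD variable, and the audience check refuses to forward a token minted for some other consumer.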