Skip to content

Use CI JOB TOKEN to push code #901

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Use CI JOB TOKEN to push code #901

wants to merge 5 commits into from

Conversation

@tachyons
Copy link

@tachyons tachyons commented Sep 10, 2025
edited by hearts bot
Loading

This PR is built on top of #859

GitLab now supports git push authenticted using CI JOB token. This PR update the authentication logic to also support CI JOB TOKEN when available.

@marchermans
Copy link

marchermans commented Sep 15, 2025
edited by hearts bot
Loading

Any update on this, as this is a blocker for us as well?

@tachyons tachyons marked this pull request as draft September 15, 2025 11:41
@tachyons tachyons mentioned this pull request Sep 16, 2025
Closed
@fgreinacher fgreinacher requested a review from Copilot September 16, 2025 06:53
Copilot AI reviewed Sep 16, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds support for using GitLab CI Job Tokens as an alternative authentication method for semantic-release operations. The change allows CI pipelines to authenticate using the built-in CI_JOB_TOKEN instead of requiring separate access tokens, while handling the limitations of job tokens around commenting permissions.

  • Adds job token detection and appropriate header handling (JOB-TOKEN vs PRIVATE-TOKEN)
  • Implements validation to require explicit disabling of comment conditions when using job tokens
  • Updates documentation and error messages to reflect support for multiple token types

Reviewed Changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
lib/resolve-config.js Detects job token usage and sets appropriate token header
lib/verify.js Adds job token validation and uses dynamic token headers
lib/publish.js Uses dynamic token header for API requests
lib/success.js Uses dynamic token header for API requests
lib/fail.js Uses dynamic token header for API requests
lib/definitions/errors.js Updates error messages to include job token information and adds new error for job token comment restrictions
test/helpers/mock-gitlab.js Updates mock to handle both token types
test/resolve-config.test.js Adds test for job token detection
test/verify.test.js Adds tests for job token comment condition validation
test/integration.test.js Adds integration test for job token workflow
README.md Documents job token usage and limitations

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

@tachyons tachyons marked this pull request as ready for review September 16, 2025 07:24
fgreinacher
fgreinacher reviewed Sep 16, 2025
View reviewed changes
@fgreinacher
Copy link
Contributor

fgreinacher commented Sep 17, 2025
edited by hearts bot
Loading

@tachyons I'm really struggling with this due to all of the limitations with the job token. Please give me some more days to think about it 🙇

fgreinacher
fgreinacher reviewed Oct 5, 2025
View reviewed changes
Copy link
Contributor

@fgreinacher fgreinacher left a comment
edited by hearts bot
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry this took so long @tachyons.

I'm fine to go forward with the job token, but I'd like this to be a more conscious decision of the user so that they are not surprised by the limitations. What do you think about introducing a dedicated configuration option for "opting in" to the job token instead of just reusing the existing variable? We might also use the same option to disable unsupported features like issue/MR comments.

@arvest-bjoneson
Copy link

arvest-bjoneson commented Oct 16, 2025
edited by hearts bot
Loading

@fgreinacher

I might potentially argue that the user is already explicitly "opting in" by manually assigning either GL_TOKEN or GITLAB_TOKEN the value of the CI_JOB_TOKEN. The upstream semantic-release project already inherently supports this, as the git client does not require any special headers when using a job token.

IMHO, with the error messages and documentation changes introduced by the this PR, the user is made directly aware of the limitations (specifically around comments), and asked to explicitly disable them when using the job token.

I believe it may actually be more confusing to allow these other properties to be set, and disabled transitively by some other configuration flag like "useJobToken: true" or something.

At present, the code in the PR will automatically determine if a job token has been assigned (which again, a user must explicitly do), and invoke logic which provides clear feedback to the user on the limitations through error messages if they do not read the documentation.

It would be relatively trivial to add a boolean config property, like useJobToken, however the user would still be required to read error output and/or documentation to understand what the implications of doing so are. I believe such a property would be redundant to the signal the user is already providing by having to explicitly assign a job token to one of the existing token variables.

@fgreinacher
Copy link
Contributor

fgreinacher commented Oct 30, 2025
edited by hearts bot
Loading

@arvest-bjoneson I get your point, but the job token does have quite some limitations. Going forward we might add more functionality to the gitlab plugin that does not work with the job token. I want to make very clear that using the job token imposes several restrictions.

So to move this forward I kindly ask for two changes:

  1. add a dedicated option to enable this functionality
  2. re-arrange the documentation changes in this PR to have everything related to the job token in a dedicated chapter with a prominent disclaimer

@tachyons Are you still able and willing to work on this? If not I'll try to take care in the next 1-2 weeks.

@arvest-bjoneson
Copy link

arvest-bjoneson commented Oct 31, 2025
edited by hearts bot
Loading

@fgreinacher that sounds fair. If @tachyons is unable to respond, I'd be willing to take a crack at this over the next couple of days. Most of the changes are from a branch I had originally created.

@arvest-bjoneson arvest-bjoneson mentioned this pull request Oct 31, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fgreinacher fgreinacher fgreinacher left review comments

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tachyons @marchermans @fgreinacher @arvest-bjoneson