docs(gitlab): add note about group access token rotation #29136
Co-authored-by: HonkingGoose <34918129+HonkingGoose@users.noreply.github.com>
Nearly there!
I'm happy with the docs style and sentences now. 🥳
I'll let a maintainer review the links to GitLab, and our new instructions for technical accuracy.
🎉 This PR is included in version 37.399.2 🎉 The release is available on: Your semantic-release bot 📦🚀
- `read_api` | ||
- `read_repository` | ||
- `write_repository` (when using autodiscover) |
Why is this removed? Autodiscover will check for write access and filter repos without this permission!
renovate/lib/modules/platform/gitlab/index.ts
Line 168 in f21efd3
min_access_level: 30,
I tested autodiscover with `read_api` and `read_repository` and it was able to discover repositories.
`min_access_level = 30` refers to the Developer role (https://docs.gitlab.com/ee/api/members.html#roles) which is the minimum requirement for the bot account.
So the user or group has write access, but the token is limited to read-only? Strange behavior 🤔
The way I understand it is that the role gives you access/permissions to certain features. If the token has the `read_api` scope then anything that the role has access to can be read.
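A small model of the point made in this thread, added here as an illustration (not code from the PR or from Renovate): the token scope decides whether the API can be read, while the bot user's role decides which projects a `min_access_level: 30` listing returns. The helper names, the sample projects and the scope check are assumptions made for the example.

```typescript
// Added example; the data is constructed and the helper names are hypothetical.
const DEVELOPER = 30; // access level the thread ties to min_access_level: 30

interface Access { access_level: number }
interface Project {
  path_with_namespace: string;
  permissions: { project_access: Access | null; group_access: Access | null };
}

function level(a: Access | null): number {
  return a ? a.access_level : 0;
}

// Highest role the bot user holds on a project, direct or inherited from a group.
function roleLevel(p: Project): number {
  return Math.max(level(p.permissions.project_access), level(p.permissions.group_access));
}

// Assumption: scopes only gate whether the token may read the API at all.
function canReadApi(scopes: string[]): boolean {
  return scopes.includes('api') || scopes.includes('read_api');
}

// Client-side model of a project listing filtered with min_access_level.
// Scopes gate the call; the role alone decides which projects come back.
function autodiscover(scopes: string[], projects: Project[], minLevel: number = DEVELOPER): string[] {
  if (!canReadApi(scopes)) {
    throw new Error('token scopes do not allow reading the API');
  }
  return projects.filter((p) => roleLevel(p) >= minLevel).map((p) => p.path_with_namespace);
}

// Constructed sample in the shape of GitLab project objects.
const sampleProjects: Project[] = [
  { path_with_namespace: 'group/app', permissions: { project_access: { access_level: 30 }, group_access: null } },
  { path_with_namespace: 'group/lib', permissions: { project_access: null, group_access: { access_level: 40 } } },
  { path_with_namespace: 'other/docs', permissions: { project_access: { access_level: 20 }, group_access: null } },
];

console.log(autodiscover(['read_api', 'read_repository'], sampleProjects));
```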
…#29136) Co-authored-by: HonkingGoose <34918129+HonkingGoose@users.noreply.github.com>
Changes
This PR adds a note about rotating the group access token to keep the same bot user.
Also updated the required scopes (`api` allows one to `read_user`, and autodiscover uses the API so `read_api` is sufficient).
Context
See the discussion in #28736 (comment)
Closes #21121
Documentation (please check one with an [x])
How I've tested my work (please select one)
I have verified these changes via: