Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How do I push to a repo from within a gitlab CI pipeline?

In my CI pipeline I am generating an artifact public/graph.png that visualises some aspect of my code. In a later step I want to commit that to the repo from within the CI pipeline. Here's the pertinent part of .gitlab-ci.yml:

commit-graph:   stage: pages   script:     - git config user.email "[email protected]"     - git config user.name "CI Pipeline"     - cd /group/project     - mv public/graph.png .     - git add graph.png     - git commit -m "committing graph.png [ci skip]"     - echo $CI_COMMIT_REF_NAME     - git push origin HEAD:$CI_COMMIT_REF_NAME 

When the pipeline runs within gitlab it fails with:

$ git config user.email "[email protected]"
$ git config user.name "CI Pipeline"
$ cd /group/project
$ mv public/graph.png .
$ git add graph.png
$ git commit -m "committing graph.png [ci skip]"
[detached HEAD 22a50d1] committing graph.png [ci skip]
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 graph.png
$ echo $CI_COMMIT_REF_NAME
jamiet/my-branch
$ git push origin HEAD:$CI_COMMIT_REF_NAME
fatal: unable to access 'https://gitlab-ci-token:[email protected]/group/project/project.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

Not sure what I'm doing wrong and don't know enough about SSL to understand that error. Can anyone advise?

We are hosting gitlab ourselves by the way.

like image 307
jamiet Avatar asked Aug 06 '18 21:08

jamiet


People also ask

How do you use CI skip?

If you'd like a commit or series of commits that you're pushing to not trigger a build, just write [ci skip] or [skip ci] somewhere in your commit's message. When squashing commits before merging in another branch, all commit messages will be merged as well.

Which file is used to specify the jobs within the GitLab CI pipeline?

gitlab-ci. yml file is a YAML file where you configure specific instructions for GitLab CI/CD. In this file, you define: The structure and order of jobs that the runner should execute.

How CI CD pipeline works in GitLab?

GitLab CI/CD fits in a common development workflow. You can start by discussing a code implementation in an issue and working locally on your proposed changes. Then you can push your commits to a feature branch in a remote repository that's hosted in GitLab. The push triggers the CI/CD pipeline for your project.


2 Answers

I found this GitLab forum link helpful As suggested by the user you need to generate SSH key, associate it with new GitLab user dedicated for this job and add key to the runner. Small drawback is you need to use swap origin in gitlab for original ssh source (instead of sandboxed one used inside the job) which leads to committer being changed to mentioned new account instead of person who triggered pipeline. Source from link:

# for your information whoami printenv  # we need to extract the ssh/git URL as the runner uses a tokenized URL export CI_PUSH_REPO=`echo $CI_REPOSITORY_URL | perl -pe 's#.*@(.+?(\:\d+)?)/#git@\1:#'`  # runner runs on a detached HEAD, create a temporary local branch for editing git checkout -b ci_processing git config --global user.name "My Runner" git config --global user.email "[email protected]" git remote set-url --push origin "${CI_PUSH_REPO}"  # make your changes touch test.txt  # push changes # always return true so that the build does not fail if there are no changes git push origin ci_processing:${CI_COMMIT_REF_NAME} || true 

Just with current version of GitLab you need to change source variable name as follows:

export CI_PUSH_REPO=`echo $CI_REPOSITORY_URL | perl -pe 's#.*@(.+?(\:\d+)?)/#git@\1:#'` 
like image 162
tsr Avatar answered Sep 21 '22 21:09

tsr


Some finger push-ups still required, but here's a less brittle way of pushing to the repository from its own CI, that I use in my daily work. It pushes to master directly from a detached head:

enter image description here

  1. Generate an RSA key and add it as a Project Deploy Key with write access (the public part).
  2. Put the private part into your CI/CD variables from inside of your project settings as SSH_PUSH_KEY. Make sure to set it as protected.
  3. Add a CI_KNOWN_HOSTS variable, with the SSH fingerprint of your GitLab instance (remember that thing ssh asks you about the first time you try to connect to a host? That.).

Use ssh-keyscan <gitlab-host> to get it. It will look similar to this:

my.gitlab.instance.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArlUMUmNj59PpoLyy4EsKbwhPUfXxuAzFN7dMKDXVvKMmN8344HqQV1tRx6fcmH+0BXK1JAP4f10V0VnYti3e1c5f9dhpl8pIqKLMJgdGDq3MLqjihL3bp5xm8nDsPTm5FoEPPYK1I3M2wr18pBB19evz64NHrK5R/HO5LyTrybVasFumt8cZoH6crnCFgfQWV1mHAG3j41Q0z4yxu6g8zBWESZcVVn90HxQH7+LDHx11122233344491MQGl5fZcKqVWsWQVEssaK87iBsWUxvsuoeVUrj4YRcmbi6F4+ZZZZZZZwwww3ZboWsSWxTk5ESR6WWHccBm8GQflXyY3ZQ== 
  1. Set up your job inside .gitlab-ci.yml as follows. Set stage and resource_group options appropriately - without the latter you might run into race conditions. Also, make sure to set only properly, as otherwise your CI might trigger itself:
"This CI job pushes to its own repo":     stage: my_push_stage     resource_group: this_option_comes_handy_when_pushing     only:         - triggers     before_script:         - mkdir ~/.ssh/         - echo "${CI_KNOWN_HOSTS}" > ~/.ssh/known_hosts         - echo "${SSH_PUSH_KEY}" > ~/.ssh/id_rsa         - chmod 600 ~/.ssh/id_rsa         - git config user.email "[email protected]"         - git config user.name "CI"         - git remote remove ssh_origin || true  # Local repo state may be cached         - git remote add ssh_origin "git@$CI_SERVER_HOST:$CI_PROJECT_PATH.git"     script:         - touch "xyz"  # Make an edit         - git add "xyz"         - git commit -m "My CI commit"         - git push ssh_origin HEAD:master  # ❗ this pushes to master,                                             # use $CI_BUILD_REF_NAME if you want to push to current branch         - git tag MyCiTag  # If you need to add a tag you can do that too         - git push --tags ssh_origin 
like image 30
Błażej Michalik Avatar answered Sep 25 '22 21:09

Błażej Michalik