-
Notifications
You must be signed in to change notification settings - Fork 360
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[feature] Can revision calculation for SCM mode be changed to allow the user to identify URL pattern? #3683
Comments
Thanks for your request. Yes, this is something that we also had some awareness of and we wanted to try to improve it, lets try to have a look. |
You should be able to configure your setup as follows: Your GitLab instance is: git.stratovan.com First, specify your URL as https. This makes it also possible for your IDEs to make it clickable if supported etc.: class Recipe(ConanFile):
url = "https://git.stratovan.com/Stratovan/Encircle/Encircle.git" Second, configure your CI to use a credential helper (note that the quoting and escaping might be off): git config credential.helper '!f() { test "$1" = "get" && printf "username=gitlab-ci-token\npassword=%s" "${CI_JOB_TOKEN}"; }; f' You can make it more specific with [credential "https://git.stratovan.com"]
helper = "!f() { test \"$1\" = \"get\" && printf \"username=gitlab-ci-token\\npassword=%s\" \"${CI_JOB_TOKEN}\"; }; f" Third, tell your ssh-key-using users to setup their [url "[email protected]:"]
insteadOf = "https://git.stratovan.com/" Their
For your non-ssh users you do not need to change anything, they should be prompted by their OS for their credentials and perform any MFA-flows within the browser. The result should be:
You can find some additional background and discussion in conan-io/conan#15684 (comment). |
Did you manage to test the suggestions from @shoeffner (thanks very much, great idea and great explanation!) I think that approach sounds a solid one, we might add it to the docs even. |
Apologies. We've recently had some company restructuring and my conan work/investigations has been interrupted. I have not had a moment to test the proposed method, but it seemed very sound and good. |
No prob, thanks for the feedback! I am moving this to the docs for adding the above hints there, no change necessary at the client at the moment, but please don't hesitate to open new tickets if there is any gap when you manage to test it, thanks. |
What is your suggestion?
We are using the Capturing Git scm information pattern. Specifically for one of the reasons identified in the documentation. We work with code where usage of the header files and libraries is open to everyone, but for security reasons the code is limited to people with the appropriate permissions.
However, we are hitting the issue outlined in the Credentials management section.
We use Gitlab with two factor authentiation.
For development work, we use SSH. However the CI/CD pipelines we have use HTTP combined with their unique job tokens.
In gitlab, every job generates a token that is good for the duration of that job and then becomes invalid. It's unique for every job.
We have multiple linux and windows compiles and they are creating different revisions for the same SCM SHA because of the origin URL.
The origin URL is in the format
This is of course problematic because the generated package has a unique value,
the CI_JOB_TOKEN for every job compile. Moreover, the gitlab ci/cd pipeline uses https, while all devs use ssh. Meaning the ci/cd packages wouldn't be useable by devs.
I know conan recoimmends using SSH and provids a workflow for github to securely use SSH. But that method is not available in GitLab. The GitLab CI/CD SSH method is for the runners to have an appropriate
/.ssh
folder with the keys, etc. That makes SSH extremely insecure in GitLab because any repository yaml could dump the contents of those folders, or save the folder as an aritfact, etc. Long story short, using SSH in Gitlab CI/CD is not a secure or acceptable solution.My team and I have batted around some ideas for this and we're currently using a workaround of
In our replacement scenario, we only do replacement when the origin has
git.stratovan.com
as that is our code manager.However, we were wondering about a feature that might allow one to create a pattern for the origin URL for situations like this.
For example we noticed the the two origins that might be used are
It seems like a filter pattern could be used to remove the prefix using a regular expression such as
^.*?git.stratovan.com\(:2222\)*
from the origin and use just the remainder of the stringStratovan/Encircle/Encircle.git
for the revision calculation.Could a feature like this be added? What would be the reason to not do something like this?
Have you read the CONTRIBUTING guide?
The text was updated successfully, but these errors were encountered: