Commit b0bb43d1 authored by Simon Weimann's avatar Simon Weimann Committed by Pierre Smeyers

feat: add ci-job-token support as alternate authentication method with GitLab

parent 83588932
+13 −1
@@ -51,7 +51,7 @@ The semantic-release template uses some global configuration used throughout all
| `image` / `SEMREL_IMAGE`                                 | The Docker image used to run semantic-release                                                                                                                                                                                                                                                                                                                                                                                                                                                        | `docker.io/library/node:lts-slim` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-SEMREL_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-SEMREL_IMAGE) |
| `version` / `SEMREL_VERSION`                             | The [semantic-release](https://www.npmjs.com/package/semantic-release) version to use                                                                                                                                                                                                                                                                                                                                                                                                                | `latest`                                      |
| `exec-version` / `SEMREL_EXEC_VERSION`                   | The [@semantic-release/exec](https://www.npmjs.com/package/@semantic-release/exec) version to use                                                                                                                                                                                                                                                                                                                                                                                                    | `latest`                                      |
| :lock: `GITLAB_TOKEN`                                    | A GitLab [project access token](https://docs.gitlab.com/user/project/settings/project_access_tokens/) or [personal access token](https://docs.gitlab.com/user/profile/personal_access_tokens/) with `api`, `read_repository` and `write repository` scopes. :warning: This variable is **mandatory** and [defined by `semantic-release`](https://github.com/semantic-release/semantic-release/blob/master/docs/usage/ci-configuration.md#push-access-to-the-remote-repository) itself. | _none_                                        |
| :lock: `GITLAB_TOKEN` or `GL_TOKEN`                      | A GitLab [project access token](https://docs.gitlab.com/user/project/settings/project_access_tokens/) or [personal access token](https://docs.gitlab.com/user/profile/personal_access_tokens/) with `api`, `read_repository` and `write_repository` scopes.<br/>ℹ️ See [other supported authentication methods](#supported-authentication-methods) | _none_ (uses `CI_JOB_TOKEN` automatically)                                                                                                                                                        |
| :lock: `GIT_AUTHOR_EMAIL`                                | A Git author email address associated with the `GITLAB_TOKEN` [bot user](https://docs.gitlab.com/user/project/settings/project_access_tokens/#bot-users-for-projects). This is [defined by `semantic-release`](https://semantic-release.gitbook.io/semantic-release/usage/configuration#git-environment-variables) itself, and **required if** the [verify-user push rules](https://docs.gitlab.com/user/project/repository/push_rules/#verify-users) enabled for the project          | _none_                                        |
| :lock: `GIT_COMMITTER_EMAIL`                             | A Git committer email address associated with the `GITLAB_TOKEN` [bot user](https://docs.gitlab.com/user/project/settings/project_access_tokens/#bot-users-for-projects). This is [defined by `semantic-release`](https://semantic-release.gitbook.io/semantic-release/usage/configuration#git-environment-variables) itself, and **required if** the [verify-user push rules](https://docs.gitlab.com/user/project/repository/push_rules/#verify-users) enabled for the project       | _none_                                        |
| `config-dir` / `SEMREL_CONFIG_DIR`                       | directory containing your [semantic-release configuration](https://semantic-release.gitbook.io/semantic-release/usage/configuration#configuration-file)                                                                                                                                                                                                                                                                                                                                              | `.`                                           |
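Review bot: the `GIT_AUTHOR_EMAIL` and `GIT_COMMITTER_EMAIL` rows still describe the address as "associated with the `GITLAB_TOKEN` bot user", which no longer holds once the new default (`_none_ (uses `CI_JOB_TOKEN` automatically)`) is taken, because there is no token bot user in that mode; either say which identity the verify-user push rule is evaluated against when the job token is used, or state that these two rows only apply to the explicit-token case. Since the token row now lists `GITLAB_TOKEN` or `GL_TOKEN`, mention `GL_TOKEN` in those rows too so the three rows agree.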
@@ -59,6 +59,18 @@ The semantic-release template uses some global configuration used throughout all

Jobs will extract required plugin packages from discovered configuration. If your configuration needs additional packages, add them, one per line, to `SEMREL_REQUIRED_PLUGINS_FILE` file. Each line must be a valid `npm install` package argument.

## Supported authentication methods

The semantic-release template automatically handles GitLab authentication using the following priority:

1. **Explicit Token**:
    - Set `GITLAB_TOKEN` or `GL_TOKEN` as a [project access token](https://docs.gitlab.com/user/project/settings/project_access_tokens/) or [personal access token](https://docs.gitlab.com/user/profile/personal_access_tokens/)
    - Requires `api`, `read_repository`, and `write_repository` scopes
2. **Automatic CI_JOB_TOKEN**:
    - Used automatically when no explicit token is provided
    - Requires enabling [Allow Git push requests to the repository](https://docs.gitlab.com/ci/jobs/ci_job_token/#allow-git-push-requests-to-your-project-repository)
    - Navigate to: `Settings → CI/CD → Job token permissions` in your project

## Jobs

### `semantic-release` job
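Review bot: step 2 should spell out the blast radius of "Allow Git push requests to the repository": it is a project-level switch under `Settings → CI/CD → Job token permissions`, so once enabled every job in every pipeline of the project can push with its `CI_JOB_TOKEN`, not only the semantic-release job; readers picking the default need that to weigh it against a scoped project access token. The section also does not say which `@semantic-release/gitlab` version is required for the `useJobToken` option the template emits in this mode; add the minimum version next to the "Automatic CI_JOB_TOKEN" item.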
+28 −1
Original line number Diff line number Diff line
@@ -543,10 +543,21 @@ stages:
        else
          debug="false"
        fi
           
        if [[ "$GITLAB_TOKEN" ]]; then
          log_info "using \\e[33;1mGITLAB_TOKEN\\e[0m for authentication"
        elif [[ "$GL_TOKEN" ]]; then
          log_info "using \\e[33;1mGL_TOKEN\\e[0m for authentication"
        else
          log_info "using \\e[33;1mCI_JOB_TOKEN\\e[0m for authentication"
          log_info "ensure 'allow CI job tokens to push to this repository' is enabled at ${CI_PROJECT_URL}/-/settings/ci_cd#js-token-access"
        fi
  
        commitPresetConfig=$(generate_commit_preset_conf)
        changelogPluginConfig=$(generate_changelog_plugin_conf)
        execPluginConfig=$(generate_exec_plugin_conf)
        gitPluginConfig=$(generate_git_plugin_conf)
        gitlabPluginConfig=$(generate_gitlab_plugin_conf)
        {
          echo "debug: ${debug}"
          echo ""
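Review bot: the auth-selection condition here (`if [[ "$GITLAB_TOKEN" ]]` / `elif [[ "$GL_TOKEN" ]]`) is the same decision that `generate_gitlab_plugin_conf` makes again further down; compute the mode once into a variable and use it both for the log lines and for the generated plugin config so the two cannot drift. The hint `log_info "ensure 'allow CI job tokens to push to this repository' is enabled at ..."` names the setting differently from the README ("Allow Git push requests to the repository"); use the same label in both places so users can find it. Minor: the whitespace-only lines before the `if` and after the `fi` carry trailing spaces.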
@@ -557,7 +568,7 @@ stages:
          echo "${commitPresetConfig}"
          echo "  - - '${SEMREL_RELEASE_NOTES_GENERATOR_PLUGIN}'"
          echo "${commitPresetConfig}"
          echo "  - '${SEMREL_GITLAB_PLUGIN}'"
          echo "${gitlabPluginConfig}"
          echo "${changelogPluginConfig}"
          echo "${execPluginConfig}"
          echo "${gitPluginConfig}"
@@ -620,6 +631,22 @@ stages:
    fi
  }
  
  # This script determines the authentication method used for the semantic-release/gitlab plugin.
  # 
  # Authentication priority:
  # 1. GITLAB_TOKEN or GL_TOKEN (explicit Project Access Token)
  # 2. CI_JOB_TOKEN (automatic fallback)
  #
  # This script console output is inserted in generated file: DO NOT ADD LOGS
  function generate_gitlab_plugin_conf() {
    if [[ -n "$GITLAB_TOKEN" ]] || [[ -n "$GL_TOKEN" ]]; then
      echo "  - '${SEMREL_GITLAB_PLUGIN}'"
    else
      echo "  - - '${SEMREL_GITLAB_PLUGIN}'"
      echo "    - useJobToken: true"
    fi
  }
  
  # this script console output is inserted in generated file: DO NOT ADD LOGS
  function generate_changelog_plugin_conf() {
    if [[ "${SEMREL_CHANGELOG_ENABLED}" = "true" ]]; then
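Review bot: the header comment says "explicit Project Access Token", but the README row accepts personal access tokens as well; say "explicit token (`GITLAB_TOKEN` or `GL_TOKEN`)". More important, the `else` branch emits `useJobToken: true` whenever both variables are empty or unset, so a token that is simply not exposed to the pipeline (for example a protected variable on an unprotected branch) silently switches the job into job-token mode and then fails only at push time, after the release has been computed; consider an explicit opt-in variable for the job-token mode, or at least a warning-level log and an early failure when the push permission is missing, rather than an info line.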