Closed rarkins closed 3 years ago
Gitlab 13.5 added Project Scoped tokens https://gitlab.com/groups/gitlab-org/-/epics/2587
Gitlab 13.11 added group wide Oauth application support https://docs.gitlab.com/ee/integration/oauth_provider.html#group-owned-applications
Does it look like either of these would suffice?
Before we check if their security model is satisfactory, are they supported on all gitlab.com plans?
Group level apps are available for everyone in every tier.
But project access tokens are currently not available in the free tier of gitlab.com:
Group-level apps appear to be just a way to do private OAuth apps and do not support "bot" semantics, unless I misunderstand it. If we were to switch to an OAuth approach (meaning "the bot" doesn't make MRs as itself, it makes them as you, the end user), then does it present any advantage over an instance-wide OAuth app?
I'm going to archive this repository so that we have conversations in one place.
@rarkins where is this one place you're having conversations in?
The app for gitlab.com is indefinitely off-line as mentioned here: https://docs.renovatebot.com/install-gitlab-app/
In short, it's because malicious users could invite Renovate into their project and leverage the fact that pipelines in GitLab run with the credentials of the account that triggered CI to:
The app could be re-enabled under one of several circumstances:
CI_JOB_TOKEN to be scoped only to the Project it runs in

I will leave this issue open until either a solution is arrived at or we decide against all of the above being feasible, so please subscribe to it if you're interested in hearing updates.