-
-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Badge request: Gitlab CI and Gitlab #541
Comments
Thanks for the suggestion! I believe they detail their API here, although I haven't looked into what kind of badges we can provide. |
Unfortantly based on the documentation a authentication key is required no matter what. Would it be possible to get a key that Shields can use? Say for example a Shields account on gitlab just for this purpose? |
We use |
They only seem to be user specific for private projects (not a suggested thing to badge) internal projects and public projects can be viewed by anyone so long as they have an API key. |
+1: any plans on this? |
👍 |
Gitlab now supports CI badge! |
Maybe add Gitlab issues count? |
@lestad But I still prefer Shields badge style. 😅 |
PR #841 has gone stale and needs work. If anyone would like to adopt it, please do! |
The v4 API doesn't require authentication for most things. Unsure if that's what's stalling this or not. |
I wanted to poke around the API on https://gitlab.com before I began working on this and I must say it's weird. The documentation is lacking and in some cases, misleading (wrong?). The docs for issue and merge request state that every API call to these functions must be authenticated but I can access them without any authentication on public projects. Try it yourselves:
This is good for making badges but still, weird documentation. Also, pipeline status(es) can be accessed only by the project owner, as per its documentation but there is a but. Despite the documentation (again), all commits of a public project can be accessed and the pipeline status of the last commit can be retrieved through the commits API. So we can make a badge for it after all. Moreover, implementing a user token cycling subsystem like it was done for GitHub would be a security risk as it might allow other users to access private repository data due to the lack of a fine-grained permission system for application tokens (or personal access tokens). I haven't looked much into it but are we sure this is not a problem with private repositories on GitHub as well? TL;DR We can make it happen but I wish GitLab had better permissions. P.S. I hope GitLab isn't authenticating me through some black magic without a token. Please try the command above to confirm my findings. |
|
Thanks for doing some work on this @LVMBDV - appreciate that even answering the question "is there an API endpoint we can use for this badge?" can take some effort sometimes.
I tried the commands you posted and I am getting a response back. Looking at the response headers, it contains keys:
so it looks like unauthenticated use is rate-limited. Shields has the potential to generate quite high API traffic if we are proxying use for many users of a popular service, so rate limited access may not be suitable for this. We would probably need to authenticate to stay under rate limits/keep consistent service, even if authentication is not needed for repo permissions. Additionally if the behaviour you intend to rely on does not match the documentation, maybe post on https://gitlab.com/gitlab-com/support-forum/issues to clarify. I think its better to ensure the behaviour isn't going to change out from under us before submitting a PR for a badge that relies on it. |
I guess we can do the GitHub token cycling thing with a GitLab application token that doesn't ask for any permissions (just authentication). I tried to create one and I was able to.
I should, maybe tomorrow. Will post a link here when I do. P.S. My authenticated queries came back with the same rate limit (600) so that's another bit of information. |
I made some progress but I would like to push them and open a PR after I clean it up a bit. I got these working without implementing token cycling yet:
What I plan to also implement:
And of course, token cycling. |
Hey, I'm just tuning back into issues here after a little break. Just a heads up that I rewrote and fixed the Github token cycling logic in #1205. It includes a |
The pooling token provider seems like a better solution to the problem at hand but I want to get GitLab support deployed as soon as possible with the smallest maintenance requirements possible. I could wait for #1205 to be merged to resume working on GitLab badges built on its token pools or finish it with its own token pool helpers and leave refactoring it after #1205 is merged to someone else. |
Yea, I don't see merging #1205 any time soon. At the same time, I don't like adding tech debt / deferred maintenance to get in new features. How about this: I'll open a new PR with the helper classes from #1205, and get that merged, and then you merge in master, and update this to use those classes? That way we're moving the ball forward on both fronts. |
That would work for me. Thanks. |
Until now, I did not find any other badges than build status for GitLab. So I created a repository with examples, that use the basic API information without any access tokens: https://gitlab.com/asdoi/gitlab-badges |
@asdoi - Thank you for sharing. However, there's still outstanding issues around Gitlab's API rate limits (which are IP based AIUI). The hope was that Gitlab would be able to offer Shields an increased rate limit threshold if the Shields requests were authorized with a known/agreed-to account; it wasn't really about whether the data could be retrieved anonymously (GitHub supports anonymous API calls too, but Shields can't use them due to rate limiting). IIUC the current thresholds on gitlab.com are 10 requests/second Even during slow/non-peak windows, the Shields servers are issuing well over 1,000 requests/minute to the GitHub APIs, so Shields would almost certainly exceed the Gitlab rate limits given the popularity of the platform. We won't be able to expand Shields' support for Gitlab badges until this rate limiting issue has been solved. |
@calebcartwright Is there an issue open on GitLab tracker? |
I don't know of any @noraj. I know @paulmelnikow had started a dialog with the Gitlab folks but believe the fizzled out. |
But does Shield have to use its own access token? Can user access token be passed to endpoint as a parameter, so that Shield makes an API request with user/group/whatnot token? |
This would be acceptable, as long as it strictly follows the conditions outlined by our contributing guidelines:
In some cases, the scoping options of an API simply don't allow only fetching information or not exposing sensitive information, I'm unsure whether this is the case with GitLab. However, having an access token would be an overall better solution, as it makes it easier for users and is more consistent with most of our other badges, in particular the GitHub ones. @paulmelnikow did you ever get round to opening a feature request on GitLab, as was suggested on Twitter? |
According to the documentation, the limits that would apply to Shields if it were to have its own access token would be:
@calebcartwright mentions that for the GitHub APIs Shields is "issuing well over 1,000 requests/minute", but I think 2,000 requests per minute could be a good starting point for GitLab (considering it is less popular than GitHub). If it gets to the point where Shields calls are rejected because of the limit then we could try to ask GitLab for a higher limit, but from my point of view it seems like it would make sense to start with what we have and see if it is enough. |
There is already an official gitlab badge for pipeline status so it should not be concerned by any rate limit: [![pipeline status](https://gitlab.com/rawsec/rawsec-cybersecurity-list/badges/master/pipeline.svg)](https://gitlab.com/rawsec/rawsec-cybersecurity-list/commits/master) This one if already included in shields.io so I guess we should say the CI part is already done But about generic gitlab badges it's true there is nothing yet in shields.io but it should be feasible since badgen is already doing it (see https://badgen.net/gitlab): |
That's significantly higher than the number I gathered from previously reading through this thread. According to the documentation, the limits also seem to have gone up by quite a bit last January, giving even more headroom. Having a quick look at our dashboards, we peak at ~4000 requests per minute for our GitHub badges, which are by far our most popular offering. Unless I'm missing something, 2000 requests per minute with a single Gitlab token should realistically cover us for the foreseeable future. Given these new numbers that have come to light, I would personally be happy to green light an implementation that relies on a single Gitlab user token (similar to our Discord, YouTube and several other badges). @badges/shields-maintainers any objections? |
Yes, for some time we've had badges in the handful of cases where Gitlab make it possible to get the data without hitting the rate limiting constraints
"Service XYZ is doing it" arguments don't really guide the work we do here in Shields.io. Shields runs on a very different scale and we have very different operational concerns than some of the smaller services @guillermin - thanks for the bump, though two important pieces of context I feel were missing from your note that I want to emphasize
On 2021-01-18 Gitlab apparently changed the limit from 600 requests/minute to 2,000 requests/minute which is indeed a sizeable change that could perhaps unblock us
The previous comment from me that you are quoting was referring to the floor of what we see for GitHub during our absolute slowest traffic hours. As P-Y noted in a subsequent comment, we often see much, much higher traffic which is why we wouldn't want to use that floor as a measuring stick for the total traffic profile of a given set of services like Gitlab. My original point was that our absolute lowest volume for GitHub traffic was nearly double the absolute limit of Gitlab, and that we'd essentially have been guaranteed to hit the Gitlab limits during our more typical traffic load periods.
I definitely think Gitlab's >3x rate limit increase can potentially unblock us here. I don't have any explicit objections, but am still somewhat cautious (though cautiously optimistic now). I feel like both we as maintainers and our users been bitten hard in the past with rate limit driven issues, and I'd really like to avoid getting into a proverbial case of having to try to rebuild the plane midflight. I'm open to starting the work to move forward, but my preference would be that we start small (wire up auth and add one or two badges) and observe for a bit before opening the floodgates. |
My thought was more "it's an open-source service so we may take a look at what they do, they may have found a way to bypass that limit".
Have you tried to open an issue on gitlab.com bug tracker. They set a limit to avoid abuse but they may be ok to set shields.io in a whitelist to avoid you the rate limit since you're a free libre and open source project. I'm sure they we'll be happy to have gitlab supported in a community project like shields.io. |
This question has been asked multiple times already, we're basically going round in circles at this point and creating noise for whoever has subscribed to this issue. Shields.io is a community project, a much more constructive stance would be to help out, open the issue yourself, and report back once you've done so. The Gitlab folks on Twitter have given a few pointers on submitting the feature request. :)
Makes sense. @guillermin if I reopen #6389, would you be happy to extend it a little by adding the API token support that we have in other services (Discord or Twitch are probably a decent examples)? Depending on the popularity of this unique new badge and on Gitlab's response to the feature request that @noraj is hopefully going to open, we can then make an informed decision on whether to add more Gitlab badges or not. 😉 |
Gitlab issue created: https://gitlab.com/gitlab-org/gitlab/-/issues/331960 |
@espadrine @PyvesB @calebcartwright Hi Shields.io team Since I opened the issue on Gitlab, Gitlab Open-source collaboration team has started to work on what they can do with teh API rate limiting. Please answer their questions: |
@guillermin - just a triage ping to see if you had any thoughts on the above question from P-Y relative to picking your PR back up. We've decided that the rate limit increase from earlier this year should give us enough breathing room to start incorporating a few badges, while in parallel continuing the discussions with Gitlab. If someone else wants to pick that up instead, please drop a note here. You can simply fetch the commits by running |
Sorry I haven't followed up on this, I was on vacation. @PyvesB I would gladly extend the PR to add the authentication, but what I don't know is how to handle the creation of the GitLab account: Which credentials (username, email, password) should I use to create the account? The account creation will probably require email validation, who will be able to do that? Where should I store the credentials for future reference? If you can please help me a bit with the GitLab account creation I can proceed with the necessary modifications. |
Excellent, thank you @guillermin
Don't worry about the actual account. Someone from our ops team will take care of the account creation/selection and wire up our production environment with the details, we just need the service class updated to support making authenticated requests with those configured values. Feel free to ping us with any questions on your PR thread and/or Discord if you have any questions about implementation |
In terms of how to add the auth, you may already be on the case but there are existing auth helpers for
in https://github.com/badges/shields/blob/master/core/base-service/auth-helper.js and the credentials will be set in server secrets: https://github.com/badges/shields/blob/master/doc/server-secrets.md |
I'm pleased to share that as of #6988 Shields can now support GitLab badges! This issue was centered on the core, foundational pieces needed to make that happen, and so we've accordingly closed it. Anyone that would like to request a specific GitLab-based badge should follow our standard process by opening a New Badge Request issue with the relevant details. A few final things to note:
|
It would be awesome if Shields supported Gitlab and Gitlab CI. They have a Decent API and it should be 100% feasible.
The text was updated successfully, but these errors were encountered: