
Can not interact with API from git hooks in a convenient and safe manner


Release notes

It should be possible to access the API in the context of running git hooks in a safe and convenient manner.

Problem to solve

We need to be able to enforce certain restrictions when users push, but only on protected branches and not on, e.g., a user's own feature branches. Hence, we want to be able to use the API from a git hook to get the names of the protected branches of the project whose push the hook is currently handling.

Right now, one way of achieving this is to store a personal access token somewhere, e.g. on disk or directly as a string in the git hook code, possibly a token with elevated privileges. But storing an access token statically like this is not ideal, for a couple of reasons:

  • Files on disk may be read by others, deleted, corrupted, etc.
  • A personal access token created for the git hooks, e.g. on the administrator user, doesn't allow us to take into account the privileges of the user triggering the git hook: every API call runs with the token owner's rights, not the pusher's.
  • If tokens must have an expiration date, the git hooks periodically require administration even when the hooks themselves don't need to be updated.
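To make the mechanism above concrete, here is an added example of a pre-receive hook; it is not GitLab's code and not part of this issue. It reads the ref updates git passes on stdin, calls `GET /projects/:id/protected_branches` with a personal access token read from a file, and applies its restriction (refusing deletion, as a placeholder policy) only to branches whose name matches a protected-branch pattern. The API base URL, the token-file path `/etc/gitlab/hook-token`, the `HOOK_TOKEN_FILE` and `GITLAB_API` overrides, the use of `GL_PROJECT_PATH`, and the sample API reply are assumptions; `demo()` runs the whole check offline against constructed data.

```python
#!/usr/bin/env python3
# Added example, not GitLab's code: a pre-receive hook that asks the GitLab API
# which branches of the current project are protected and restricts only those.
import fnmatch
import io
import json
import os
import stat
import sys
import urllib.parse
import urllib.request

ZERO_SHA = "0" * 40  # git's new-value for a ref that is being deleted


def load_token(path):
    """Read a PAT from a file, refusing one other local accounts can read. This only
    narrows the on-disk problem: the token still carries its owner's rights, not the pusher's."""
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} must be mode 0600 (owner access only)")
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def fetch_protected_branches(api_base, project_path, token, opener=urllib.request.urlopen):
    """GET /projects/:id/protected_branches and return its name patterns.
    The project path is URL-encoded as :id ('group/repo' -> 'group%2Frepo');
    `opener` is injectable so the hook can be exercised without a GitLab server."""
    project_id = urllib.parse.quote(project_path, safe="")
    url = f"{api_base}/projects/{project_id}/protected_branches?per_page=100"
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with opener(req, timeout=10) as resp:
        return [entry["name"] for entry in json.load(resp)]


def parse_push(stdin_text):
    """Parse the 'old-sha new-sha refname' lines git feeds a pre-receive hook."""
    updates = []
    for line in stdin_text.splitlines():
        if line.strip():
            old, new, ref = line.split(" ", 2)
            updates.append((old, new, ref))
    return updates


def is_protected(branch, patterns):
    """Protected-branch names may be wildcards such as 'release/*'."""
    return any(fnmatch.fnmatchcase(branch, p) for p in patterns)


def check_push(updates, patterns):
    """Return rejection messages; an empty list means the push may proceed. The rule
    applied here (no deletion of a protected branch) is a placeholder policy."""
    problems = []
    for _old, new, ref in updates:
        if not ref.startswith("refs/heads/"):
            continue  # tags and other refs are out of scope here
        branch = ref[len("refs/heads/"):]
        if is_protected(branch, patterns) and new == ZERO_SHA:
            problems.append(f"refusing to delete protected branch {branch}")
    return problems


# Constructed sample data standing in for the API reply and for git's stdin.
SAMPLE_API_REPLY = json.dumps([{"name": "main"}, {"name": "release/*"}]).encode()
SAMPLE_STDIN = ("1" * 40 + " " + "2" * 40 + " refs/heads/feature/x\n"
                + "3" * 40 + " " + ZERO_SHA + " refs/heads/release/1.2\n"
                + "4" * 40 + " " + "5" * 40 + " refs/heads/main\n")


def fake_opener(req, timeout=None):
    """Offline stand-in for urlopen; BytesIO supports the same `with` protocol."""
    return io.BytesIO(SAMPLE_API_REPLY)


def demo():
    """Run the whole check offline against the constructed data above."""
    patterns = fetch_protected_branches("https://gitlab.example.com/api/v4",
                                        "group/repo", "glpat-example", opener=fake_opener)
    return check_push(parse_push(SAMPLE_STDIN), patterns)


def main():
    # GL_PROJECT_PATH is set by GitLab for server hooks; the API base URL and the
    # token-file location below are deployment-specific assumptions.
    token = load_token(os.environ.get("HOOK_TOKEN_FILE", "/etc/gitlab/hook-token"))
    patterns = fetch_protected_branches(
        os.environ.get("GITLAB_API", "https://gitlab.example.com/api/v4"),
        os.environ["GL_PROJECT_PATH"], token)
    problems = check_push(parse_push(sys.stdin.read()), patterns)
    for msg in problems:
        print("GL-HOOK-ERR: " + msg, file=sys.stderr)  # GitLab relays this line to the pusher
    sys.exit(1 if problems else 0)


if __name__ == "__main__":
    main()
```

The file-permission check in `load_token` only addresses the first bullet above. The other two remain: the API call runs with the token owner's rights no matter who pushed, and the token must still be rotated by hand when it expires, which is exactly the gap this issue asks GitLab to close.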

Intended users

Sidney (Systems Administrator)

Isaac (Infrastructure Engineer)

Alex (Security Operations Engineer)

User experience goal

It should be possible to access the API from a git hook context without having to generate access tokens for a specific user or role and store them on disk or in the git hook code as a clear-text string. A benefit of this is that the intended users do not have to:

  • Periodically renew these access tokens.
  • Keep GitLab and the stored token in sync.
  • Consider the security risks of having tokens stored in a potentially unsafe manner.
  • Consider the potential security risks of accessing the API with different privileges than that of the user that triggered the git hook.

Proposal

Allow admins to configure temporary access tokens in the context of git hooks, similar to the CI/CD job tokens GitLab already has, such that a token exists while the git hook(s) run and expires immediately afterward.

Documentation

Availability & Testing

Edited by 🤖 GitLab Bot 🤖