
We host some repositories on GitHub and some others on GitLab.

Sometimes, the package is published but not the source code.

We always display build status and code coverage in README.md.

Is there a way to have build and coverage badges on GitLab that are always accessible to anonymous users?

Dimitri Kopriwa

2 Answers


That was followed by issue 13324

It includes:

FYI, I have a workaround for this using the GitLab API.
It assumes you have created a token in GitLab for a user (Note: That "user" needn't necessarily be Human - my use case is to display a badge on a dashboard hosted on a different VM).

<img src="https://<gitlab-uri>/<namespace>/<project>/badges/<branch>/build.svg?private_token=<token>">

Update Dec. 2018: This is no longer possible through a token (see Paul B.'s answer).

This is because of "Improper Enforcement of Token Scope":

The GitLab web interface was vulnerable to an authorization issue that allowed access to the web-UI as a user using their Personal Access Token (PAT) of any scope.
The issue is now mitigated in the latest release and is assigned CVE-2018-19569.

But...:

Updated: 2018-11-28: We have received reports that this change has impacted how repo files and job artifacts are downloaded for some users.
For instructions on how to do so through the API, please see our support issue.

And you also have a current workaround which repeats the API access:

It is possible to add the project avatar to the project repository with a particular filename (logo) and then this file will be used for the avatar. There is an example here:

https://gitlab.com/issue-reproduce/project-avatar-repo

You'll be able to retrieve the files through the Repository Files API:

https://docs.gitlab.com/ee/api/repository_files.html#get-file-from-repository

Example:

https://gitlab.com/api/v4/projects/issue-reproduce%2Fproject-avatar-repo/repository/files/logo.png?ref=master
VonC
  • can it be a token without permissions for any project ? – Dimitri Kopriwa Jun 16 '18 at 17:19
  • @BigDong if the user whose token you are using has access to all projects (like an admin account), then yes: any project. You have some way to limit its scope: https://docs.gitlab.com/ce/user/profile/personal_access_tokens.html#limiting-scopes-of-a-personal-access-token (and it is still improving: https://gitlab.com/gitlab-org/gitlab-ce/issues/41165) – VonC Jun 16 '18 at 17:28
  • The token for an admin account will give anonymous people read access to all of our GitLab. Is that what you are recommending? – Dimitri Kopriwa Jun 16 '18 at 17:43
  • @BigDong no, I would recommend setting up a dedicated account per group, for restricting access to the projects that need that kind of access/usage. Again, this is a workaround. – VonC Jun 16 '18 at 17:45
  • Thank you for your answer, but your workaround involves opening the project publicly, so it should not be advised as it is. Could you please confirm that currently there is no way around it other than making the project public? (token or general perms) – Dimitri Kopriwa Jun 16 '18 at 19:28
  • @BigDong no other workaround that I know of. And yes, that token would not give access just to the project build status. That is why https://gitlab.com/gitlab-org/gitlab-ce/issues/41165 is so important. – VonC Jun 16 '18 at 19:30
  • I have upvoted your issues so we all get more visibility on it. Thanks – Dimitri Kopriwa Jun 16 '18 at 19:32

Since release 11.4.8 of GitLab it's not possible to expose a project's badges through a Personal Access Token anymore, because of the change "Restrict Personal Access Tokens to API scope on web requests."

The commit that removed this "workaround" was published as a security fix.

An ongoing issue is currently being discussed to find another solution. Let's see how it goes.

Paul B.
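The two answers above share a problem: the only way to show a private project's badge was to paste a Personal Access Token into the README's `<img src>`, where every reader (and every proxy log) gets a copy of it, and the 11.4.8 security fix closed even that. The usual way out is a tiny badge proxy on your own host: anonymous readers hit the proxy, the proxy fetches the badge from GitLab with a token that never leaves the server, and an allowlist limits the proxy to the exact (project, branch) pairs you intend to publish, so the token's account cannot be used as a generic fetcher. The code below is an added example, not code from the thread or from GitLab. It assumes `GITLAB_URL` and `GITLAB_TOKEN` environment variables, a dedicated read-only account per group as VonC's comment suggests, and that the upstream badge route accepts the `PRIVATE-TOKEN` header (GitLab's REST API documents that header; whether the `/badges/...` web route honours it on your version is exactly what the thread leaves open, so verify it before relying on this).

```python
"""
Badge proxy for private GitLab projects (added example; not from the page or GitLab).

Anonymous readers request /badge/<kind>/<namespace>/<project>/<branch> from this
server. The server fetches the badge upstream with a token held only in memory,
sent in a header, and refuses anything that is not on the allowlist.

Assumed, not taken from the original thread:
- GITLAB_URL / GITLAB_TOKEN environment variables; the token belongs to a
  dedicated read-only account that can see only the projects in ALLOWED.
- Upstream /badges/... accepts the PRIVATE-TOKEN header on your GitLab version.
"""
import os
import re
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# (namespace/project, branch) pairs that may be proxied; everything else is 404.
# Sample entries, constructed for this example.
ALLOWED = {("mygroup/myproject", "master"), ("mygroup/lib", "develop")}
BADGES = {"pipeline": "pipeline.svg", "coverage": "coverage.svg"}
SAFE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")  # one path segment; rejects "", "..", "/"


def parse_badge_path(path):
    """Map /badge/<kind>/<namespace>/<project>/<branch> to (project, branch, kind).

    Returns None for anything malformed or not allowlisted, so the proxy can
    never be steered at another project the token's account happens to see.
    """
    parts = path.split("?", 1)[0].strip("/").split("/")
    if len(parts) < 5 or parts[0] != "badge" or parts[1] not in BADGES:
        return None
    kind, project, branch = parts[1], "/".join(parts[2:-1]), parts[-1]
    if not all(SAFE.match(seg) for seg in parts[2:]):
        return None
    if (project, branch) not in ALLOWED:
        return None
    return project, branch, kind


def upstream_url(base_url, project, branch, kind):
    """Badge URL on the GitLab host; the token is deliberately not part of it."""
    return f"{base_url.rstrip('/')}/{project}/badges/{branch}/{BADGES[kind]}"


def default_fetcher(url, headers):
    """Real HTTP GET; returns (status, content_type, body)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.headers.get("Content-Type", ""), resp.read()


def fetch_badge(path, base_url, token, fetcher=default_fetcher):
    """Resolve a proxy path and fetch the badge. Returns (status, content_type, body)."""
    target = parse_badge_path(path)
    if target is None:
        return 404, "text/plain", b"unknown badge\n"
    project, branch, kind = target
    url = upstream_url(base_url, project, branch, kind)
    try:
        # Token travels in a header, never in the URL: URLs end up in READMEs and logs.
        status, ctype, body = fetcher(url, {"PRIVATE-TOKEN": token})
    except Exception:
        # Do not echo upstream errors; they can name the token's owner or project.
        return 502, "text/plain", b"upstream error\n"
    if status != 200 or "svg" not in ctype:
        # A sign-in page (text/html) is what you get when the token is rejected;
        # serve a clean error instead of relaying it to anonymous readers.
        return 502, "text/plain", b"upstream error\n"
    return 200, "image/svg+xml", body


class BadgeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, ctype, body = fetch_badge(
            self.path, os.environ["GITLAB_URL"], os.environ["GITLAB_TOKEN"])
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Cache-Control", "public, max-age=300")
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # GITLAB_URL=https://gitlab.example.com GITLAB_TOKEN=... python badge_proxy.py
    HTTPServer(("127.0.0.1", 8080), BadgeHandler).serve_forever()
```

The README then points at `https://badges.example.com/badge/pipeline/mygroup/myproject/master` and contains no secret at all. The allowlist plus the single-segment regex are what make this safe to expose: without them, anyone could ask the proxy for any path the token's account can read, which is the objection raised in the comments above.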