I'd like to get the state of a merge request approval via the GitLab API with

GET /projects/:id/merge_requests/:merge_request_iid/approval_state

This call needs an account-based access token with API-level permissions (read/write on everything). This is not secure because I want to use this call within a pipeline where others might see/use my token.

Is there a possibility to make this call with a project based token?

The docs can be found here

hottehead

1 Answer

You can save your token inside your project settings.
Take a look here: https://docs.gitlab.com/ee/ci/variables/#via-the-ui

From the UI, navigate to your project’s Settings > CI/CD and expand Variables.
Create a new variable by choosing its type, naming it in the field Input variable key, and defining its value in the Input variable value field.

So for example, you'll save your token in variable: TOKEN. Then you can easily use this variable inside your .gitlab-ci.yml script:

```yaml
script:
  - curl --header "Private-Token: $TOKEN" https://gitlab.example.com/api/v4/projects
```

Aviad Levy
  • Thanks for the hint. This indeed gives a little more security as not everyone can see the plain token. However it does not prevent other developers from using my token within a pipeline of that project and doing all sorts of stuff in my name. – hottehead Dec 12 '19 at 14:23
  • A simple `Developer` (one with `Developer` permissions) does not have access to this variable. Only `Maintainer` or `Owner` do. Read more here: https://docs.gitlab.com/ee/user/permissions.html – Aviad Levy Dec 12 '19 at 21:16
  • True, this reduces visibility and editability. But usage of the variable within pipelines is unrestricted so far? It seems like they want to base job permission on the user who triggered the pipeline. Can be found in the listing [here](https://docs.gitlab.com/ee/user/project/new_ci_build_permissions_model.html#new-ci-job-permissions-model). `It opens a lot of possibilities to further enforce user permissions, like allowing only specific users to access runners or use secure variables and environments.` – hottehead Dec 13 '19 at 09:59
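
The following is an added example, not code from the question, the answer or GitLab: a job script that calls the `approval_state` endpoint from the question with the token taken from the `TOKEN` CI/CD variable, sends it only over HTTPS, and prints only the result rather than headers or the environment. It assumes a merge request pipeline (so the predefined `CI_API_V4_URL`, `CI_PROJECT_ID` and `CI_MERGE_REQUEST_IID` variables are set); the sample response is constructed and trimmed to the fields the script reads.

```python
import json
import os
import urllib.request

# Constructed sample of an approval_state response, trimmed to the fields used below.
SAMPLE_RESPONSE = json.dumps({
    "approval_rules_overwritten": False,
    "rules": [
        {"name": "security", "approvals_required": 1, "approved": True,
         "approved_by": [{"username": "alice"}]},
        {"name": "backend", "approvals_required": 2, "approved": False,
         "approved_by": [{"username": "bob"}]},
    ],
})


def build_request(env):
    """Build the approval_state request from CI variables; the token stays in a header."""
    token = env.get("TOKEN")  # variable name used in the answer above
    if not token:
        raise RuntimeError("TOKEN is not set for this job")
    url = "{}/projects/{}/merge_requests/{}/approval_state".format(
        env["CI_API_V4_URL"], env["CI_PROJECT_ID"], env["CI_MERGE_REQUEST_IID"])
    if not url.startswith("https://"):
        raise ValueError("refusing to send the token over a non-HTTPS URL")
    return urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})


def pending_rules(body):
    """Return the names of approval rules that are not yet satisfied."""
    rules = json.loads(body).get("rules", [])
    return [rule["name"] for rule in rules if not rule.get("approved")]


def main():
    req = build_request(os.environ)
    with urllib.request.urlopen(req, timeout=10) as resp:
        pending = pending_rules(resp.read().decode())
    # Print only the outcome; never print request headers or the environment.
    print("pending rules:", ", ".join(pending) or "none")
    return 1 if pending else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

The job exits non-zero while any rule is still unapproved, so it can gate later stages without the token ever appearing on a command line or in the job log.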