2

I am currently trying to every single commit out of my gitlab project and put them on a database. I also have a table with all the users of the project which I want to connect with the Commit table.

I get all the users of the project via the command 1- for user in self.project.users.list(all = True).

I get all the commits via the command 2- for c in self.project.commits.list(all = True): .

I was trying to use the .author_name property of every commit to associate the commits to a user. But I noticed that some of the people in the project had altered their name mid project and now the names I get from command 1 are different from the name given via the .author_name property.

Is there any way to fix this?

Edgar Tip
  • 43
  • 2
  • 7
  • The author name, author email, committer name and committer email are user-defined. Git allows users to set these properties with any valid strings. Without a mapping table, Git doesn't know which names/emails belong to the same user. Git has mailmap, https://git-scm.com/docs/gitmailmap. The mailmap helps git commands to consider multiple names/emails as the same user. But you still need to maintain the mailmap manually. – ElpieKay Nov 29 '21 at 03:21
  • Unfortunately, there's no way to handle this retroactively for reasons mentioned by @ElpieKay. To make this association more reliable in the future, you can configure push rules to require that the committer email matches an existing GitLab user. That way, you can associate commit emails and be sure that a corresponding GitLab user with the same email _should_ exist. However, users can change their own email, which can lead to the same principle issue you have. Another possible way may be to require GPG signing of all commits, which you can then use to identify the user more positively. – sytech Nov 29 '21 at 22:20

1 Answers1

1

Because git commit information is independent of GitLab user information, there's no reliable way to do this -- at least not retroactively or with 100% accuracy/certainty in every circumstance.

For example, a user can easily create a commit with an author/committer name/email that simply does not exist.

git config --local user.name "A fictitious name"
git config --local user.email "nonexistant@example.com"
git commit -m "you cant find me"
git push  # works fine

However, you may be able to make this lookup and association more reliable by one or more methods.

Push rule to ensure committer email is a GitLab user

A push rule can be setup using the predefined push rule "Check whether the commit author is a GitLab user" which will make sure that the author email matches the email of an active GitLab user.

This would make mapping commits back to GitLab users more reliable because the author email has to be a valid/active GitLab user.

The same example above would fail to push due to this rule. However, over time, a user may change their email and that will lead to a similar issue you're experiencing today.

Requiring GPG signatures for all commits

Similar to the "Check whether the commit author is a GitLab user" push rule, another possible way to make this association more reliable would be to require verified commits (GPG signing) for all commits using the "reject unverified commits" push rule. That way, you can more readily rely on the signature information to relate it back to a particular user.

If a commit is verified, that means that the commit is (1) signed using a GPG key, (2) that GPG key email matches a verified email for the GitLab User, and (3) the commit email matches the GPG key email.

Additionally, the GPG signature will contain the username and email in the signature itself.

for c in self.project.commits.list(as_list=False)
    signature = c.signature() # the commit needs to be signed for this to work
    print(c, 
          'was authored by', 
          signature['gpg_key_user_name'], 
          signature['gpg_key_user_email']
    )

This is essentially the same information shown in the GitLab UI for a verified commit:

verified commit in GitLab UI

Cross-referencing against the user API

With either of the two approaches described above, the commit information (committer email or GPG key ID) could further be cross-referenced against the users API. For example, if a committer is still an active GitLab user, you can use the API to find every user's email addresses or GPG keys and cross-reference them with the commit information.

Of course, this will only apply to commits/projects created after the commit signing rule is established. You can't retroactively create this information for existing commits. Some other caveats apply.

Because information provided by the user API can change over time (emails and GPG keys can be added/removed over time or users can be deleted from GitLab altogether) it should stand to reason that this it will not always be possible to obtain the GitLab User ID from a particular commit in every scenario.

The only way to reconcile changes in such cases would be to audit changing state over time (e.g. by referring to GitLab server logs or audit logs on self-managed instances).

sytech
  • 29,298
  • 3
  • 45
  • 86