
Automate setup of comment, pipeline, and job webhooks for all GitLab projects
Open, Medium, Public, Feature

Description

Getting comment, pipeline, and job events out of GitLab would be a nice addition to the data that is currently collected by gitlab-webhooks using the system hooks integration. Unfortunately these are not as easy for us to manage centrally as they must be configured at the project level in GitLab CE. Group level integration for these events is only possible with a paid subscription.

We do, however, get a system level event when any project is created, so it would be possible to use the hooks API endpoints to manage per-project hooks with a bot. It will not be possible to use a single validation token with these integrations: the hook configuration is visible to the owners of each project and would thus expose the validation token to them. I think we can dream up a system that varies this token per-project so that the owners of project A cannot spoof events for project B. Using a pepper hashed with the project namespace and path would likely be the simplest method of validation.
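As an added illustration of the per-project token idea described above (example code written for this task, not part of gitlab-webhooks or gitlab-settings), the sketch below derives each project's hook token as an HMAC of the pepper over `path_with_namespace`, builds the body a bot would send to the GitLab project hooks API, and shows the receiver-side check that makes a token valid for project A fail for a payload claiming to be project B. The pepper value, receiver URL, project paths and the note-event payload are all constructed for the example; `X-Gitlab-Token`, `project.path_with_namespace` and the hook API fields are GitLab's own.

```python
import hashlib
import hmac
import json

# Constructed example pepper. In a real deployment this would be a secret shared
# only by the webhook receiver and the hook-managing bot, never stored in GitLab.
PEPPER = b"example-pepper-not-a-real-secret"


def derive_hook_token(pepper: bytes, path_with_namespace: str) -> str:
    """Per-project validation token: HMAC-SHA256 keyed with the pepper over the
    project's namespace/path. A project owner who reads their own hook config
    learns only that project's token, not the pepper, so they cannot derive the
    token of any other project."""
    return hmac.new(pepper, path_with_namespace.encode("utf-8"), hashlib.sha256).hexdigest()


def hook_create_body(receiver_url: str, pepper: bytes, path_with_namespace: str) -> dict:
    """Request body the bot would POST to /projects/:id/hooks after seeing a
    project_create system event (field names are GitLab's hooks API fields)."""
    return {
        "url": receiver_url,
        "token": derive_hook_token(pepper, path_with_namespace),
        "note_events": True,
        "pipeline_events": True,
        "job_events": True,
        "enable_ssl_verification": True,
    }


def validate_hook_request(pepper: bytes, headers: dict, body: bytes) -> bool:
    """Receiver-side check. The expected token is recomputed from the project
    path the payload itself claims, so presenting project A's token with a
    payload for project B fails. Malformed or incomplete payloads are rejected."""
    presented = headers.get("X-Gitlab-Token", "")
    try:
        payload = json.loads(body)
        path = payload["project"]["path_with_namespace"]
    except (ValueError, KeyError, TypeError):
        return False
    if not isinstance(path, str):
        return False
    expected = derive_hook_token(pepper, path)
    # Constant-time comparison so token checking does not leak via timing.
    return hmac.compare_digest(expected, presented)


# Constructed sample note event in the shape GitLab sends (trimmed to the fields used here).
SAMPLE_NOTE_EVENT = json.dumps({
    "object_kind": "note",
    "project": {"id": 101, "path_with_namespace": "repos/cloud/project-a"},
    "object_attributes": {"noteable_type": "MergeRequest", "note": "looks good"},
}).encode("utf-8")


def demo() -> dict:
    """Genuine delivery for project A versus a spoof attempt that reuses A's
    token on a payload claiming to be project B."""
    token_a = derive_hook_token(PEPPER, "repos/cloud/project-a")
    genuine = validate_hook_request(PEPPER, {"X-Gitlab-Token": token_a}, SAMPLE_NOTE_EVENT)
    spoof_body = SAMPLE_NOTE_EVENT.replace(b"project-a", b"project-b")
    spoofed = validate_hook_request(PEPPER, {"X-Gitlab-Token": token_a}, spoof_body)
    return {"genuine": genuine, "spoofed": spoofed}


if __name__ == "__main__":
    print(json.dumps(hook_create_body("https://hooks.example.invalid/gitlab", PEPPER,
                                      "repos/cloud/project-a"), indent=2))
    print(demo())  # {'genuine': True, 'spoofed': False}
```

The receiver trusts the project path only after the HMAC check passes, which is the property that matters: the pepper never leaves the receiver and bot, and rotating it only requires the periodic reconciliation pass to re-issue every project's hook token.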

Event Timeline

bd808 triaged this task as Medium priority. Apr 18 2024, 10:37 PM
bd808 changed the subtype of this task from "Task" to "Feature Request".

I guess my other thought about a home for this is that it could live in gitlab-settings/configure-projects - a script which really does very little, and could be a lot smarter about what it does do, but does already iterate over projects and change some settings.

> I guess my other thought about a home for this is that it could live in gitlab-settings/configure-projects - a script which really does very little, and could be a lot smarter about what it does do, but does already iterate over projects and change some settings.

Nice. I found a Puppet module that clones that git repo, but I haven't yet spotted where and when configure-projects gets run. Is it on a systemd timer somewhere?

Judging by the current implementation I imagine it is meant to run periodically (daily?) to reset things that project owners may have changed against default policy. This would seem like a good place to verify hook configuration. We might still want something reacting to project creation to do the initial setup so that folks don't have to wait up to a day to see events from their new project.

> I haven't yet spotted where and when configure-projects gets run. Is it on a systemd timer somewhere?

It is on a timer, but that timer is on @thcipriani's laptop today. Let's add correcting that to our list of things to do as well. ;)