Phabricator tasks have a "Details" section that automatically lists related Gerrit patches and their status, based on the Bug: commit footers. The same should be done for GitLab patches.
Description
Related Objects
- Mentioned In
  - T407111: Unknown Configuration Option "gitlab.api_key" in Phab Local Config
  - T385930: Consider disabling personal access token forced expiration
- Mentioned Here
  - T385930: Consider disabling personal access token forced expiration
  - T324149: Build a widget to display GitLab changes on related Phabricator tasks
Event Timeline
This exists - see T324149: Build a widget to display GitLab changes on related Phabricator tasks for background. Seems to be currently broken, I'm guessing because a token expired. I'll investigate during tomorrow's workday.
Sure enough:

curl --silent --request GET \
  --header "PRIVATE-TOKEN: $(pass Wiki/gitlab-admin-token | head -1)" \
  --header 'Content-Type: application/json' \
  'https://gitlab.wikimedia.org/api/v4/personal_access_tokens/357' | jq '.'
{
  "id": 357,
  "name": "mr-widget-token",
  "revoked": false,
  "created_at": "2023-03-15T17:31:07.707Z",
  "scopes": [
    "read_api"
  ],
  "user_id": 682,
  "last_used_at": "2024-08-01T23:54:34.929Z",
  "active": false,
  "expires_at": "2024-08-02"
}

I found the token via:

curl --request POST --silent \
  --header "PRIVATE-TOKEN: $(pass Wiki/gitlab-admin-token | head -1)" \
  --header 'Content-Type: application/json' \
  'https://gitlab.wikimedia.org/api/v4/admin/token' \
  -d '{"token": "'"$(pass Wiki/gitlab-phab-token)"'"}' | jq '.'
{
  "id": 357,
  "name": "mr-widget-token",
  "revoked": false,
  "created_at": "2023-03-15T17:31:07.707Z",
  "scopes": [
    "read_api"
  ],
  "user_id": 682,
  "last_used_at": "2024-08-01T23:54:34.929Z",
  "active": false,
  "expires_at": "2024-08-02"
}

I can rotate it via:

curl --silent --request POST \
  --header "PRIVATE-TOKEN: $(pass Wiki/gitlab-admin-token | head -1)" \
  --header 'Content-Type: application/json' \
  'https://gitlab.wikimedia.org/api/v4/personal_access_tokens/357/rotate' \
  --data '{"id": 357, "expires_at": "'"$(date --date='+364 days' -I)"'"}' | jq '.'

That will give me:

{
  "id": 357,
  "name": "mr-widget-token",
  "revoked": false,
  "created_at": "2023-03-15T17:31:07.707Z",
  "scopes": [
    "read_api"
  ],
  "user_id": 682,
  "last_used_at": null,
  "active": true,
  "expires_at": "2024-02-06",
  "token": <new-token>
}

But where does the new token go? (NOTE: I have not done this yet, experimented with my own tokens)
There's profile::phabricator::main::gitlab_api_key in private Hiera which seems likely.
Yeah, that'll be it. Then once Puppet has dropped that into /etc/phabricator/config.yaml, a Phabricator deploy will copy it to the correct local.json.
I created a new one under gitlab-mentions-bot a bit ago but actually I think this was originally a project-level token for whatever project id 1031 is...
...repos/phabricator/extensions, according to the API. Makes sense I guess.
Rotated the token. The new one is in:

thcipriani@phab1004:~$ ls -lhA 2025-02-07-T385480.token
-rw------- 1 thcipriani wikidev 269 Feb 7 20:05 2025-02-07-T385480.token

Just need an SRE to update that private Hiera value with the token.
<3
I think we just need a config deploy of phab to pick up the new token, then. @brennen whenever you get a chance to do the needful there and then we can close this'n out.
{{done}} - thanks all. I'll spend some time documenting various GitLab tokens and maybe set up a calendar with reminders.
I suppose at least theoretically, we could have a service that rotates tokens, although they're definitely scattered around a bunch of places...
Mentioned in SAL (#wikimedia-releng) [2025-02-07T22:14:17Z] <brennen> phab/phorge: replaced mr-widget token in deployed config (T385480)
Thanks everyone!
- Is this something to document (or at least a task to link?) on https://wikitech.wikimedia.org/wiki/Phabricator for the next person wondering?
- Would it make sense to add some code to https://gitlab.wikimedia.org/repos/phabricator/extensions/-/blob/wmf/stable/src/customfields/GitLabPatchesCustomField.php which somehow™ allows us/someone to realize when things break and why they broke?

see T385930
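
The expiry diagnosis from this thread, turned into a check over `personal_access_tokens` records that could drive the reminders discussed above. This is an added example, not code from the thread or from the Phabricator extension; `token_status`, `needs_attention`, the 30-day warning window and the records labelled constructed are assumptions.

```python
import json
from datetime import date

# Record copied from the API output quoted in the thread above.
PAGE_TOKEN = json.loads("""
{"id": 357, "name": "mr-widget-token", "revoked": false,
 "created_at": "2023-03-15T17:31:07.707Z", "scopes": ["read_api"],
 "user_id": 682, "last_used_at": "2024-08-01T23:54:34.929Z",
 "active": false, "expires_at": "2024-08-02"}
""")

# Constructed sample records (not real tokens) covering the other outcomes.
CONSTRUCTED = [
    {"id": 1, "name": "sample-soon", "revoked": False, "active": True, "expires_at": "2025-03-01"},
    {"id": 2, "name": "sample-ok", "revoked": False, "active": True, "expires_at": "2026-01-15"},
    {"id": 3, "name": "sample-revoked", "revoked": True, "active": False, "expires_at": "2026-01-15"},
    {"id": 4, "name": "sample-no-expiry", "revoked": False, "active": True, "expires_at": None},
]

def token_status(tok, today, warn_days=30):
    """Classify one token record; returns (state, reason)."""
    if tok.get("revoked"):
        return "revoked", "token was revoked"
    expires = tok.get("expires_at")
    if expires is None:
        return "ok", "no expiry date set"
    # Assumption: the token stops working at the start of its expires_at day,
    # which matches last_used_at being the day before in the record above.
    days_left = (date.fromisoformat(expires) - today).days
    if days_left <= 0:
        return "expired", f"expired on {expires}"
    if days_left <= warn_days:
        return "expiring", f"expires in {days_left} days, on {expires}"
    return "ok", f"valid until {expires}"

def needs_attention(tokens, today, warn_days=30):
    """Return one line per token that is not 'ok', in input order."""
    lines = []
    for tok in tokens:
        state, reason = token_status(tok, today, warn_days)
        if state != "ok":
            lines.append(f"{state.upper()}: {tok['name']} (id {tok['id']}): {reason}")
    return lines

if __name__ == "__main__":
    # 2025-02-07 is the date the token was rotated in the thread.
    print("\n".join(needs_attention([PAGE_TOKEN] + CONSTRUCTED, date(2025, 2, 7))))
```

The reason string is what answers "why they broke": the page's record has `revoked: false` and `active: false`, and only the `expires_at` comparison tells the two causes apart.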
