Tag your Git repo using GitLab’s CI/CD pipeline
Git tagging is an important Git feature for marking release points (v1.0, v2.0, and so on). Developers know the advantage of tagging, and proper tagging is required when we release a new version.
Nowadays, DevOps engineers handle the build and deployment process with the help of CI/CD pipelines. After each release, we may need to tag that repo. Here, we look at methods of tagging using GitLab’s CI/CD pipeline code (.gitlab-ci.yml).
We describe 3 methods for tagging. The commands that tag the repo are similar in all 3 cases; the difference is in the authentication part. As we are trying to tag our repo from the CI pipeline, we must first authenticate to the repo from the pipeline. Given below are the different methods for authentication.
- Using Gitlab Personal Access Token
- Using GitLab Personal Access Token with a Robot account instead of a personal account
- Using Gitlab’s username and password
All of the above methods need GitLab authentication details when the pipeline runs, and committing those secrets to Git as plain text is not a security best practice. GitLab has a feature called CI/CD variables to store information like passwords, secret keys, etc. Given below are the steps for creating a protected environment variable in GitLab.
- Go into your repository and click on the Settings section
- Under Settings, click on CI/CD
- Under the CI/CD section, click on the Variables section and then click the Expand button
- Click on Add variable and add your secret with a variable name
- Check the Mask variable checkbox to mask this value when printing in the pipeline
- Done
Once the secrets are added, you can use this variable in the below format in the pipeline code.
${TEST_SECRET}
Now, we can get back into the different authentication methods for Git tagging (in our case).
Method 1: Using Gitlab Personal Access Token
We can use GitLab’s Personal Access Tokens to authenticate to GitLab from the pipeline. You can find the details about Personal Access Tokens and their creation method here. To use this method, we first create a Personal Access Token. Given below are the steps for creating a Personal Access Token:
- Log in to your GitLab account.
- In the upper right corner, click your avatar and select Preferences
- On the user settings menu, select Access Tokens
- Choose a name and an optional expiry date for the token
- Check the scopes read_repository and write_repository from the list
- Click the Create personal access token button
- Save the personal access token somewhere safe. If you navigate away or refresh your page, and you did not save the token, you will lose the token and you must create a new one
Given below is an image of the Personal Access token section in Gitlab:
Once the Personal Access Token is created, we can use the pipeline code given below for tagging the Git repo.
image: docker:19.03.12
services:
  - docker:19.03.12-dind
stages:
  - tagging
Tagging from pipeline:
  stage: tagging
  script:
    # You can write your pipeline code for build/deploy here
    - docker info
  after_script:
    - apk update && apk add git
    - git --version
    - git remote remove origin
    - git remote add origin https://oauth2:${PERSONAL_ACCESS_TOKEN}@gitlab.com/account-name/project-name
    - git config user.email <your-gitlab-email_id>
    - git config user.name <your-gitlab-username>
    - git tag -a v1.0 -m "Release version 1.0"
    # Push the new tag to the remote; without this it exists only on the runner
    - git push origin v1.0
  only:
    - master
Explanation:
The given code is a Docker-based pipeline. We used the after_script section of the .gitlab-ci.yml file for Git tagging. Here, we install Git in the Alpine-based Docker image (you can also use any image of your choice that already has Git installed). Then, we remove the existing origin and add a new remote origin whose URL carries our GitLab Personal Access Token. We assume the Personal Access Token has been added as a GitLab CI/CD variable.
You can replace the below values to get this code running on your pipeline.
- PERSONAL_ACCESS_TOKEN (need to add as CICD variable)
- account-name
- project-name
- <your-gitlab-email_id>
- <your-gitlab-username>
The advantages of using this authentication method are:
- We are not exposing our personal GitLab credentials anywhere (username or password)
- A Personal Access Token can be revoked at any time, and a new one can be created
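The remote URL in the pipeline above carries the token, so the token is written to .git/config on the runner. The sketch below is an added example, not code from the original post: it pushes the tag to a credential-free URL and hands git the token through a GIT_ASKPASS helper instead. It assumes PERSONAL_ACCESS_TOKEN is the CI/CD variable described above and that git user.name and user.email are already configured; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the post's code. Assumes PERSONAL_ACCESS_TOKEN is the masked
# CI/CD variable from the post; the function names here are hypothetical.

# Accept only tags shaped like v1.0 or v2.10.3, so a pipeline variable
# cannot smuggle in a git option such as --delete.
valid_tag() {
    case "$1" in
        v[0-9]*) ;;
        *) return 1 ;;
    esac
    case "${1#v}" in
        *[!0-9.]* | *..* | *.) return 1 ;;
    esac
    return 0
}

# Write a GIT_ASKPASS helper. It reads the token from the environment when git
# calls it, so the token itself is never written to disk or to .git/config.
write_askpass() {
    helper=$(mktemp) || return 1
    cat > "$helper" <<'EOF'
#!/bin/sh
case "$1" in
    Username*) printf '%s\n' "oauth2" ;;
    Password*) printf '%s\n' "$PERSONAL_ACCESS_TOKEN" ;;
esac
EOF
    chmod 700 "$helper"
    printf '%s\n' "$helper"
}

# Create an annotated tag and push only that tag to a credential-free URL.
push_release_tag() {
    tag=$1
    repo_url=$2
    valid_tag "$tag" || { echo "refusing tag name: $tag" >&2; return 2; }
    [ -n "${PERSONAL_ACCESS_TOKEN:-}" ] || { echo "PERSONAL_ACCESS_TOKEN is not set" >&2; return 3; }
    askpass=$(write_askpass) || return 4
    status=0
    { git tag -a "$tag" -m "Release version ${tag#v}" &&
        GIT_ASKPASS=$askpass GIT_TERMINAL_PROMPT=0 \
            git push "$repo_url" "refs/tags/$tag"; } || status=$?
    rm -f "$askpass"
    return "$status"
}
```

In the pipeline, source this file and call `push_release_tag v1.0 https://gitlab.com/account-name/project-name.git` in place of the `git remote` and `git tag` lines.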
Method 2: Using GitLab Personal Access Token with a Robot account instead of a personal account
This method is the same as the one above; the only difference is that we use a separate GitLab account (a robot account) instead of a personal account.
The advantages of using this method are:
- You don’t need to share your personal account’s access tokens for pipeline use cases
- You can use this account for multiple repositories and namespaces
- You can isolate and limit the access of this account only for use cases like this
- You can easily revoke permissions to this account. If you were using your personal account credentials, this may be difficult considering your other projects.
Method 3: Using Gitlab’s username and password
This is the simplest of the three methods, as we use our GitLab username and password directly in the pipeline code for tagging. This method is not recommended for a group project. If you are the only one working on the repo, you can consider it as well (but it is still not recommended). I’m providing the details here only so that you know this method exists. Given below is the code sample that we can use for tagging from the CI/CD pipeline.
image: docker:19.03.12
services:
  - docker:19.03.12-dind
stages:
  - tagging
Tagging from pipeline:
  stage: tagging
  script:
    # You can write your pipeline code for build/deploy here
    - docker info
  after_script:
    - apk update && apk add git
    - git --version
    - git remote remove origin
    - git remote add origin https://${USERNAME}:${PASSWORD}@gitlab.com/account-name/project-name
    - git config user.email <your-gitlab-email_id>
    - git config user.name <your-gitlab-username>
    - git tag -a v1.0 -m "Release version 1.0"
    # Push the new tag to the remote; without this it exists only on the runner
    - git push origin v1.0
  only:
    - master
Here too, we used CI/CD environment variables for the username and password.
Explanation:
Here, the code is similar to the one that we explained above. But the main difference is that we used our GitLab username and password directly instead of creating any access tokens. From the code section given above, you just need to replace these values and run it.
- ${USERNAME}
- ${PASSWORD}
- account-name
- project-name
- <your-gitlab-email_id>
- <your-gitlab-username>
As we know, going with the simplest method has its own pros and cons.
Pros:
- No additional settings or configurations are required
Cons:
- GitLab’s username and password are exposed in the pipeline code (not as plain text, as we used CI/CD environment variables)
- Even if we use CI/CD variables, if there are multiple persons on the project with higher privileges, they can view the credentials from the CI/CD section. Currently, GitLab variables can be viewed at any time, unlike GitHub secrets.
- If we change our GitLab password, we need to change it in the pipeline code or variable too
Thanks!