Page MenuHomePhabricator
Create Task
Maniphest T385480

Show related Gitlab patches on Phabricator tasks
Closed, ResolvedPublicFeature
Actions

Description

Phabricator tasks have a "Details" section that automatically lists related Gerrit patches and their status, based on the Bug: commit footers. The same should be done for Gitlab patches.

Related Objects

Event Timeline

Tgr created this task.Feb 3 2025, 2:20 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 3 2025, 2:20 PM
DAlangi_WMF subscribed.Feb 3 2025, 2:40 PM
brennen claimed this task.Feb 4 2025, 2:45 AM
brennen edited projects, added Release-Engineering-Team, User-brennen, GitLab (Integrations); removed GitLab.
brennen subscribed.

This exists - see T324149: Build a widget to display GitLab changes on related Phabricator tasks for background. Seems to be currently broken, I'm guessing because a token expired. I'll investigate during tomorrow's workday.

Aklapper added a project: Regression.Feb 4 2025, 9:21 AM
brennen moved this task from INBOX to Doing 😎 on the Release-Engineering-Team board.Feb 5 2025, 5:41 PM
brennen edited projects, added Release-Engineering-Team (Doing 😎); removed Release-Engineering-Team.
thcipriani subscribed.Feb 7 2025, 6:52 PM
In T385480#10519638, @brennen wrote:

This exists - see T324149: Build a widget to display GitLab changes on related Phabricator tasks for background. Seems to be currently broken, I'm guessing because a token expired. I'll investigate during tomorrow's workday.

Sure enough:

curl --silent --request GET \
  --header "PRIVATE-TOKEN: $(pass Wiki/gitlab-admin-token | head -1)"
  --header 'Content-Type: application/json' \
  'https://gitlab.wikimedia.org/api/v4/personal_access_tokens/357' | jq '.'
{
  "id": 357,
  "name": "mr-widget-token",
  "revoked": false,
  "created_at": "2023-03-15T17:31:07.707Z",
  "scopes": [
    "read_api"
  ],
  "user_id": 682,
  "last_used_at": "2024-08-01T23:54:34.929Z",
  "active": false,
  "expires_at": "2024-08-02"
}

I found the token via:

curl --request POST --silent \
  --header "PRIVATE-TOKEN: $(pass Wiki/gitlab-admin-token | head -1)" \
  --header 'Content-Type: application/json' \
  'https://gitlab.wikimedia.org/api/v4/admin/token' \
  -d '{"token": "'"$(pass Wiki/gitlab-phab-token)"'"}' | jq '.'
{
  "id": 357,
  "name": "mr-widget-token",
  "revoked": false,
  "created_at": "2023-03-15T17:31:07.707Z",
  "scopes": [
    "read_api"
  ],
  "user_id": 682,
  "last_used_at": "2024-08-01T23:54:34.929Z",
  "active": false,
  "expires_at": "2024-08-02"
}

I can rotate it via:

curl --silent --request POST \
  --header "PRIVATE-TOKEN: $(pass Wiki/gitlab-admin-token | head -1)" \
  --header 'Content-Type: application/json' \
  'https://gitlab.wikimedia.org/api/v4/personal_access_tokens/357/rotate' \
  --data '{"id": 357, "expires_at": "'"$(date --date='+364 days' -I)"'"}' | jq '.'

That will give me:

{
  "id": 357,
  "name": "mr-widget-token",
  "revoked": false,
  "created_at": "2023-03-15T17:31:07.707Z",
  "scopes": [
    "read_api"
  ],
  "user_id": 682,
  "last_used_at": null,
  "active": true,
  "expires_at": "2024-02-06",
  "token": <new-token>
}

But where does the new token go? (NOTE: I have not done this yet, experimented with my own tokens)

taavi subscribed.Feb 7 2025, 7:03 PM
In T385480#10532529, @thcipriani wrote:

But where does the new token go? (NOTE: I have not done this yet, experimented with my own tokens)

There's profile::phabricator::main::gitlab_api_key in private Hiera which seems likely.

brennen added a comment.Feb 7 2025, 7:14 PM

There's profile::phabricator::main::gitlab_api_key in private Hiera which seems likely.

Yeah, that'll be it. Then once Puppet has dropped that into /etc/phabricator/config.yaml, a Phabricator deploy will copy it to the correct local.json.

I created a new one under gitlab-mentions-bot a bit ago but actually I think this was originally a project-level token for whatever project id 1031 is...

2025-02-07-12:11:29.png (232×467 px, 14 KB)

...repos/phabricator/extensions, according to the API. Makes sense I guess.

thcipriani added a comment.Feb 7 2025, 8:06 PM

Rotated the token. The new on is in:

thcipriani@phab1004:~$ ls -lhA 2025-02-07-T385480.token
-rw------- 1 thcipriani wikidev 269 Feb  7 20:05 2025-02-07-T385480.token

Just need an SRE to update that private heira value with the token.

taavi added a comment.Feb 7 2025, 8:11 PM
In T385480#10532672, @thcipriani wrote:

Just need an SRE to update that private heira value with the token.

{{done}}

thcipriani added a comment.Feb 7 2025, 8:53 PM
In T385480#10532678, @taavi wrote:
In T385480#10532672, @thcipriani wrote:

Just need an SRE to update that private heira value with the token.

{{done}}

<3

I think we just need a config deploy of phab to pick up the new token, then. @brennen whenever you get a chance to do the needful there and then we can close this'n out.

brennen added a comment.Feb 7 2025, 10:13 PM

{{done}} - thanks all. I'll spend some time documenting various GitLab tokens and maybe set up a calendar with reminders.

I suppose at least theoretically, we could have a service that rotates tokens, although they're definitely scattered around a bunch of places...

brennen closed this task as Resolved.Feb 7 2025, 10:13 PM
Stashbot added a comment.Feb 7 2025, 10:14 PM

Mentioned in SAL (#wikimedia-releng) [2025-02-07T22:14:17Z] <brennen> phab/phorge: replaced mr-widget token in deployed config (T385480)

bd808 mentioned this in T385930: Consider disabling personal access token forced expiration.Feb 8 2025, 1:06 AM
Aklapper added a comment.EditedFeb 8 2025, 3:52 PM

Thanks everyone!

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits