GitLab

class confirm.tools.gitlab.GitLabGuard(private_token, url='https://git.confirm.ch', namespace='confirm')

The GitLabGuard is a Python tool which helps to verify & fix GitLab project settings, protected branches & tags.

While the GitLab guard provides some defaults, projects can override the settings by providing a .gitlab-guard.yml file on the top-level of their repository.

The .gitlab-guard.yml should look like something like this:

---
settings:
  request_access_enabled: True
  visibility: public

protected_branches:
  master:
    merge: 'Developers + Maintainers'
    push: 'Maintainers'

protected_tags:
  '*': 'Maintainers'

Note

Please note there are only 3 top-level keys, namely settings, protected_branches & protected_tags.

To find the appropriate values for the settings, you should have a look at the COMMON_SETTINGS, REPOSITORY_SETTINGS, MERGE_REQUESTS_SETTINGS and CI_SETTINGS values.

Parameters

private_token (str) – The private API token
url (str) – The GitLab URL
namespace (str) – The GitLab namespace

current_project_settings(project_id)

Retreive the current project settings of a GitLab project.

Parameters: project_id (int) – A GitLab project ID
Returns: The current settings
Return type: dict

current_protected_branches(project_id)

Retreive the current protected branches of a GitLab project.

Parameters: project_id (int) – A GitLab project ID
Returns: The current protected branches
Return type: list

current_protected_tags(project_id)

Retreive the current protected tags of a GitLab project.

Parameters: project_id (int) – A GitLab project ID
Returns: The current protected tags
Return type: list

expected_project_settings(project_id)

Retreive the expected project settings of a GitLab project.

The expected project settings are defined by the default settings of the GitLabGuard and the project-specific overrides.

Parameters: project_id (int) – A GitLab project ID
Returns: The expected settings
Return type: dict

expected_protected_branches(project_id)

Retreive the expected protected branches of a GitLab project.

The expected protected branches are defined by the default protected branches of the GitLabGuard and the project-specific overrides.

Parameters: project_id (int) – A GitLab project ID
Returns: The expected protected branches
Return type: dict

expected_protected_tags(project_id)

Retreive the expected protected tags of a GitLab project.

The expected protected tags are defined by the default protected tags of the GitLabGuard and the project-specific overrides.

Parameters: project_id (int) – A GitLab project ID
Returns: The expected protected tags
Return type: dict

project_overrides(project_id)

Retreive the project overrides from the project’s .gitlab-guard.yml file.

The .gitlab-guard.yml is looked up in the default branch of the root level of the project’s repository. It must be a valid YAML file.

Parameters: project_id (int) – A GitLab project ID
Returns: The project overrides
Return type: dict

property projects

Retreive all unarchived GitLab projects.

The projects will be returned ordered by their path and sorted ascending.

Returns: The GitLab projects
Return type: dict

verify(project_ids=None, fix=False)

Verify all GitLab projects.

Parameters

project_ids (list) – The project ID’s
fix (bool) – Fix the settings automatically

Returns

The violations

Return type

list

verify_branches(project_id)

Verify that there are no non-default or unprotected branches.

Parameters: project_id (int) – A GitLab project ID
Returns: The violations
Return type: list

verify_project_settings(project_id, fix=False)

Verify the project settings of a GitLab project.

This method is leveraging the expected_project_settings() and current_project_settings() methods.

Parameters

project_id (int) – A GitLab project ID
fix (bool) – Fix the settings automatically

Returns

The violations

Return type

list

verify_protected_branches(project_id, fix=False)

Verify the protected branches of a GitLab project.

This method is leveraging the expected_protected_branches() and current_protected_branches() methods.

Parameters

project_id (int) – A GitLab project ID
fix (bool) – Fix the settings automatically

Returns

The violations

Return type

list

verify_protected_tags(project_id, fix=False)

Verify the protected tags of a GitLab project.

This method is leveraging the expected_protected_tags() and current_protected_tags() methods.

Parameters

project_id (int) – A GitLab project ID
fix (bool) – Fix the settings automatically

Returns

The violations

Return type

list

confirm.tools.gitlab.URL = 'https://git.confirm.ch': The GitLab URL.

confirm.tools.gitlab.NAMESPACE = 'confirm': The default GitLab namespace.

confirm.tools.gitlab.COMMON_SETTINGS = {'auto_devops_enabled': False, 'emails_disabled': False, 'issues_access_level': 'private', 'request_access_enabled': False, 'service_desk_enabled': True, 'snippets_access_level': 'disabled', 'visibility': 'private', 'wiki_access_level': 'disabled'}: The expected default common settings.

confirm.tools.gitlab.REPOSITORY_SETTINGS = {'builds_access_level': 'private', 'container_registry_enabled': False, 'default_branch': 'master', 'forking_access_level': 'private', 'lfs_enabled': False, 'merge_requests_access_level': 'private', 'packages_enabled': False, 'repository_access_level': 'private', 'repository_storage': 'default'}: The expected default repository settings.

confirm.tools.gitlab.MERGE_REQUESTS_SETTINGS = {'allow_merge_on_skipped_pipeline': False, 'autoclose_referenced_issues': True, 'merge_method': 'ff', 'only_allow_merge_if_all_discussions_are_resolved': True, 'only_allow_merge_if_pipeline_succeeds': True, 'remove_source_branch_after_merge': True, 'resolve_outdated_diff_discussions': True, 'squash_option': 'never', 'suggestion_commit_message': ''}: The expected default merge requests settings.

confirm.tools.gitlab.CI_SETTINGS = {'auto_cancel_pending_pipelines': 'enabled', 'build_timeout': 900, 'ci_config_path': None, 'ci_default_git_depth': 50, 'ci_forward_deployment_enabled': True, 'public_jobs': True, 'shared_runners_enabled': True}: The expected default GitLab CI settings.

confirm.tools.gitlab.PROTECTED_BRANCHES = {'master': {'merge': 'Maintainers', 'push': 'No one'}}: The expected protected branches.

confirm.tools.gitlab.PROTECTED_TAGS = {'*': 'Maintainers'}: The expected protected tags.