我们在 GitHub 上托管一些存储库,在 GitLab 上托管其他一些。
有时,软件包已发布,但源代码未发布。
我们总是在README.md.
有没有办法让 GitLab 上的构建和覆盖徽章始终可供匿名访问?
2 回答
2
自Gitlab 11.4.8 版以来,无法再通过个人访问令牌公开项目的徽章。由于更改“将个人访问令牌限制在 Web 请求的 API 范围内”。
删除此“解决方法”的提交已作为安全修复发布
目前正在讨论一个正在进行的问题以找到另一个解决方案。让我们看看情况如何。
于 2018-12-13T11:18:20.243 回答
2
That was followed by issue 13324
It includes:
FYI, I have a workaround for this using the GitLab API.
It assumes you have created a token in GitLab for a user (Note: That "user" needn't necessarily be Human - my use case is to display a badge on a dashboard hosted on a different VM).
<img src="https://<gitlab-uri>/<namespace>/<project>/badges/<branch>/build.svg?private_token=<token>
Update Dec. 2018: This is no loger possible through a token (see Paul B.'s answer).
This is because of "Improper Enforcement of Token Scope":
The GitLab web interface was vulnerable to an authorization issue that allowed access to the web-UI as a user using their Personal Access Token (PAT) of any scope.
The issue is now mitigated in the latest release and is assigned CVE-2018-19569.
But...:
Updated: 2018-11-28: We have received reports that this change has impacted how repo files and job artifacts are downloaded for some users.
For instructions on how to do so through the API, please see our support issue.
And you also have a current workaround which repeats the API access:
It is possible to add the project avatar to the project repository with a particular filename (logo) and then this file will be used for the avatar. There is an example here:
https://gitlab.com/issue-reproduce/project-avatar-repo
You'll be able to retrieve the files through the Repository Files API:
https://docs.gitlab.com/ee/api/repository_files.html#get-file-from-repository
Example:
https://gitlab.com/api/v4/projects/issue-reproduce%2Fproject-avatar-repo/repository/files/logo.png?ref=master
于 2018-06-16T04:42:36.863 回答