1.2. Option 2: Use the CLI to add secrets and variables to GitLab CI


Procedure

  1. In your preferred text editor, such as Visual Studio Code, create a project with two files:

    • env_vars.sh
    • glab-set-vars
  2. Update the env_vars.sh file with the following environment variables:

    # env_vars.sh
    # GitLab credentials
    export MY_GITLAB_TOKEN="your_gitlab_token_here"
    export MY_GITLAB_USER="your_gitlab_username_here"
    
    export GITOPS_AUTH_PASSWORD="your_OpenShift_GitOps_password_here"
    export GITOPS_AUTH_USERNAME="your_OpenShift_GitOps_username_here"
    
    # Add credentials for the image repository that you use
    # Quay.io credentials
    export QUAY_IO_CREDS_USR="your_quay_username_here"
    export QUAY_IO_CREDS_PSW="your_quay_password_here"
    
    # or JFrog Artifactory credentials
    export ARTIFACTORY_IO_CREDS_USR="your_artifactory_username_here"
    export ARTIFACTORY_IO_CREDS_PSW="your_artifactory_password_here"
    
    # or Sonatype Nexus credentials
    export NEXUS_IO_CREDS_USR="your_nexus_username_here"
    export NEXUS_IO_CREDS_PSW="your_nexus_password_here"
    
    # Variables required for ACS tasks
    # ROX variables
    export ROX_CENTRAL_ENDPOINT="your_rox_central_endpoint_here"
    export ROX_API_TOKEN="your_rox_api_token_here"
    
    # Variables required for SBOM tasks
    # Cosign secrets
    export COSIGN_SECRET_PASSWORD="your_cosign_secret_password_here"
    export COSIGN_SECRET_KEY="your_cosign_secret_key_here"
    export COSIGN_PUBLIC_KEY="your_cosign_public_key_here"
    
    # Trustification credentials
    export TRUSTIFICATION_BOMBASTIC_API_URL="your_BOMBASTIC_API_URL_here"
    export TRUSTIFICATION_OIDC_ISSUER_URL="your_OIDC_ISSUER_URL_here"
    export TRUSTIFICATION_OIDC_CLIENT_ID="your_OIDC_CLIENT_ID_here"
    export TRUSTIFICATION_OIDC_CLIENT_SECRET="your_OIDC_CLIENT_SECRET_here"
    export TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION="your_SUPPORTED_CYCLONEDX_VERSION_here"
    
    # Set these variables if your CI provider runners do not run
    # on the same cluster as the {ProductShortName} instance.
    # Rekor and TUF routes
    export REKOR_HOST="your rekor server url here"
    export TUF_MIRROR="your tuf service url here"
  3. Update the glab-set-vars file with the following content:

    #!/bin/bash
    SCRIPTDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"
    
    if [ $# -ne 1 ]; then
        echo "Missing param, provide gitlab repo name"
        echo "Note: This script uses MY_GITLAB_TOKEN and MY_GITLAB_USER env vars"
        exit 1
    fi
    
    REPO=$1
    HEADER="PRIVATE-TOKEN: $MY_GITLAB_TOKEN"
    URL=https://gitlab.com/api/v4/projects
    
    # Lookup the project id so we can use it below. "%2F" is the URL-encoded "/"
    # of the namespace/project path; a trailing ".git" is stripped from the name.
    PID=$(curl -s -L --header "$HEADER" "$URL/$MY_GITLAB_USER%2F${REPO%.git}" | jq ".id")
    if [ -z "$PID" ] || [ "$PID" = "null" ]; then
        echo "Could not look up the project id of $MY_GITLAB_USER/$REPO (check the token and repo name)"
        exit 1
    fi
    
    function setVars() {
        local NAME=$1
        local VALUE=$2
        local MASKED=${3:-true}   # masked by default: the value is hidden in the UI and job logs
        echo "setting $NAME in https://gitlab.com/$MY_GITLAB_USER/$REPO"
    
        # Delete first because if the secret already exists then its value
        # won't be changed by the POST below
        curl -s --request DELETE --header "$HEADER" "$URL/$PID/variables/$NAME"
    
        # Set the new key/value. GitLab rejects a masked value that does not meet
        # its masking rules (for example shorter than 8 characters or multi-line),
        # so check the JSON printed by jq for an error message.
        curl -s --request POST --header "$HEADER" "$URL/$PID/variables" \
            --form "key=$NAME" --form "value=$VALUE" --form "masked=$MASKED" | jq
    }
    
    setVars ROX_CENTRAL_ENDPOINT "$ROX_CENTRAL_ENDPOINT" false
    setVars ROX_API_TOKEN "$ROX_API_TOKEN"
    
    setVars GITOPS_AUTH_PASSWORD "$MY_GITLAB_TOKEN"
    setVars GITOPS_AUTH_USERNAME "$MY_GITLAB_USER" false
    
    # Depending on which image repository you use, set:
    setVars QUAY_IO_CREDS_USR "$QUAY_IO_CREDS_USR" false
    setVars QUAY_IO_CREDS_PSW "$QUAY_IO_CREDS_PSW"
    # or
    setVars ARTIFACTORY_IO_CREDS_USR "$ARTIFACTORY_IO_CREDS_USR" false
    setVars ARTIFACTORY_IO_CREDS_PSW "$ARTIFACTORY_IO_CREDS_PSW"
    # or
    setVars NEXUS_IO_CREDS_USR "$NEXUS_IO_CREDS_USR" false
    setVars NEXUS_IO_CREDS_PSW "$NEXUS_IO_CREDS_PSW"
    
    setVars COSIGN_SECRET_PASSWORD "$COSIGN_SECRET_PASSWORD"
    setVars COSIGN_SECRET_KEY "$COSIGN_SECRET_KEY"
    setVars COSIGN_PUBLIC_KEY "$COSIGN_PUBLIC_KEY" false
    
    setVars TRUSTIFICATION_BOMBASTIC_API_URL "$TRUSTIFICATION_BOMBASTIC_API_URL" false
    setVars TRUSTIFICATION_OIDC_ISSUER_URL "$TRUSTIFICATION_OIDC_ISSUER_URL" false
    setVars TRUSTIFICATION_OIDC_CLIENT_ID "$TRUSTIFICATION_OIDC_CLIENT_ID" false
    setVars TRUSTIFICATION_OIDC_CLIENT_SECRET "$TRUSTIFICATION_OIDC_CLIENT_SECRET"
    setVars TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION "$TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION" false
    
    # If you need to use the Rekor and TUF variables and you've added them
    # to env_vars.sh, set them here too:
    
    setVars REKOR_HOST "$REKOR_HOST" false
    setVars TUF_MIRROR "$TUF_MIRROR" false
    
    # List the variables that are now set, using the companion glab-get-vars
    # script (not shown in this procedure)
    bash "$SCRIPTDIR/glab-get-vars" "$1"
    Note

    By default, the setVars function creates the variable as a secret: its value is masked in the UI and in job logs. To create an unmasked variable, add false at the end of the line that sets it. For example:

    setVars COSIGN_PUBLIC_KEY $COSIGN_PUBLIC_KEY false
  4. Load the environment variables into your current shell session:

    source env_vars.sh
  5. Make the glab-set-vars script executable and run it with your repository name to set the variables in your GitLab repository:

    chmod +x glab-set-vars
    
    ./glab-set-vars your_repository_name
  6. Re-run the last pipeline run to verify that the secrets were applied correctly.

    • Alternatively, switch to the application's source repository in GitLab, make a minor change, and commit it to trigger a new pipeline run.
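A pre-flight check to run between step 4 (source env_vars.sh) and step 5 (./glab-set-vars), added here as an example and not part of this documentation or its scripts: because setVars deletes the existing variable before it POSTs the new value, a value that GitLab rejects (for masked variables, anything shorter than 8 characters or spanning more than one line) leaves the pipeline without that secret, so untouched placeholders and unmaskable values are worth catching first. The file name check-env-vars and the functions check_var and check_all are hypothetical; the variable names and masked/unmasked choices mirror the setVars calls above.

```shell
#!/bin/bash
# check-env-vars (hypothetical name): pre-flight check for the values glab-set-vars
# pushes. glab-set-vars DELETEs a variable before it POSTs the new value, so a value
# GitLab rejects leaves the pipeline without that secret. Checked locally: set, not
# an untouched "your_..._here" placeholder and, for masked variables, the two GitLab
# masking rules that need no API call (at least 8 characters, single line).

# check_var NAME VALUE [MASKED]; MASKED defaults to true, as in setVars.
# Prints a verdict and returns 0 when the value is safe to push.
check_var() {
    local name="$1" value="$2" masked="${3:-true}" nl
    nl=$(printf '\nx'); nl=${nl%x}          # a literal newline for the case match
    if [ -z "$value" ]; then
        echo "FAIL $name: empty (was env_vars.sh sourced?)"; return 1
    fi
    case $value in
        your_*_here|"your "*" here")
            echo "FAIL $name: still the placeholder from env_vars.sh"; return 1 ;;
    esac
    if [ "$masked" = true ]; then
        if [ "${#value}" -lt 8 ]; then
            echo "FAIL $name: masked value must be at least 8 characters"; return 1
        fi
        case $value in
            *"$nl"*) echo "FAIL $name: masked value must be a single line"; return 1 ;;
        esac
    fi
    echo "ok   $name"
}

# Same names and masked/unmasked choices as the setVars calls in glab-set-vars.
check_all() {
    local rc=0
    check_var ROX_CENTRAL_ENDPOINT   "${ROX_CENTRAL_ENDPOINT:-}" false || rc=1
    check_var ROX_API_TOKEN          "${ROX_API_TOKEN:-}"              || rc=1
    check_var GITOPS_AUTH_PASSWORD   "${MY_GITLAB_TOKEN:-}"            || rc=1
    check_var GITOPS_AUTH_USERNAME   "${MY_GITLAB_USER:-}" false       || rc=1
    check_var QUAY_IO_CREDS_USR      "${QUAY_IO_CREDS_USR:-}" false    || rc=1
    check_var QUAY_IO_CREDS_PSW      "${QUAY_IO_CREDS_PSW:-}"          || rc=1
    check_var COSIGN_SECRET_PASSWORD "${COSIGN_SECRET_PASSWORD:-}"     || rc=1
    check_var COSIGN_SECRET_KEY      "${COSIGN_SECRET_KEY:-}"          || rc=1
    check_var COSIGN_PUBLIC_KEY      "${COSIGN_PUBLIC_KEY:-}" false    || rc=1
    return "$rc"
}

# Run the full check only after env_vars.sh has been sourced.
if [ -n "${MY_GITLAB_TOKEN:-}" ]; then
    check_all || exit 1
else
    echo "run 'source env_vars.sh' first, then ./check-env-vars"
fi
```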

Updated 2025-05-01