Using ssh to push the new tags.

[Teles1]

I'm a free user of gitlab.com therefore I don't have access to project/namespace tokens and since I intend on protecting my master branch from being pushed directly I have to resort into deployment tokens.
Steps:

1. I created a ssh key
2. encoded with base64
3. create a file variable with the new encoded base64 string
4. adjusted my pipeline to first decode the base64 string from the file and write the private key to ~/.ssh/id_rsa
5. from the key above generated the pub key
6. changed the remote origin from https:// to git@gitlab.com
7. ran git ls-remote to ensure that the key worked.
8. in my local environment I used the same key above to push to my protected branch and it works like a charm. As well as to create tags

I have a token set for different pipelines and it still throws the error bellow. My assumption is that the code is checking the origin url and looking for that token? In this case, since I'm using ssh it shouldn't require a token should it for the release creation it would make sense to require that but not for creating the tag itself

If my approach is completely wrong how do I approach this problem without having to keep my master branch open

$ npx semantic-release
[1:29:35 PM] [semantic-release] › ℹ  Running semantic-release version 23.1.1
[1:29:36 PM] [semantic-release] › ✔  Loaded plugin "verifyConditions" from "@semantic-release/changelog"
[1:29:36 PM] [semantic-release] › ✔  Loaded plugin "verifyConditions" from "@semantic-release/gitlab"
[1:29:36 PM] [semantic-release] › ✔  Loaded plugin "analyzeCommits" from "@semantic-release/commit-analyzer"
[1:29:36 PM] [semantic-release] › ✔  Loaded plugin "generateNotes" from "@semantic-release/release-notes-generator"
[1:29:36 PM] [semantic-release] › ✔  Loaded plugin "prepare" from "@semantic-release/changelog"
[1:29:36 PM] [semantic-release] › ✔  Loaded plugin "publish" from "@semantic-release/gitlab"
[1:29:36 PM] [semantic-release] › ✔  Loaded plugin "success" from "@semantic-release/gitlab"
[1:29:36 PM] [semantic-release] › ✔  Loaded plugin "success" from "./custom-discord-notifier.js"
[1:29:36 PM] [semantic-release] › ✔  Loaded plugin "fail" from "@semantic-release/gitlab"
[1:29:46 PM] [semantic-release] › ✔  Run automated release from branch next on repository git@gitlab.com:redactedDev/redacted-client-26.git
[1:29:47 PM] [semantic-release] › ✔  Allowed to push to the Git repository
[1:29:47 PM] [semantic-release] › ℹ  Start step "verifyConditions" of plugin "@semantic-release/changelog"
[1:29:47 PM] [semantic-release] › ✔  Completed step "verifyConditions" of plugin "@semantic-release/changelog"
[1:29:47 PM] [semantic-release] › ℹ  Start step "verifyConditions" of plugin "@semantic-release/gitlab"
[1:29:47 PM] [semantic-release] › ✘  Failed step "verifyConditions" of plugin "@semantic-release/gitlab"
[1:29:47 PM] [semantic-release] › ℹ  Start step "fail" of plugin "@semantic-release/gitlab"
[1:29:47 PM] [semantic-release] › ✘  Failed step "fail" of plugin "@semantic-release/gitlab"
[1:29:47 PM] [semantic-release] › ✘  ENOGLTOKEN No GitLab token specified.
A GitLab personal access token (https://github.com/semantic-release/gitlab/blob/master/README.md#gitlab-authentication) must be created and set in the GL_TOKEN or GITLAB_TOKEN environment variable on your CI environment.
Please make sure to create a GitLab personal access token (https://docs.gitlab.com/ce/user/profile/personal_access_tokens.html) and to set it in the GL_TOKEN or GITLAB_TOKEN environment variable on your CI environment. The token must allow to push to the repository git@gitlab.com (mailto:git@gitlab.com):redacted/redacted.git.
[1:29:47 PM] [semantic-release] › ✘  ENOGLTOKEN No GitLab token specified.
A GitLab personal access token (https://github.com/semantic-release/gitlab/blob/master/README.md#gitlab-authentication) must be created and set in the GL_TOKEN or GITLAB_TOKEN environment variable on your CI environment.
Please make sure to create a GitLab personal access token (https://docs.gitlab.com/ce/user/profile/personal_access_tokens.html) and to set it in the GL_TOKEN or GITLAB_TOKEN environment variable on your CI environment. The token must allow to push to the repository git@gitlab.com (mailto:git@gitlab.com):redactedDev/redacted-client-26.git.
AggregateError: 
    SemanticReleaseError: No GitLab token specified.
        at default (file:///builds/redactedDev/redacted-client-26/node_modules/@semantic-release/gitlab/lib/get-error.js:6:10)
        at default (file:///builds/redactedDev/redacted-client-26/node_modules/@semantic-release/gitlab/lib/verify.js:54:17)
        at verifyConditions (file:///builds/redactedDev/redacted-client-26/node_modules/@semantic-release/gitlab/index.js:11:9)
        at validator (file:///builds/redactedDev/redacted-client-26/node_modules/semantic-release/lib/plugins/normalize.js:36:30)
        at file:///builds/redactedDev/redacted-client-26/node_modules/semantic-release/lib/plugins/pipeline.js:38:42
        at next (file:///builds/redactedDev/redacted-client-26/node_modules/semantic-release/node_modules/p-reduce/index.js:16:10)
    at file:///builds/redactedDev/redacted-client-26/node_modules/semantic-release/lib/plugins/pipeline.js:55:13
    at async pluginsConfigAccumulator.<computed> [as verifyConditions] (file:///builds/redactedDev/redacted-client-26/node_modules/semantic-release/lib/plugins/index.js:87:11)
    at async run (file:///builds/redactedDev/redacted-client-26/node_modules/semantic-release/index.js:106:3)
    at async Module.default (file:///builds/redactedDev/redacted-client-26/node_modules/semantic-release/index.js:278:22)
    at async default (file:///builds/redactedDev/redacted-client-26/node_modules/semantic-release/cli.js:55:5) {
  errors: [
    SemanticReleaseError: No GitLab token specified.
        at default (file:///builds/redactedDev/redacted-client-26/node_modules/@semantic-release/gitlab/lib/get-error.js:6:10)
        at default (file:///builds/redactedDev/redacted-client-26/node_modules/@semantic-release/gitlab/lib/verify.js:54:17)
        at verifyConditions (file:///builds/redactedDev/redacted-client-26/node_modules/@semantic-release/gitlab/index.js:11:9)
        at validator (file:///builds/redactedDev/redacted-client-26/node_modules/semantic-release/lib/plugins/normalize.js:36:30)
        at file:///builds/redactedDev/redacted-client-26/node_modules/semantic-release/lib/plugins/pipeline.js:38:42
        at next (file:///builds/redactedDev/redacted-client-26/node_modules/semantic-release/node_modules/p-reduce/index.js:16:10) {
      code: 'ENOGLTOKEN',
      details: 'A [GitLab personal access token](https://github.com/semantic-release/gitlab/blob/master/README.md#gitlab-authentication) must be created and set in the `GL_TOKEN` or `GITLAB_TOKEN` environment variable on your CI environment.\n' +
        '\n' +
        'Please make sure to create a [GitLab personal access token](https://docs.gitlab.com/ce/user/profile/personal_access_tokens.html) and to set it in the `GL_TOKEN` or `GITLAB_TOKEN` environment variable on your CI environment. The token must allow to push to the repository git@gitlab.com:redactedDev/redacted-client-26.git.',
      semanticRelease: true,
      pluginName: '@semantic-release/gitlab'
    }
  ]
}
Cleaning up project directory and file based variables 00:00
ERROR: Job failed: exit code 1

variables:
  project_name: "${CI_PROJECT_TITLE}"
  SEMANTIC_RELEASE_PACKAGE: "${project_name}"
  GIT_SUBMODULE_STRATEGY: normal
  GIT_DEPTH: 0 # Disable shallow cloning for full history
  GIT_SUBMODULE_DEPTH: 0

stages:
  - semantic_release

semantic_release:
  stage: semantic_release
  image: node:lts
  variables:
    # Define GIT_SSH_COMMAND to use the specified SSH key and settings
    GIT_SSH_COMMAND: "ssh -v -i ~/.ssh/id_rsa -o StrictHostKeyChecking=accept-new"
  before_script:
    # 1. Create the .ssh directory
    - mkdir -p ~/.ssh
    # 2. Decode the Base64-encoded SSH key and save it to ~/.ssh/id_rsa
    - cat "$DEPLOY_SSH_KEY64" | base64 -d > ~/.ssh/id_rsa
    # 3. Generate .pub from our new private key
    - ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
    # 4. Set the correct permissions for the SSH key
    - chmod 600 ~/.ssh/id_rsa
    # 5. Add GitLab to known_hosts to prevent host verification prompts
    - ssh-keyscan gitlab.com >> ~/.ssh/known_hosts
    # 6. Update the Git remote URL to use SSH instead of HTTPS
    - git remote set-url origin "git@gitlab.com:${CI_PROJECT_NAMESPACE}/${CI_PROJECT_NAME}.git"
    # 7. (Optional) Verify that the remote URL has been updated
    - git remote -v
  script:
    - export GIT_SSH_COMMAND="ssh -v -i ~/.ssh/id_rsa -o StrictHostKeyChecking=accept-new"
    - npm install semantic-release @semantic-release/changelog @semantic-release/commit-analyzer @semantic-release/gitlab @semantic-release/npm @semantic-release/release-notes-generator conventional-changelog-conventionalcommits axios
    - npx semantic-release
  #dependencies:
  #  - build
  #  - hash_job
  #  - collect_and_symstore_job

[Teles1]

I found a similar issue #377 and the response is unfortunately sad.

Is there any other way that I could do this with an ssh token? Is the gitlab plugin using their api to also create the tags?

[fgreinacher]

This error is only raised when no GitLab token is configured, see https://github.com/semantic-release/gitlab/blob/master/lib/verify.js#L54 and https://github.com/semantic-release/gitlab/blob/master/lib/resolve-config.js#L49

[fgreinacher]

We need API access for multiple features, e.g. creating issue comments, finding related MRs, uploading assets, or creating issues for failed publish operations.

Therefore it does not really make sense to use this plugin without a proper token.

At some point we will hopefully be able to support job tokens, see #156.

[Teles1]

Gotcha. Thanks for getting back to me this quickly btw.
In this case then I'm assuming that my best bet is going full custom then? Is there a way to create tags only using the ssh hack?
I don't realllyyy need the release trigger, I can live without it. What would really suck is not having access to the tags + versioning

[fgreinacher]

The tag is created by semantic-release core, see https://github.com/semantic-release/semantic-release/blob/master/index.js#L208. So it should work if you don't use the gitlab plugin.

[ievgennaida]

@Teles1 I bet you can skip a specific plugin by having two different semantic configurations

[siddjellali]

It would be very useful to have SSH support in the GitLab plugin.
The Git plugin doesn't work with the GL_TOKEN when using SSH, which is why it's important to have the option to use SSH with the GitLab plugin.

semantic-release/git#530 (comment)

[fgreinacher]

It would be very useful to have SSH support in the GitLab plugin. The Git plugin doesn't work with the GL_TOKEN when using SSH, which is why it's important to have the option to use SSH with the GitLab plugin.

semantic-release/git#530 (comment)

As mentioned above at #784 (comment) the GitLab plugin works at the GitLab REST API, which does not accept SSH keys for authentication.

As mentioned above at #784 (comment) the tag creation is done by semantic-release core, so it might work if you do not use the @semantic-release/gitlab plugin. Have you tried that?