Work with a Merge Request in GitLab CI/CD Pipeline

I started out writing a naive bot in GitLab CI/CD pipeline that would provide informational feedback about a merge request (MR) in the MR. Since this was my first attempt writing such a thing, I kept the scope limited and simple yet effective.

The basic scope of the bot was,

• Run the bot in the context of an MR (see Rules below)
• Work only with one MR, the one running the pipeline
• Use GitLab REST APIs to read from the MR and write to it
• Use bash, curl, git, and jq. I could have used Python or Go but this was a naive bot so I couldn't make it simpler than this.

In this post I will not provide the code. Instead, I will provide enough information for anyone to get started writing their own bot.

Predefined Variables

GitLab pipelines provide a lot of predefined variables. I highly enocurage you to review the list and make use of them. I found through experience that a lot of the features I expected to be available in the REST APIs, or would have to write git commands for, were available as data in the form of predefined variables.

The variables I used were,

• CI_API_V4_URL
• CI_MERGE_REQUEST_DIFF_BASE_SHA
• CI_MERGE_REQUEST_IID
• CI_PROJECT_ID

For example, the base URL I created to work with MRs looked like,

"${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/merge_requests/${CI_MERGE_REQUEST_IID}"

API Endpoints

Since this post is about working with MRs, I only used the Merge requests API endpoints. They were,

• /merge_requests/${CI_MERGE_REQUEST_IID}
• /merge_requests/${CI_MERGE_REQUEST_IID}/diffs
• /merge_requests/${CI_MERGE_REQUEST_IID}/discussions
• /merge_requests/${CI_MERGE_REQUEST_IID}/notes

diffs

I wanted to use the /diffs endpoint as it gives structured data about the diff in the MR. One thing I was looking for was the names of files that were changed in the MR and this endpoint gave me exactly what I needed.

$ curl -X GET "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/merge_requests/${CI_MERGE_REQUEST_IID}/diffs" | jq '.[] | select(.new_path=="SOME-FILE-NAME") | .diff' | wc -w

One version of the bot I wrote used git to give me the list of files that had changed. The easiest way to do that in the pipeline was to use the predefined variable CI_MERGE_REQUEST_DIFF_BASE_SHA,

$ git diff --name-only "${CI_MERGE_REQUEST_DIFF_BASE_SHA}"

discussions and notes

These are related but different. To start a new thread in the MR, use /discussions. To delete it, use /notes. To list all comments (including threads), use /notes.

$ curl -X POST --header 'Content-Type: application/json' --data '{"body": "YOUR TEXT FOR THREAD/COMMENT"}' "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/merge_requests/${CI_MERGE_REQUEST_IID}/discussions"

$ curl -X GET "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/merge_requests/${CI_MERGE_REQUEST_IID}/notes" | jq '.[] | select(.type=="DiscussionNote" and .body=="YOUR TEXT FOR THREAD/COMMENT" and .resolved==false) | .id'

$ curl -X DELETE "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/merge_requests/${CI_MERGE_REQUEST_IID}/notes/:id"

labels

I also added and removed labels. Use Update MR for that use case.

$ curl -X PUT --header 'Content-Type: application/x-www-form-urlencode' --data 'add_labels=YOUR-LABEL' "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/merge_requests/${CI_MERGE_REQUEST_IID}"

Authentication

This was the most interesting part. When a pipeline is running it gets a predefined variable called CI_JOB_TOKEN. This token can be used to authenticate to GitLab REST APIs. However, it has a drawback because GitLab doesn't allow access to all REST API endpoints with this authentication method. Sadly, it doesn't support merge request API endpoints.

There are three other options available,

• Personal access token
• Project access token
• Group access token

As the names suggest, these access tokens have differing scopes but provide the same ability: authenticate to GitLab and use REST APIs. They all support merge request API endpoints.

Since I was writing a shared pipeline, I didn't want to use my personal access token. I didn't have enough permissions in the GitLab group to create group access token. That left me with project access token because I was a maintainer on the project and had access to create it.

I created the token and injected it into the pipeline using a CI/CD variable. The variable was called GITLAB_TOKEN, following the convention used by glab (Authenticate with GitLab).

To authenticate I used a header with curl everytime,

$ curl --header "PRIVATE-TOKEN: ${GITLAB_TOKEN}" # ... rest of the command

Rules

I wanted to run the stage only in MRs. The rules section in .gitlab-ci.yml had the following rule,

rules:
  - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'