
Gitlab CI job should change source code. poetry-dynamic-versioning


I would like to run a job which launches poetry-dynamic-versioning and adds the new version to pyproject.toml and __init__.py.

Is it possible to change source code with CI job?


Solution

  • Yes. This is possible.

    You have a couple of options.

    Deploy Token

    Does not work.

    Deploy tokens can only be used to pull and clone. Only listed here for the sake of completeness.

    CI_JOB_TOKEN

    Does not work, yet.

    CI_JOB_TOKENs are great. But as of today you can't use them to push stuff to a repo. There is an experimental feature you can switch on in self-hosted instances with a feature flag. See the GitLab docs.

    The nice thing about CI_JOB_TOKEN is that you can use it out of the box, but only from a CI/CD job.

    Access Token

    Works on self-hosted and paid tiers

    You can use access tokens. But they are only available on self-hosted and paid GitLab tiers. Also access tokens do expire and have to be renewed.

    To use an access token you create the token and give the right permissions. Then store the token in a CI/CD variable. From there you can use it in your CI/CD-Pipelines to push stuff back to the repo.

    This is my preferred option on self hosted instances. Only downside is you have to renew the token from time to time.

    Personal Access Token

    Does work, but...

    A personal access token is like a project access token but the owner of the token will act with the permissions of your user.

    Personal access tokens are available on the free gitlab tier. However to use a personal access token in a CI/CD job you have to make it available over a CI/CD variable. You have to take extra care to prevent the value from getting leaked.

    Deploy Key

    Does work on all tiers.

    Deploy keys are a long-supported option to write from CI jobs to the repo.

    1. Generate an SSH key pair for your CI processes.

      ssh-keygen -t ed25519 -C "Key for Gitlab CI" -f gitlab-ci_ed25519

      Do not add a passphrase to the SSH key!

      This gives you two files gitlab-ci_ed25519.pub and gitlab-ci_ed25519

    2. Create a deploy key with write access for your repo (also possible on group level). Use the public key from step 1 for it: gitlab-ci_ed25519.pub. Add a newline at the end!

      The Deploy Key section can be found under -/settings/repository

    3. Protected Branches. For your use case it may be necessary to allow the deploy key to push to protected branches.

      Protected branches can be found under -/settings/repository

    4. Create a variable SSH_PRIVATE_KEY with the private key from step 1: gitlab-ci_ed25519.

      The variable section can be found under -/settings/ci_cd

      Use variable type 'file'!

      Add newline at the end of the private key!

      Note: You can add some security to the SSH_PRIVATE_KEY variable by setting it as "protected". If selected, the variable is only available in pipelines that run on protected branches or tags. More info on security can be found here.

    5. Follow this guide and create a .gitlab-ci.yml that uses the deploy key to access the repo.

    6. Job Control (Optional). Since a push from GitLab CI can trigger the pipeline again you may want to add a rules directive to control when to start the job and to prevent an endless loop.
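As an added example that is not part of the original answer, here is a .gitlab-ci.yml job that ties steps 4 to 6 together: it loads the deploy key from the file-type variable SSH_PRIVATE_KEY, runs poetry-dynamic-versioning, commits the changed files and pushes them back over SSH. Everything beyond what the answer states is an assumption: the job and stage names, the python:3.12 image, an extra file-type variable SSH_KNOWN_HOSTS holding the GitLab server's SSH host key (so the job pins the host key instead of trusting whatever ssh-keyscan returns at run time), and that poetry-dynamic-versioning writes the version into pyproject.toml and __init__.py as the question describes.

```yaml
# Added example, not from the original answer. Assumes:
#  - SSH_PRIVATE_KEY: file-type CI/CD variable with the deploy key (step 4)
#  - SSH_KNOWN_HOSTS: file-type CI/CD variable with the GitLab host key line
#    (hypothetical extra variable, e.g. the output of `ssh-keyscan <CI_SERVER_HOST>`
#    captured once and reviewed, so the host key is pinned rather than fetched per job)
#  - poetry-dynamic-versioning rewrites pyproject.toml / __init__.py in place
bump-version:
  stage: release                       # assumed stage name
  image: python:3.12                   # assumed image
  rules:
    # Loop guard first: a commit created by this job carries "[skip ci]",
    # so a pipeline started by it never reaches the job below.
    - if: $CI_COMMIT_MESSAGE =~ /\[skip ci\]/
      when: never
    # Otherwise run only for plain pushes to the default branch.
    - if: $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  before_script:
    - apt-get update -qq && apt-get install -y -qq openssh-client git
    - eval "$(ssh-agent -s)"
    # A file-type variable expands to a path; ssh-add refuses keys that are group/world readable.
    - chmod 600 "$SSH_PRIVATE_KEY"
    - ssh-add "$SSH_PRIVATE_KEY"
    - mkdir -p ~/.ssh && chmod 700 ~/.ssh
    # Pinned host key: the job fails closed if the server presents a different one.
    - cp "$SSH_KNOWN_HOSTS" ~/.ssh/known_hosts && chmod 644 ~/.ssh/known_hosts
    - git config user.name "gitlab-ci"
    - git config user.email "gitlab-ci@${CI_SERVER_HOST}"
    # The runner cloned over HTTPS with the job token, which cannot push;
    # point the remote at the SSH URL so the deploy key is used instead.
    - git remote set-url origin "git@${CI_SERVER_HOST}:${CI_PROJECT_PATH}.git"
  script:
    - pip install --quiet poetry poetry-dynamic-versioning
    - poetry-dynamic-versioning        # assumed to update pyproject.toml and __init__.py
    # Stage only already-tracked files that changed; never pick up stray build output.
    - git add -u
    - if git diff --cached --quiet; then echo "version unchanged, nothing to push"; exit 0; fi
    - git commit -m "chore: set package version [skip ci]"
    # "-o ci.skip" asks GitLab not to create a pipeline for this push at all;
    # the "[skip ci]" marker above is the second, independent guard.
    - git push -o ci.skip origin "HEAD:${CI_COMMIT_BRANCH}"
```

Two points worth keeping in mind when adapting this: because the deploy key has no passphrase (step 1), the SSH_PRIVATE_KEY variable is the only thing standing between a job log or a malicious merge request and write access to the repository, so mark it protected as the note in step 4 suggests and keep the job restricted to protected branches; and the push only succeeds on a protected default branch if the deploy key was allowed to push there in step 3.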