
Cannot understand how to download secure files in GitLab


I have uploaded a file named example.conf to the repository's secure files and want to download that file while running the CI / CD pipeline script. I followed the Project-level Secure Files section in the GitLab documentation, but I still do not understand what the correct path to the file should be.

I tried this:

curl --header "JOB-TOKEN: $CI_JOB_TOKEN" https://gitlab.com/${CI_PROJECT_NAMESPACE}/${CI_PROJECT_NAME}/download-secure-files/-/example.conf

Which is incorrect, as I get the response:

<html><body>You are being <a href="https://gitlab.com/users/sign_in">redirected</a>.</body></html>

I cannot access that file even if I try to do so through the browser, while the URL provided in the documentation works. I'm unsure what the URL should look like, as using https://gitlab.com/<GROUP_NAME>/<PROJECT_NAME>/download-secure-files/-/<FILE_NAME> doesn't work.

So, how do I access the GitLab secure files from the URL?


Solution

  • Well, I didn't figure out how to do it using the download-secure-files tool, but GitLab provides an API for working with secure files, so I used that instead. My approach is to download the data about the secure files stored in the repository, extract the filename and ID pairs, and then download each file.

    1. Download data about secure files stored in this project:

        curl --request GET -H "JOB-TOKEN: $CI_JOB_TOKEN" "https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/secure_files" > secure_files.json

    2. Extract file id and name.

        # -r prints raw strings, so the quotes no longer need stripping with tr
        jq -r '.[] | "\(.id),\(.name)"' secure_files.json > files.txt

    3. Download file contents.

        # Each line of files.txt is "<id>,<name>"; $1 is the id, $2 the file name
        while IFS=, read -r -a line;
        do set -- "${line[@]}";
            curl --request GET --header "JOB-TOKEN: $CI_JOB_TOKEN" "https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/secure_files/$1/download" > "$2";
        done < files.txt
    

    This solution only works in the bash shell due to the usage of, for example, the -a flag in the read command. I am not familiar enough with shell scripting to make this any more compatible or efficient.
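A POSIX sh variant of the API approach in the answer above, which fails the job on an HTTP error instead of saving the error body as the file, writes the files owner-only, and refuses file names that would land outside the target directory. It is an added example, not part of the original answer: it assumes curl and jq are installed on the runner, and the function names, the `--download` argument and the `secure_files` default directory are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original answer): fetch all project secure files.
# Assumes curl and jq on the runner. CI_API_V4_URL is GitLab's predefined API
# root; the fallback is the gitlab.com URL used in the answer.

API_BASE="${CI_API_V4_URL:-https://gitlab.com/api/v4}"
TAB=$(printf '\t')

# api_get PATH [OUTFILE]: authenticated GET. --fail turns a 401/404 into a
# non-zero exit instead of saving the JSON error body as the file's contents.
api_get() {
    curl --silent --show-error --fail \
         --header "JOB-TOKEN: ${CI_JOB_TOKEN:?not inside a CI job}" \
         --output "${2:--}" \
         "${API_BASE}/projects/${CI_PROJECT_ID:?}/$1"
}

# list_files JSON: print "id<TAB>name" for each entry of the API response.
list_files() { jq -rn --argjson files "$1" '$files[] | [.id, .name] | @tsv'; }

# safe_name NAME: accept only a plain file name. @tsv escapes tabs/newlines
# with a backslash, so rejecting "\" also rejects names containing those.
safe_name() {
    case "$1" in
        ''|.|..|*/*|*\\*) return 1 ;;
    esac
}

# download_all [DIR]: subshell body, so umask and variables do not leak.
download_all() (
    dest=${1:-secure_files}
    umask 077                                  # owner-only directory and files
    mkdir -p "$dest" || exit 1
    json=$(api_get secure_files) || exit 1
    list=$(list_files "$json") || exit 1
    [ -n "$list" ] || exit 0                   # project has no secure files
    printf '%s\n' "$list" | while IFS="$TAB" read -r id name; do
        safe_name "$name" || { echo "skipping unsafe name: $name" >&2; continue; }
        api_get "secure_files/$id/download" "$dest/$name" || exit 1
    done
)

# Runs only when asked, e.g. `sh fetch-secure-files.sh --download certs`.
if [ "${1:-}" = "--download" ]; then download_all "${2:-secure_files}"; fi
```
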