@mablanco

Changes

This PR enhances the existing gitlab-set-status Tekton task by fixing the GitLab API endpoint for setting the pipeline status and by adding support for configuring SSL certificate verification through a new parameter, SSL_VERIFY, which allows users to optionally disable SSL verification when connecting to GitLab instances with self-signed or custom SSL certificates, improving compatibility with custom installations.

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

  • Follows the authoring recommendations
  • Includes docs (if user facing)
  • Includes tests (for new tasks or changed functionality)
  • Meets the Tekton contributor standards (including functionality, content, code)
  • Commit messages follow commit message best practices
  • Has a kind label. You can add one by adding a comment on this PR that
    contains /kind <type>. Valid types are bug, cleanup, design, documentation,
    feature, flake, misc, question, tep
  • Complies with Catalog Organization TEP, see example. Note: An issue has been filed to automate this validation
    • File path follows <kind>/<name>/<version>/name.yaml
    • Has README.md at <kind>/<name>/<version>/README.md
    • Has mandatory metadata.labels - app.kubernetes.io/version the same as the <version> of the resource
    • Has mandatory metadata.annotations tekton.dev/pipelines.minVersion
    • mandatory spec.description follows the convention

        ```
        spec:
          description: >-
            one line summary of the resource

            Paragraph(s) to describe the resource.
        ```

See the contribution guide for more details.
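
A fail-closed way to handle the `SSL_VERIFY` switch described above, as an added example (not code from this PR or from the Tekton catalog). It rejects unrecognised values instead of treating them as "disable", uses only public `ssl` APIs, and assumes a hypothetical `CA_BUNDLE` path parameter so that a GitLab instance with a self-signed or private-CA certificate can be trusted without turning verification off.

```python
import ssl
from typing import Optional


def parse_ssl_verify(raw: str) -> bool:
    """Accept only "true" or "false" (any case); anything else is an error."""
    value = raw.strip().lower()
    if value == "true":
        return True
    if value == "false":
        return False
    raise ValueError(f"SSL_VERIFY must be 'true' or 'false', got {raw!r}")


def build_tls_context(ssl_verify: str, ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Build the context to pass to http.client.HTTPSConnection(host, context=...).

    ca_bundle is a hypothetical CA_BUNDLE parameter: a path to a PEM file
    holding the certificate (or CA) of the GitLab instance.
    """
    if parse_ssl_verify(ssl_verify):
        # cafile=None loads the system trust store; a path trusts only that bundle.
        # Certificate and hostname checks stay enabled in both cases.
        return ssl.create_default_context(cafile=ca_bundle or None)
    if ca_bundle:
        # Contradictory settings: refuse rather than silently drop verification.
        raise ValueError("CA_BUNDLE is set but SSL_VERIFY is 'false'")
    # Explicit opt-out through the public API (no ssl._create_unverified_context).
    # check_hostname must be cleared before verify_mode can be set to CERT_NONE.
    context = ssl.create_default_context()
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    return context


if __name__ == "__main__":
    # Constructed sample values, as they might arrive from $(params.SSL_VERIFY).
    for sample in ("true", "False", "ture", ""):
        try:
            ctx = build_tls_context(sample)
            print(f"{sample!r}: verify_mode={ctx.verify_mode.name}, "
                  f"check_hostname={ctx.check_hostname}")
        except ValueError as err:
            print(f"{sample!r}: rejected ({err})")
```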

@linux-foundation-easycla

linux-foundation-easycla bot commented Mar 31, 2025

CLA Not Signed

@tekton-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign vinamra28 after the PR has been reviewed.
You can assign the PR to them by writing /assign @vinamra28 in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@mablanco
Author

/kind bug

@tekton-robot

Hi @mablanco. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot tekton-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. kind/bug Categorizes issue or PR as related to a bug. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Mar 31, 2025
@tekton-robot

Diff between version 0.2 and 0.3
diff --git a/task/gitlab-set-status/0.2/README.md b/task/gitlab-set-status/0.3/README.md
index babfa4b..5a74c09 100644
--- a/task/gitlab-set-status/0.2/README.md
+++ b/task/gitlab-set-status/0.3/README.md
@@ -14,7 +14,7 @@ informations about the CI statuses or a direct link to the full log.
 ### Install the Task
 
 ```shell
-kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/gitlab-set-status/0.2/raw
+kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/gitlab-set-status/0.3/raw
 ```
 
 ### Parameters
@@ -35,6 +35,7 @@ kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/gitlab-set-s
 * **CONTEXT** (string, optional): The GitLab context, A string label to differentiate this status
   from the status of other systems. _e.g:_ `continuous-integration/tekton`
 * **COVERAGE** (string, optional): The total code coverage. Should be a float string.  _default:_ `""`
+* **SSL_VERIFY** (string, optional): Whether to verify SSL certificates. Set to `"false"` to disable verification (useful for self-signed certificates). _default:_ `"true**_*
 
 ## Platforms
 
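Review bot: The default on the added SSL_VERIFY line is written as `"true**_*`, which leaves the code span unterminated and the emphasis markers unbalanced; it should read _default:_ `"true"`. The README diff also contains no hunk for the REPO_FULL_NAME to REPO_NAME / REPO_GROUP_PATH change made in the task YAML, so the documented parameter list needs the same update.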
diff --git a/task/gitlab-set-status/0.2/gitlab-set-status.yaml b/task/gitlab-set-status/0.3/gitlab-set-status.yaml
index 772baab..8a340e1 100644
--- a/task/gitlab-set-status/0.2/gitlab-set-status.yaml
+++ b/task/gitlab-set-status/0.3/gitlab-set-status.yaml
@@ -3,7 +3,7 @@ kind: Task
 metadata:
   name: gitlab-set-status
   labels:
-    app.kubernetes.io/version: "0.2"
+    app.kubernetes.io/version: "0.3"
   annotations:
     tekton.dev/pipelines.minVersion: "0.12.1"
     tekton.dev/categories: Git
@@ -35,9 +35,14 @@ spec:
       default: "/api/v4"
       type: string
 
-    - name: REPO_FULL_NAME
+    - name: REPO_NAME
       description: |
-        The GitLab repository full name, e.g.: tektoncd/catalog
+        The GitLab repository name, e.g.: catalog
+      type: string
+
+    - name: REPO_GROUP_PATH
+      description: |
+        The GitLab repository full group path, e.g.: tektoncd/hub
       type: string
 
     - name: GITLAB_TOKEN_SECRET_NAME
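Review bot: Replacing REPO_FULL_NAME with REPO_NAME and REPO_GROUP_PATH, both declared without a default, is a breaking interface change for every Pipeline that passes REPO_FULL_NAME today, and the PR description does not mention it. Either keep REPO_FULL_NAME as the input and derive what the script needs from it, or call out the rename explicitly in the README and the PR text.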
@@ -88,6 +93,12 @@ spec:
       type: string
       default: ""
 
+    - name: SSL_VERIFY
+      description: |
+        Whether to verify SSL certificates. Set to false to disable SSL verification (useful for self-signed certificates).
+      default: "true"
+      type: string
+
   steps:
     - name: set-status
       image: registry.access.redhat.com/ubi8/python-38@sha256:af6f93b81f9313de95966e8cd681edb9dbcb5fdbddc5a4cc365af8e4534096ef
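Review bot: SSL_VERIFY is declared as a free-form string and the script later evaluates it as `"$(params.SSL_VERIFY)".lower() == "true"`, so any value other than "true" (a typo such as "ture", "yes", "1", an empty string) disables certificate verification without any error. The check should fail closed: treat only "false" as the opt-out, and exit with an error on anything that is neither "true" nor "false".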
@@ -99,25 +110,28 @@ spec:
         import sys
         import json
         import http.client
+        import ssl
         import urllib.parse
 
         GITLAB_TOKEN = os.getenv("GITLAB_TOKEN")
         GITLAB_HOST_URL = "$(params.GITLAB_HOST_URL)"
         API_PATH_PREFIX = "$(params.API_PATH_PREFIX)"
-        REPO_FULL_NAME = "$(params.REPO_FULL_NAME)"
+        REPO_NAME = "$(params.REPO_NAME)"
+        REPO_GROUP_PATH = "$(params.REPO_GROUP_PATH)"
         SHA = "$(params.SHA)"
         STATE = "$(params.STATE)"
         CONTEXT = "$(params.CONTEXT)"
         TARGET_URL = "$(params.TARGET_URL)"
         DESCRIPTION = "$(params.DESCRIPTION)"
         COVERAGE = "$(params.COVERAGE)"
+        SSL_VERIFY = "$(params.SSL_VERIFY)".lower() == "true"
 
         headers = {
             "User-Agent": "TektonCD, the peaceful cat",
             "Authorization": f"Bearer {GITLAB_TOKEN}",
         }
 
-        URLENCODED_REPO_NAME = urllib.parse.quote(REPO_FULL_NAME, safe="")
+        URLENCODED_REPO_NAME = urllib.parse.quote(REPO_NAME, safe="")
 
         params = {
             "state": STATE,
@@ -126,24 +140,34 @@ spec:
             "description": DESCRIPTION
         }
 
-        if COVERAGE:
-            params["coverage"] = float(COVERAGE)
-
-        encoded_params = urllib.parse.urlencode(params)
-
-        api_url = f"{API_PATH_PREFIX}/projects/{URLENCODED_REPO_NAME}/statuses/{SHA}?{encoded_params}"
-
-        print(f"POST to {GITLAB_HOST_URL}{api_url}")
+        ssl_context = None if SSL_VERIFY else ssl._create_unverified_context()
 
         if GITLAB_HOST_URL.startswith("http://"):
             conn = http.client.HTTPConnection(GITLAB_HOST_URL[7:])
         elif GITLAB_HOST_URL.startswith("https://"):
-            conn = http.client.HTTPSConnection(GITLAB_HOST_URL[8:])
+            conn = http.client.HTTPSConnection(GITLAB_HOST_URL[8:], context=ssl_context)
         else:
-            conn = http.client.HTTPSConnection(GITLAB_HOST_URL)
-        try:
-            conn.request("POST", api_url, headers=headers)
+            conn = http.client.HTTPSConnection(GITLAB_HOST_URL, context=ssl_context)
 
+        try:
+            project_api_url = f"{API_PATH_PREFIX}/projects?search={URLENCODED_REPO_NAME}"
+            conn.request("GET", project_api_url, headers=headers)
+            resp = conn.getresponse()
+            if not str(resp.status).startswith("2"):
+                print(f"{resp.status} | Unable to get project id")
+                response_data = json.dumps(json.loads(resp.read()), indent=4)
+                print(response_data)
+                sys.exit(1)
+            else:
+                response_data = json.loads(resp.read())
+                target_path = f"{REPO_GROUP_PATH}/{URLENCODED_REPO_NAME}"
+                project_id = next((item["id"] for item in response_data if item["path_with_namespace"] == target_path), None)
+                print(f"Project ID of {REPO_GROUP_PATH}/{URLENCODED_REPO_NAME} is {project_id}")
+
+            encoded_params = urllib.parse.urlencode(params)
+            status_api_url = f"{API_PATH_PREFIX}/projects/{project_id}/statuses/{SHA}?{encoded_params}"
+            print(f"POST to {GITLAB_HOST_URL}{status_api_url}")
+            conn.request("POST", status_api_url, headers=headers)
             resp = conn.getresponse()
             if not str(resp.status).startswith("2"):
                 print(f"{resp.status} | Unable to set status")
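Review bot: The removed lines at the top of this hunk include `if COVERAGE:` / `params["coverage"] = float(COVERAGE)` and nothing re-adds them, so the COVERAGE parameter is still declared and read but never sent to GitLab. Restore that block before `urlencode(params)`. Separately, `ssl._create_unverified_context()` is a private function (the lint output on this PR flags it as W0212); the same effect is available through the public API by creating a default context and setting `check_hostname = False` and `verify_mode = ssl.CERT_NONE`.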
@@ -151,7 +175,7 @@ spec:
                 print(response_data)
                 sys.exit(1)
             else:
-                print(f"Just set status of {REPO_FULL_NAME}#{SHA} to {STATE}")
+                print(f"Just set status of {REPO_GROUP_PATH}/{URLENCODED_REPO_NAME}#{SHA} to {STATE}")
         finally:
             conn.close()
 
diff --git a/task/gitlab-set-status/0.2/tests/fixtures/gitlab-set-status.yaml b/task/gitlab-set-status/0.3/tests/fixtures/gitlab-set-status.yaml
index 6e75a71..e4cedde 100644
--- a/task/gitlab-set-status/0.2/tests/fixtures/gitlab-set-status.yaml
+++ b/task/gitlab-set-status/0.3/tests/fixtures/gitlab-set-status.yaml
@@ -1,11 +1,11 @@
 ---
 headers:
   method: POST
-  path: /api/v4/projects/{repo:.+}/statuses/{[^/]+}
+  path: /api/v4/projects/{project_id:[0-9]+}/statuses/{[^/]+}
 response:
   status: 201
   output: |
     {
       "some": "data"
     }
-  content-type: application/json
\ No newline at end of file
+  content-type: application/json
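Review bot: The fixture still defines a single route, POST on `/api/v4/projects/{project_id:[0-9]+}/statuses/...`, while the script now issues a GET to `/projects?search=...` first and needs a JSON list with `id` and `path_with_namespace` to find the project. Add a GET fixture that returns such a list, otherwise the test never exercises the new lookup and the POST path only matches if a numeric id was resolved.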
diff --git a/task/gitlab-set-status/0.2/tests/pre-apply-task-hook.sh b/task/gitlab-set-status/0.3/tests/pre-apply-task-hook.sh
index 96d386d..3fe57b8 100644
--- a/task/gitlab-set-status/0.2/tests/pre-apply-task-hook.sh
+++ b/task/gitlab-set-status/0.3/tests/pre-apply-task-hook.sh
@@ -1,3 +1,3 @@
 #!/usr/bin/env bash
 
-kubectl -n ${tns} create secret generic gitlab-secret --from-literal token="secret"
\ No newline at end of file
+kubectl -n ${tns} create secret generic gitlab-secret --from-literal token="secret"
diff --git a/task/gitlab-set-status/0.2/tests/run.yaml b/task/gitlab-set-status/0.3/tests/run.yaml
index f2dd431..7dda0a8 100644
--- a/task/gitlab-set-status/0.2/tests/run.yaml
+++ b/task/gitlab-set-status/0.3/tests/run.yaml
@@ -27,3 +27,5 @@ spec:
             value: gitlab-secret
           - name: GITLAB_TOKEN_SECRET_KEY
             value: token
+          - name: SSL_VERIFY
+            value: "true"
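Review bot: This is the only hunk for tests/run.yaml, so the test run is not updated to pass REPO_NAME and REPO_GROUP_PATH, which the task now requires; if it still passes REPO_FULL_NAME the TaskRun will not match the 0.3 parameter list. The added SSL_VERIFY value also covers only the "true" path, so the new unverified-context branch has no test.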

@tekton-robot

Catlin Output
FILE: task/gitlab-set-status/0.3/gitlab-set-status.yaml
WARN : Step "set-status" uses image "registry.access.redhat.com/ubi8/python-38@sha256:af6f93b81f9313de95966e8cd681edb9dbcb5fdbddc5a4cc365af8e4534096ef"; consider using a image tagged with specific version along with digest eg. abc.io/img:v1@sha256:abcde
Catlin script lint Output
WARN : step: gitlab-set-status is not using #!/usr/bin/env 
ERROR: /usr/bin/pylint, [-dC0103] failed:
************* Module catlin-script-linter4290277335
gitlab-set-status-set-status:59:0: C0301: Line too long (117/100) (line-too-long)
gitlab-set-status-set-status:38:38: W0212: Access to a protected member _create_unverified_context of a client class (protected-access)

-----------------------------------
Your code has been rated at 9.62/10


@tekton-robot

Diff between version 0.2 and 0.3
diff --git a/task/gitlab-set-status/0.2/README.md b/task/gitlab-set-status/0.3/README.md
index babfa4b..5a74c09 100644
--- a/task/gitlab-set-status/0.2/README.md
+++ b/task/gitlab-set-status/0.3/README.md
@@ -14,7 +14,7 @@ informations about the CI statuses or a direct link to the full log.
 ### Install the Task
 
 ```shell
-kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/gitlab-set-status/0.2/raw
+kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/gitlab-set-status/0.3/raw
 ```
 
 ### Parameters
@@ -35,6 +35,7 @@ kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/gitlab-set-s
 * **CONTEXT** (string, optional): The GitLab context, A string label to differentiate this status
   from the status of other systems. _e.g:_ `continuous-integration/tekton`
 * **COVERAGE** (string, optional): The total code coverage. Should be a float string.  _default:_ `""`
+* **SSL_VERIFY** (string, optional): Whether to verify SSL certificates. Set to `"false"` to disable verification (useful for self-signed certificates). _default:_ `"true**_*
 
 ## Platforms
 
diff --git a/task/gitlab-set-status/0.2/gitlab-set-status.yaml b/task/gitlab-set-status/0.3/gitlab-set-status.yaml
index 772baab..11ae74f 100644
--- a/task/gitlab-set-status/0.2/gitlab-set-status.yaml
+++ b/task/gitlab-set-status/0.3/gitlab-set-status.yaml
@@ -3,7 +3,7 @@ kind: Task
 metadata:
   name: gitlab-set-status
   labels:
-    app.kubernetes.io/version: "0.2"
+    app.kubernetes.io/version: "0.3"
   annotations:
     tekton.dev/pipelines.minVersion: "0.12.1"
     tekton.dev/categories: Git
@@ -35,9 +35,14 @@ spec:
       default: "/api/v4"
       type: string
 
-    - name: REPO_FULL_NAME
+    - name: REPO_NAME
       description: |
-        The GitLab repository full name, e.g.: tektoncd/catalog
+        The GitLab repository name, e.g.: catalog
+      type: string
+
+    - name: REPO_GROUP_PATH
+      description: |
+        The GitLab repository full group path, e.g.: tektoncd/hub
       type: string
 
     - name: GITLAB_TOKEN_SECRET_NAME
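Review bot: The two examples in the new descriptions do not fit together: REPO_NAME gives `catalog` while REPO_GROUP_PATH gives `tektoncd/hub`, which reads like a full project path rather than a group path. Since the script joins them as `{REPO_GROUP_PATH}/{REPO_NAME}`, use a matching pair such as `tektoncd` and `catalog`, and say whether nested subgroups are written with slashes.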
@@ -88,6 +93,12 @@ spec:
       type: string
       default: ""
 
+    - name: SSL_VERIFY
+      description: |
+        Whether to verify SSL certificates. Set to false to disable SSL verification (useful for self-signed certificates).
+      default: "true"
+      type: string
+
   steps:
     - name: set-status
       image: registry.access.redhat.com/ubi8/python-38@sha256:af6f93b81f9313de95966e8cd681edb9dbcb5fdbddc5a4cc365af8e4534096ef
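Review bot: The SSL_VERIFY description presents disabling verification only as a convenience for self-signed certificates; it should state that with "false" the `Authorization: Bearer` header carrying GITLAB_TOKEN is sent to a server whose identity is not checked. For self-signed or private-CA instances, a parameter or workspace that supplies the CA certificate would keep verification on; if the switch stays, the description should say it is intended for test environments.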
@@ -99,25 +110,28 @@ spec:
         import sys
         import json
         import http.client
+        import ssl
         import urllib.parse
 
         GITLAB_TOKEN = os.getenv("GITLAB_TOKEN")
         GITLAB_HOST_URL = "$(params.GITLAB_HOST_URL)"
         API_PATH_PREFIX = "$(params.API_PATH_PREFIX)"
-        REPO_FULL_NAME = "$(params.REPO_FULL_NAME)"
+        REPO_NAME = "$(params.REPO_NAME)"
+        REPO_GROUP_PATH = "$(params.REPO_GROUP_PATH)"
         SHA = "$(params.SHA)"
         STATE = "$(params.STATE)"
         CONTEXT = "$(params.CONTEXT)"
         TARGET_URL = "$(params.TARGET_URL)"
         DESCRIPTION = "$(params.DESCRIPTION)"
         COVERAGE = "$(params.COVERAGE)"
+        SSL_VERIFY = "$(params.SSL_VERIFY)".lower() == "true"
 
         headers = {
             "User-Agent": "TektonCD, the peaceful cat",
             "Authorization": f"Bearer {GITLAB_TOKEN}",
         }
 
-        URLENCODED_REPO_NAME = urllib.parse.quote(REPO_FULL_NAME, safe="")
+        URLENCODED_REPO_NAME = urllib.parse.quote(REPO_NAME, safe="")
 
         params = {
             "state": STATE,
@@ -129,21 +143,34 @@ spec:
         if COVERAGE:
             params["coverage"] = float(COVERAGE)
 
-        encoded_params = urllib.parse.urlencode(params)
-
-        api_url = f"{API_PATH_PREFIX}/projects/{URLENCODED_REPO_NAME}/statuses/{SHA}?{encoded_params}"
-
-        print(f"POST to {GITLAB_HOST_URL}{api_url}")
+        ssl_context = None if SSL_VERIFY else ssl._create_unverified_context()
 
         if GITLAB_HOST_URL.startswith("http://"):
             conn = http.client.HTTPConnection(GITLAB_HOST_URL[7:])
         elif GITLAB_HOST_URL.startswith("https://"):
-            conn = http.client.HTTPSConnection(GITLAB_HOST_URL[8:])
+            conn = http.client.HTTPSConnection(GITLAB_HOST_URL[8:], context=ssl_context)
         else:
-            conn = http.client.HTTPSConnection(GITLAB_HOST_URL)
-        try:
-            conn.request("POST", api_url, headers=headers)
+            conn = http.client.HTTPSConnection(GITLAB_HOST_URL, context=ssl_context)
 
+        try:
+            project_api_url = f"{API_PATH_PREFIX}/projects?search={URLENCODED_REPO_NAME}"
+            conn.request("GET", project_api_url, headers=headers)
+            resp = conn.getresponse()
+            if not str(resp.status).startswith("2"):
+                print(f"{resp.status} | Unable to get project id")
+                response_data = json.dumps(json.loads(resp.read()), indent=4)
+                print(response_data)
+                sys.exit(1)
+            else:
+                response_data = json.loads(resp.read())
+                target_path = f"{REPO_GROUP_PATH}/{URLENCODED_REPO_NAME}"
+                project_id = next((item["id"] for item in response_data if item["path_with_namespace"] == target_path), None)
+                print(f"Project ID of {REPO_GROUP_PATH}/{URLENCODED_REPO_NAME} is {project_id}")
+
+            encoded_params = urllib.parse.urlencode(params)
+            status_api_url = f"{API_PATH_PREFIX}/projects/{project_id}/statuses/{SHA}?{encoded_params}"
+            print(f"POST to {GITLAB_HOST_URL}{status_api_url}")
+            conn.request("POST", status_api_url, headers=headers)
             resp = conn.getresponse()
             if not str(resp.status).startswith("2"):
                 print(f"{resp.status} | Unable to set status")
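Review bot: In the new lookup, `project_id` falls back to None when no item matches `target_path`, and the code then goes on to POST to `/projects/None/statuses/{SHA}`; check for None and exit with a clear "project not found" message instead. The comparison itself builds `target_path` from URLENCODED_REPO_NAME, but `path_with_namespace` in the response is a plain path, so the unencoded REPO_NAME should be used there (and in the log lines). The single GET also reads only the first page of search results, so a common repository name can miss the intended project; narrowing the query or following pagination would address that.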
@@ -151,7 +178,7 @@ spec:
                 print(response_data)
                 sys.exit(1)
             else:
-                print(f"Just set status of {REPO_FULL_NAME}#{SHA} to {STATE}")
+                print(f"Just set status of {REPO_GROUP_PATH}/{URLENCODED_REPO_NAME}#{SHA} to {STATE}")
         finally:
             conn.close()
 
diff --git a/task/gitlab-set-status/0.2/tests/fixtures/gitlab-set-status.yaml b/task/gitlab-set-status/0.3/tests/fixtures/gitlab-set-status.yaml
index 6e75a71..e4cedde 100644
--- a/task/gitlab-set-status/0.2/tests/fixtures/gitlab-set-status.yaml
+++ b/task/gitlab-set-status/0.3/tests/fixtures/gitlab-set-status.yaml
@@ -1,11 +1,11 @@
 ---
 headers:
   method: POST
-  path: /api/v4/projects/{repo:.+}/statuses/{[^/]+}
+  path: /api/v4/projects/{project_id:[0-9]+}/statuses/{[^/]+}
 response:
   status: 201
   output: |
     {
       "some": "data"
     }
-  content-type: application/json
\ No newline at end of file
+  content-type: application/json
diff --git a/task/gitlab-set-status/0.2/tests/pre-apply-task-hook.sh b/task/gitlab-set-status/0.3/tests/pre-apply-task-hook.sh
index 96d386d..3fe57b8 100644
--- a/task/gitlab-set-status/0.2/tests/pre-apply-task-hook.sh
+++ b/task/gitlab-set-status/0.3/tests/pre-apply-task-hook.sh
@@ -1,3 +1,3 @@
 #!/usr/bin/env bash
 
-kubectl -n ${tns} create secret generic gitlab-secret --from-literal token="secret"
\ No newline at end of file
+kubectl -n ${tns} create secret generic gitlab-secret --from-literal token="secret"
diff --git a/task/gitlab-set-status/0.2/tests/run.yaml b/task/gitlab-set-status/0.3/tests/run.yaml
index f2dd431..7dda0a8 100644
--- a/task/gitlab-set-status/0.2/tests/run.yaml
+++ b/task/gitlab-set-status/0.3/tests/run.yaml
@@ -27,3 +27,5 @@ spec:
             value: gitlab-secret
           - name: GITLAB_TOKEN_SECRET_KEY
             value: token
+          - name: SSL_VERIFY
+            value: "true"

@tekton-robot

The following Tekton test failed:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| pull-catalog-catlin-lint | 12a016d | link | true | /test pull-catalog-catlin-lint |

@tekton-robot

Catlin Output
FILE: task/gitlab-set-status/0.3/gitlab-set-status.yaml
WARN : Step "set-status" uses image "registry.access.redhat.com/ubi8/python-38@sha256:af6f93b81f9313de95966e8cd681edb9dbcb5fdbddc5a4cc365af8e4534096ef"; consider using a image tagged with specific version along with digest eg. abc.io/img:v1@sha256:abcde
Catlin script lint Output
WARN : step: gitlab-set-status is not using #!/usr/bin/env 
ERROR: /usr/bin/pylint, [-dC0103] failed:
************* Module catlin-script-linter537285432
gitlab-set-status-set-status:62:0: C0301: Line too long (117/100) (line-too-long)
gitlab-set-status-set-status:41:38: W0212: Access to a protected member _create_unverified_context of a client class (protected-access)

-----------------------------------
Your code has been rated at 9.63/10


Labels

kind/bug Categorizes issue or PR as related to a bug. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
