272 lines
9.8 KiB
Markdown
272 lines
9.8 KiB
Markdown
---
|
|
stage: Verify
|
|
group: Continuous Integration
|
|
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers
|
|
type: tutorial
|
|
---
|
|
|
|
# Triggering pipelines through the API
|
|
|
|
Triggers can be used to force a pipeline rerun of a specific `ref` (branch or
|
|
tag) with an API call.
|
|
|
|
## Authentication tokens
|
|
|
|
The following methods of authentication are supported:
|
|
|
|
- [Trigger token](#trigger-token)
|
|
- [CI job token](#ci-job-token)
|
|
|
|
If using the `$CI_PIPELINE_SOURCE` [predefined environment variable](../variables/predefined_variables.md)
|
|
to limit which jobs run in a pipeline, the value could be either `pipeline` or `trigger`,
|
|
depending on which trigger method is used.
|
|
|
|
| `$CI_PIPELINE_SOURCE` value | Trigger method |
|
|
|-----------------------------|----------------|
|
|
| `pipeline` | Using the `trigger:` keyword in the CI/CD configuration file, or using the trigger API with `$CI_JOB_TOKEN`. |
|
|
| `trigger` | Using the trigger API using a generated trigger token |
|
|
|
|
This also applies when using the `pipelines` or `triggers` keywords with the legacy [`only/except` basic syntax](../yaml/README.md#onlyexcept-basic).
|
|
|
|
### Trigger token
|
|
|
|
A unique trigger token can be obtained when [adding a new trigger](#adding-a-new-trigger).
|
|
|
|
DANGER: **Warning:**
|
|
Passing plain text tokens in public projects is a security issue. Potential
|
|
attackers can impersonate the user that exposed their trigger token publicly in
|
|
their `.gitlab-ci.yml` file. Use [variables](../variables/README.md#gitlab-cicd-environment-variables)
|
|
to protect trigger tokens.
|
|
|
|
### CI job token
|
|
|
|
You can use the `CI_JOB_TOKEN` [variable](../variables/README.md#predefined-environment-variables) (used to authenticate
|
|
with the [GitLab Container Registry](../../user/packages/container_registry/index.md)) in the following cases.
|
|
|
|
#### When used with multi-project pipelines
|
|
|
|
> - Use of `CI_JOB_TOKEN` for multi-project pipelines was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/2017) in [GitLab Premium](https://about.gitlab.com/pricing/) 9.3.
|
|
> - Use of `CI_JOB_TOKEN` for multi-project pipelines was [made available](https://gitlab.com/gitlab-org/gitlab/-/issues/31573) in all tiers in GitLab 12.4.
|
|
|
|
This way of triggering can only be used when invoked inside `.gitlab-ci.yml`,
|
|
and it creates a dependent pipeline relation visible on the
|
|
[pipeline graph](../multi_project_pipelines.md). For example:
|
|
|
|
```yaml
|
|
build_docs:
|
|
stage: deploy
|
|
script:
|
|
- curl --request POST --form "token=$CI_JOB_TOKEN" --form ref=master https://gitlab.example.com/api/v4/projects/9/trigger/pipeline
|
|
only:
|
|
- tags
|
|
```
|
|
|
|
Pipelines triggered that way also expose a special variable:
|
|
`CI_PIPELINE_SOURCE=pipeline`.
|
|
|
|
Read more about the [pipelines trigger API](../../api/pipeline_triggers.md).
|
|
|
|
#### When a pipeline depends on the artifacts of another pipeline **(PREMIUM)**
|
|
|
|
> The use of `CI_JOB_TOKEN` in the artifacts download API was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/2346) in [GitLab Premium](https://about.gitlab.com/pricing/) 9.5.
|
|
|
|
With the introduction of dependencies between different projects, one of
|
|
them may need to access artifacts created by a previous one. This process
|
|
must be granted for authorized accesses, and it can be done using the
|
|
`CI_JOB_TOKEN` variable that identifies a specific job. For example:
|
|
|
|
```yaml
|
|
build_submodule:
|
|
image: debian
|
|
stage: test
|
|
script:
|
|
- apt update && apt install -y unzip
|
|
- curl --location --output artifacts.zip "https://gitlab.example.com/api/v4/projects/1/jobs/artifacts/master/download?job=test&job_token=$CI_JOB_TOKEN"
|
|
- unzip artifacts.zip
|
|
only:
|
|
- tags
|
|
```
|
|
|
|
This allows you to use that for multi-project pipelines and download artifacts
|
|
from any project to which you have access as this follows the same principles
|
|
with the [permission model](../../user/permissions.md#job-permissions).
|
|
|
|
Read more about the [jobs API](../../api/job_artifacts.md#download-the-artifacts-archive).
|
|
|
|
## Adding a new trigger
|
|
|
|
Go to your
|
|
**Settings ➔ CI/CD** under **Triggers** to add a new trigger. The **Add trigger** button creates
|
|
a new token which you can then use to trigger a rerun of this
|
|
particular project's pipeline.
|
|
|
|
Every new trigger you create, gets assigned a different token which you can
|
|
then use inside your scripts or `.gitlab-ci.yml`. You also have a nice
|
|
overview of the time the triggers were last used.
|
|
|
|
![Triggers page overview](img/triggers_page.png)
|
|
|
|
## Revoking a trigger
|
|
|
|
You can revoke a trigger any time by going at your project's
|
|
**Settings ➔ CI/CD** under **Triggers** and hitting the **Revoke** button.
|
|
The action is irreversible.
|
|
|
|
## Triggering a pipeline
|
|
|
|
To trigger a job you need to send a `POST` request to GitLab's API endpoint:
|
|
|
|
```plaintext
|
|
POST /projects/:id/trigger/pipeline
|
|
```
|
|
|
|
The required parameters are the [trigger's `token`](#authentication-tokens)
|
|
and the Git `ref` on which the trigger is performed. Valid refs are
|
|
branches or tags. The `:id` of a project can be found by
|
|
[querying the API](../../api/projects.md) or by visiting the **CI/CD**
|
|
settings page which provides self-explanatory examples.
|
|
|
|
When a rerun of a pipeline is triggered, the information is exposed in GitLab's
|
|
UI under the **Jobs** page and the jobs are marked as triggered 'by API'.
|
|
|
|
![Marked rebuilds as on jobs page](img/builds_page.png)
|
|
|
|
You can see which trigger caused the rebuild by visiting the single job page.
|
|
A part of the trigger's token is exposed in the UI as you can see from the image
|
|
below.
|
|
|
|
![Marked rebuilds as triggered on a single job page](img/trigger_single_build.png)
|
|
|
|
By using cURL you can trigger a pipeline rerun with minimal effort, for example:
|
|
|
|
```shell
|
|
curl --request POST \
|
|
--form token=TOKEN \
|
|
--form ref=master \
|
|
https://gitlab.example.com/api/v4/projects/9/trigger/pipeline
|
|
```
|
|
|
|
In this case, the project with ID `9` gets rebuilt on `master` branch.
|
|
|
|
Alternatively, you can pass the `token` and `ref` arguments in the query string:
|
|
|
|
```shell
|
|
curl --request POST \
|
|
"https://gitlab.example.com/api/v4/projects/9/trigger/pipeline?token=TOKEN&ref=master"
|
|
```
|
|
|
|
You can also benefit by using triggers in your `.gitlab-ci.yml`. Let's say that
|
|
you have two projects, A and B, and you want to trigger a rebuild on the `master`
|
|
branch of project B whenever a tag on project A is created. This is the job you
|
|
need to add in project A's `.gitlab-ci.yml`:
|
|
|
|
```yaml
|
|
build_docs:
|
|
stage: deploy
|
|
script:
|
|
- "curl --request POST --form token=TOKEN --form ref=master https://gitlab.example.com/api/v4/projects/9/trigger/pipeline"
|
|
only:
|
|
- tags
|
|
```
|
|
|
|
This means that whenever a new tag is pushed on project A, the job runs and the
|
|
`build_docs` job is executed, triggering a rebuild of project B. The
|
|
`stage: deploy` ensures that this job runs only after all jobs with
|
|
`stage: test` complete successfully.
|
|
|
|
## Triggering a pipeline from a webhook
|
|
|
|
To trigger a job from a webhook of another project you need to add the following
|
|
webhook URL for Push and Tag events (change the project ID, ref and token):
|
|
|
|
```plaintext
|
|
https://gitlab.example.com/api/v4/projects/9/ref/master/trigger/pipeline?token=TOKEN
|
|
```
|
|
|
|
You should pass `ref` as part of the URL, to take precedence over `ref` from
|
|
the webhook body that designates the branch ref that fired the trigger in the
|
|
source repository. Be sure to URL-encode `ref` if it contains slashes.
|
|
|
|
## Making use of trigger variables
|
|
|
|
You can pass any number of arbitrary variables in the trigger API call and they
|
|
are available in GitLab CI/CD so that they can be used in your `.gitlab-ci.yml`
|
|
file. The parameter is of the form:
|
|
|
|
```plaintext
|
|
variables[key]=value
|
|
```
|
|
|
|
This information is also exposed in the UI. Please note that _values_ are only viewable by Owners and Maintainers.
|
|
|
|
![Job variables in UI](img/trigger_variables.png)
|
|
|
|
Using trigger variables can be proven useful for a variety of reasons:
|
|
|
|
- Identifiable jobs. Since the variable is exposed in the UI you can know
|
|
why the rebuild was triggered if you pass a variable that explains the
|
|
purpose.
|
|
- Conditional job processing. You can have conditional jobs that run whenever
|
|
a certain variable is present.
|
|
|
|
Consider the following `.gitlab-ci.yml` where we set three
|
|
[stages](../yaml/README.md#stages) and the `upload_package` job is run only
|
|
when all jobs from the test and build stages pass. When the `UPLOAD_TO_S3`
|
|
variable is non-zero, `make upload` is run.
|
|
|
|
```yaml
|
|
stages:
|
|
- test
|
|
- build
|
|
- package
|
|
|
|
run_tests:
|
|
stage: test
|
|
script:
|
|
- make test
|
|
|
|
build_package:
|
|
stage: build
|
|
script:
|
|
- make build
|
|
|
|
upload_package:
|
|
stage: package
|
|
script:
|
|
- if [ -n "${UPLOAD_TO_S3}" ]; then make upload; fi
|
|
```
|
|
|
|
You can then trigger a rebuild while you pass the `UPLOAD_TO_S3` variable
|
|
and the script of the `upload_package` job is run:
|
|
|
|
```shell
|
|
curl --request POST \
|
|
--form token=TOKEN \
|
|
--form ref=master \
|
|
--form "variables[UPLOAD_TO_S3]=true" \
|
|
https://gitlab.example.com/api/v4/projects/9/trigger/pipeline
|
|
```
|
|
|
|
Trigger variables have the [highest priority](../variables/README.md#priority-of-environment-variables)
|
|
of all types of variables.
|
|
|
|
## Using cron to trigger nightly pipelines
|
|
|
|
Whether you craft a script or just run cURL directly, you can trigger jobs
|
|
in conjunction with cron. The example below triggers a job on the `master`
|
|
branch of project with ID `9` every night at `00:30`:
|
|
|
|
```shell
|
|
30 0 * * * curl --request POST --form token=TOKEN --form ref=master https://gitlab.example.com/api/v4/projects/9/trigger/pipeline
|
|
```
|
|
|
|
This behavior can also be achieved through GitLab's UI with
|
|
[pipeline schedules](../pipelines/schedules.md).
|
|
|
|
## Legacy triggers
|
|
|
|
Old triggers, created before GitLab 9.0 are marked as legacy.
|
|
|
|
Triggers with the legacy label do not have an associated user and only have
|
|
access to the current project. They are considered deprecated and will be
|
|
removed with one of the future versions of GitLab.
|