feat: add CI/CD variable tools for project and group scope #479
babyhuey wants to merge 3 commits into
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b4a8592569
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
zereight left a comment
Thanks for the CI/CD variables toolset — the project-side API wiring, opt-in variables toolset, read-only/destructive registration, and test/test-ci-variables.ts in test:mock look solid.
I'm requesting changes before merge:
1. Rebase onto current main (blocking)
This PR branch is stacked on the dependency-proxy work (#474) and is CONFLICTING with main (which now includes #466). The diff bundles dependency-proxy files, design spec, and resolveGroupFullPath — not just the 7 files from b4a8592. Please rebase onto current main and submit a PR that contains only the CI variables changes (or land #474 first, then rebase).
2. npm run build fails on current head (blocking)
Head b4a8592 fails with TS18046: 'data' is of type 'unknown' in resolveGroupFullPath (from bundled #474 code). CI is also action_required (fork PR). Please ensure npm run build passes after rebase.
3. Group variables: missing filter[environment_scope] (P1)
Project endpoints support filter.environment_scope for get/update/delete/list — good. Group endpoints do not (GetGroupVariableSchema, UpdateGroupVariableSchema, DeleteGroupVariableSchema, ListGroupVariablesSchema). GitLab group variables can share the same key across scopes; without the filter, get/update/delete can hit the wrong variable or fail ambiguously. Please mirror the project-side filter pattern for group tools.
Non-blocking follow-ups:
- Add the 10 new tools to the README `<!-- TOOLS-START -->` list.
- Consider guarding `create_group_variable`/`update_group_variable`/`delete_group_variable` when `GITLAB_PROJECT_ID` or `GITLAB_ALLOWED_PROJECT_IDS` is set (same boundary as `create_group` on main).
- Add a mock test for `filter[environment_scope]` on project get/update/delete (called out as not tested in the commit message).
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6fb8ee19cf
| protected: z.boolean().optional(), | ||
| masked: z.boolean().optional(), | ||
| raw: z.boolean().optional(), | ||
| environment_scope: z.string().optional(), | ||
| description: z.string().nullable().optional(), |
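Review bot: None of the five fields here (`protected`, `masked`, `raw`, `environment_scope`, `description`) has a `.describe()`, while the `filter` input in this PR does. If this schema is also surfaced as tool input, add a short description to each, at least for `masked` and `raw`, so a caller can tell what setting them changes.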
Support hidden variable attributes
For GitLab 17.4+ project and group CI/CD variables, hidden is returned by list/get responses and masked_and_hidden is a create-time option. Because the shared variable schema omits these fields, get_*_variable/create responses strip the hidden state and callers cannot create variables with the non-revealable masked_and_hidden setting through these new tools, which is a security-relevant part of the variables API.
Useful? React with 👍 / 👎.
936e5ca to 6fb8ee1
All feedback addressed in this update: Rebased — PR now contains only CI/CD variable changes (dep proxy code was never part of this PR; just an artifact of the branch being cut before #474 landed). Build passes cleanly.
README — tools 157–166 added to the Project-scoped deployment guard — All 15 CI variable tests pass.
6fb8ee1 to 9f08121
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9f081210f2
| filter: z | ||
| .object({ environment_scope: z.string() }) | ||
| .optional() | ||
| .describe("Filter by environment scope (e.g. '*', 'production')"), |
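Review bot: `environment_scope: z.string()` inside `filter` accepts an empty string, and the description lists `'*'` as an example without saying whether the value is compared literally or treated as a wildcard. Constrain it with `.min(1)` and state the matching rule in the `.describe()` text.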
Do not advertise unsupported list filters
GitLab's list variable endpoints document only the group/project id plus pagination parameters; filter[environment_scope] is documented for retrieve/update/delete when duplicate keys need disambiguation, not for listing (see the official project/group variable API docs). With this schema, callers can request filter.environment_scope on list_project_variables and receive an unfiltered page while believing only that scope was returned, which can drive follow-up automation against the wrong variables. Remove this input or implement explicit client-side filtering on environment_scope.
81ae2dc to 8c149c2
Thanks for addressing the earlier feedback on group The PR is still merge-conflicting with Once that's done, I'll re-review the updated head. No need to change anything else for the conflict fix unless CI fails after the rebase.
8c149c2 to 2b1de3e
Rebased onto current
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2b1de3ef75
| filter: z | ||
| .object({ environment_scope: z.string() }) | ||
| .optional() | ||
| .describe("Filter by environment scope (e.g. '*', 'production')"), |
Remove unsupported filter from list_group_variables
list_group_variables advertises a filter.environment_scope input, but GitLab’s group-variable list endpoint only supports id, page, and per_page; filter is only defined for get/update/delete by key. In practice this means callers can pass a scope filter, receive an unfiltered list, and then run follow-up automation against the wrong variables while assuming the filter was enforced.
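An added example (not code from this PR or from the project) of the two behaviours the review comments above distinguish: forwarding `filter[environment_scope]` on get/update/delete by key, and narrowing a list page client-side because the list endpoints do not take that filter. The helper names, the `CiVariable` shape, the base URL and the sample data are assumptions made for illustration.

```typescript
// Added example: hypothetical helpers, not code from this PR.
interface CiVariable {
  key: string;
  value: string;
  environment_scope: string;
}

// Constructed sample page: one key defined for two scopes, as GitLab allows.
const SAMPLE_PAGE: CiVariable[] = [
  { key: "DB_URL", value: "staging-placeholder", environment_scope: "staging" },
  { key: "DB_URL", value: "prod-placeholder", environment_scope: "production" },
  { key: "API_HOST", value: "example.invalid", environment_scope: "*" },
];

// get/update/delete by key: forward the scope as filter[environment_scope].
function variableUrl(
  apiBase: string,
  kind: "projects" | "groups",
  id: string,
  key: string,
  environmentScope?: string,
): string {
  const path = `${kind}/${encodeURIComponent(id)}/variables/${encodeURIComponent(key)}`;
  if (environmentScope === undefined) return `${apiBase}/${path}`;
  const name = encodeURIComponent("filter[environment_scope]");
  return `${apiBase}/${path}?${name}=${encodeURIComponent(environmentScope)}`;
}

// list: the endpoint takes no scope filter, so narrow the returned page locally.
function filterByScope(page: CiVariable[], environmentScope?: string): CiVariable[] {
  if (environmentScope === undefined) return page;
  return page.filter((v) => v.environment_scope === environmentScope);
}

// Fail closed when a key matches several scopes and none was requested.
function selectVariable(page: CiVariable[], key: string, environmentScope?: string): CiVariable {
  const matches = filterByScope(page, environmentScope).filter((v) => v.key === key);
  const [only, ...rest] = matches;
  if (only === undefined) throw new Error(`no variable ${key} in the requested scope`);
  if (rest.length > 0) {
    const scopes = matches.map((v) => v.environment_scope).join(", ");
    throw new Error(`${key} is ambiguous across scopes: ${scopes}`);
  }
  return only;
}
```

Local filtering only sees the page it was given, so a caller has to walk every page before trusting an empty or single-element result.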
Verified locally against the same steps CI runs:
2b1de3e to e099a51
Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Rebased again. Fourth time now. The conflict is the same every single time: a new test file lands on
Adds 10 new MCP tools covering full CRUD for CI/CD variables at both project and group level, packaged as a new non-default `variables` toolset activated via discover_tools.
New tools: list_project_variables, get_project_variable, create_project_variable, update_project_variable, delete_project_variable, list_group_variables, get_group_variable, create_group_variable, update_group_variable, delete_group_variable.
Supports filter[environment_scope] on project endpoints to disambiguate variables that share the same key across environments.
List endpoints include pagination (page/per_page) consistent with other list tools.
Confidence: high
Scope-risk: narrow
Not-tested: filter[environment_scope] interaction with pagination on large variable sets
…pe guards
- Tests verify filter[environment_scope] query param is forwarded for get/update/delete project variable endpoints
- Adds 10 new tools (157-166) to README TOOLS list
- Guards create/update/delete group variable with rejectIfProjectScopedDeployment, consistent with create_group
Add rejectIfProjectScopedDeployment to list_group_variables and get_group_variable so a project-locked server cannot read arbitrary group secrets. Replace unsafe `data as GitLabCiVariable[]` casts with z.array(GitLabCiVariableSchema).parse(data) for consistent validation.
e099a51 to 986dc80
Closes #478
Summary
- `variables` toolset, activated via `discover_tools`
- `filter[environment_scope]` on project endpoints to disambiguate variables sharing a key across environments
- `page`/`per_page`) on list endpoints, consistent with `list_labels`
- `readOnlyTools`; delete tools in `destructiveTools`
New tools
- `list_project_variables`: `GET /projects/:id/variables`
- `get_project_variable`: `GET /projects/:id/variables/:key`
- `create_project_variable`: `POST /projects/:id/variables`
- `update_project_variable`: `PUT /projects/:id/variables/:key`
- `delete_project_variable`: `DELETE /projects/:id/variables/:key`
- `list_group_variables`: `GET /groups/:id/variables`
- `get_group_variable`: `GET /groups/:id/variables/:key`
- `create_group_variable`: `POST /groups/:id/variables`
- `update_group_variable`: `PUT /groups/:id/variables/:key`
- `delete_group_variable`: `DELETE /groups/:id/variables/:key`
GitLab API reference
Test plan
- `test/test-ci-variables.ts` covering all 10 tools
- `variables` toolset absent from default `tools/list` response
- `TOOLSET_TOOL_COUNTS` and `NON_DEFAULT_TOOLSETS` updated in `test-toolset-filtering.ts`
- `npm run test:mock`)
- `npx tsc --noEmit` clean