Romain Baumier (0bd23b5c) at 16 Mar 16:26
refactor(frontend): DRY cleanup — composables, shared components, u...
... and 55 more commits
François-Guillaume Ribreau (b41109a5) at 16 Mar 12:47
:rotating_light::rotating_light::rotating_light: Variables to add in gitlab CI: :rotating_light::rotating_light:
| Variable | Description | Scope |
|----------------------|-------------------------------------------------------|----------------------------|
| 🆗 GITLAB_RELEASE_TOKEN | Personal access token avec scope write_repository | Toutes les releases |
| 🆗 NPM_TOKEN | Token npm automation pour publier sur npmjs.org | SDK release |
| 🆗 CARGO_TOKEN | Token API crates.io | SDK release |
| 🆗 DOCKERHUB_USERNAME | Username Docker Hub | Container release |
| 🆗 DOCKERHUB_TOKEN | Access token Docker Hub | Container release |
| 🆗 GITHUB_USERNAME | Username GitHub pour GHCR | Container release |
| 🆗 GITHUB_TOKEN | GitHub PAT avec scope packages:write + contents:write | Container + GitHub release |François-Guillaume Ribreau (ee46a78d) at 16 Mar 12:47
Merge branch 'feature/sdk-releases' into 'master'
... and 1 more commit
:rotating_light::rotating_light::rotating_light: Variables to add in gitlab CI: :rotating_light::rotating_light:
| Variable | Description | Scope |
|----------------------|-------------------------------------------------------|----------------------------|
| 🆗 GITLAB_RELEASE_TOKEN | Personal access token avec scope write_repository | Toutes les releases |
| 🆗 NPM_TOKEN | Token npm automation pour publier sur npmjs.org | SDK release |
| 🆗 CARGO_TOKEN | Token API crates.io | SDK release |
| 🆗 DOCKERHUB_USERNAME | Username Docker Hub | Container release |
| 🆗 DOCKERHUB_TOKEN | Access token Docker Hub | Container release |
| 🆗 GITHUB_USERNAME | Username GitHub pour GHCR | Container release |
| 🆗 GITHUB_TOKEN | GitHub PAT avec scope packages:write + contents:write | Container + GitHub release |Avoid direct curl | bash installer execution in CI.
Line 14 executes an unpinned remote script, which weakens supply-chain guarantees for a release gate job. Prefer a pinned installer source (commit/tag) plus checksum verification before execution.
Verify each finding against the current code and only fix it if needed.
In `@ci/semver-checks.gitlab-ci.yml` around lines 14 - 15, The CI currently pipes
an unpinned remote script (install-from-binstall-release.sh) into bash and
installs cargo-semver-checks directly, which is a supply-chain risk; update the
job to fetch a pinned release (specific commit SHA or tag) of the
installer/script and verify its checksum or GPG signature before executing, or
avoid the remote-script path entirely by using a reproducible alternative (e.g.,
install cargo-semver-checks from a verified cargo/crates.io release or use a
pinned cargo-binstall binary) — change references to
install-from-binstall-release.sh and the cargo binstall invocation for
[email protected] so the pipeline downloads a pinned artifact, performs
integrity verification, then executes the trusted installer.Avoid embedding credentials in Git remote URLs.
Line 89 places the token directly in the URL, which is high-risk for leakage and scanner findings. Use a clean remote URL plus auth header/credential helper instead.
- - git remote set-url origin "https://oauth2:${GITLAB_RELEASE_TOKEN}@gitlab.com/${CI_PROJECT_PATH}.git"
+ - git remote set-url origin "https://gitlab.com/${CI_PROJECT_PATH}.git"
+ - git config http.https://gitlab.com/.extraheader "Authorization: Bearer ${GITLAB_RELEASE_TOKEN}"
‼️ IMPORTANT Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
- git remote set-url origin "https://gitlab.com/${CI_PROJECT_PATH}.git"
- git config http.https://gitlab.com/.extraheader "Authorization: Bearer ${GITLAB_RELEASE_TOKEN}"Verify each finding against the current code and only fix it if needed.
In `@ci/release-sdk.gitlab-ci.yml` at line 89, Replace the embedded-token remote
URL by setting the remote to a clean URL via the existing git remote set-url
origin command (use "https://gitlab.com/${CI_PROJECT_PATH}.git") and stop
interpolating GITLAB_RELEASE_TOKEN into the URL; then authenticate via a safe
mechanism instead (for example configure an HTTP auth header or credential
helper in CI using the GITLAB_RELEASE_TOKEN—set an auth header like
AUTHORIZATION: Bearer $GITLAB_RELEASE_TOKEN or use git credential helper) so the
token is never written into the remote URL. Ensure changes touch the git remote
set-url origin invocation and any CI steps that currently assume the
token-in-URL behavior.Actionable comments posted: 2
cliff.toml (1)
56-62: Duplicate^ciparser causes unreachable grouping rule.Line 56 already captures
^ci, so the^ci -> CIrule at Line 61 will never be used. Keep only one CI mapping to avoid ambiguous changelog grouping.Suggested cleanup
commit_parsers = [ { message = "^.*!", group = "Breaking Changes" }, { body = "BREAKING CHANGE", group = "Breaking Changes" }, @@ - { message = "^ci", group = "CI/CD" }, + { message = "^ci", group = "CI/CD" }, { message = "^build", group = "Build" }, @@ - { message = "^ci", group = "CI" }, { body = ".*security", group = "Security" }, ]
🤖 Prompt for AI AgentsVerify each finding against the current code and only fix it if needed. In `@cliff.toml` around lines 56 - 62, There are two duplicate commit-parsing entries matching the same pattern { message = "^ci" } which makes the later { message = "^ci", group = "CI" } unreachable; remove or consolidate the duplicate by keeping a single { message = "^ci", group = "CI" } (or change the original to the intended group) and delete the other { message = "^ci", ... } entry so only one CI mapping remains.ci/README.md (2)
89-105: Consider documenting SDK-specific requirements and validations.The SDK Release Process section is clear but could be enhanced by mentioning:
- Which CI variables are required for SDK releases (NPM_TOKEN, CARGO_TOKEN)
- Whether semver-checks validation (mentioned in PR objectives) runs as part of the release pipeline or during MRs
📝 Suggested additions to SDK Release Process## SDK Release Process SDK releases are independent from main releases and publish the TypeScript and Rust clients. + +**Required CI Variables**: `NPM_TOKEN`, `CARGO_TOKEN` 1. On the master branch pipeline, find the manual jobs in `trigger-release` stage: - `sdk-release:patch` - Bumps patch version (1.0.0 → 1.0.1) - `sdk-release:minor` - Bumps minor version (1.0.0 → 1.1.0) - `sdk-release:major` - Bumps major version (1.0.0 → 2.0.0) 2. Click the play button on the desired release type 3. The job will: - Bump versions in clients/rust/Cargo.toml and clients/typescript/package.json - Create a commit with the version bump - Create and push a git tag (e.g., sdk-v1.0.1) 4. The tag triggers the SDK release pipeline which: - Publishes `hook0-client` to npm - Publishes `hook0-client` to crates.io + +**Note**: Semantic versioning compliance for Rust clients is validated automatically on merge requests to master.
🤖 Prompt for AI AgentsVerify each finding against the current code and only fix it if needed. In `@ci/README.md` around lines 89 - 105, Update the "SDK Release Process" docs to explicitly list required CI variables (NPM_TOKEN and CARGO_TOKEN) and where they must be set (pipeline/CI project settings) and clarify whether the semver-checks validation runs in the release pipeline or during merge requests (reference the semver-checks job and the trigger-release stage and sdk-release:patch/minor/major jobs); add a short note about any additional required permissions or scopes for those tokens and a one-line pointer to the semver-checks behavior (e.g., "semver-checks runs on MRs" or "semver-checks runs as part of the SDK release pipeline") so readers know when validation occurs.
17-23: Clarify setup instructions for all required tokens.The current instructions focus only on creating
GITLAB_RELEASE_TOKENbut don't guide users on obtaining tokens from external services (npm, crates.io, Docker Hub, GitHub). Additionally, marking usernames as "Masked" is unnecessary since they're not sensitive.
📝 Suggested improvement for setup clarity### Setup in GitLab -1. Go to https://gitlab.com/-/profile/personal_access_tokens -2. Create a token with `write_repository` scope for `GITLAB_RELEASE_TOKEN` -3. Go to Settings > CI/CD > Variables -4. Add each variable with its value -5. Mark all as "Protected" and "Masked" +1. Obtain required tokens: + - GitLab: Create a [personal access token](https://gitlab.com/-/profile/personal_access_tokens) with `write_repository` scope + - npm: Create an [automation token](https://docs.npmjs.com/creating-and-viewing-access-tokens) for publishing + - crates.io: Generate an [API token](https://crates.io/settings/tokens) + - Docker Hub: Create an [access token](https://hub.docker.com/settings/security) + - GitHub: Create a [PAT](https://github.com/settings/tokens) with `packages:write` and `contents:write` scopes +2. Go to Settings > CI/CD > Variables in your GitLab project +3. Add each variable from the table above: + - Mark all tokens as "Protected" and "Masked" + - Mark usernames as "Protected" only (no need to mask)
🤖 Prompt for AI AgentsVerify each finding against the current code and only fix it if needed. In `@ci/README.md` around lines 17 - 23, Update the "Setup in GitLab" section to list all required CI variables (e.g., GITLAB_RELEASE_TOKEN, NPM_TOKEN, CRATES_IO_TOKEN, DOCKERHUB_USERNAME, DOCKERHUB_TOKEN, GITHUB_TOKEN) and add one-line guidance for obtaining each (link or source: npm personal access token, crates.io API token, Docker Hub settings, GitHub PAT), then instruct adding them under Settings > CI/CD > Variables and mark only sensitive secrets (tokens/passwords) as "Protected" and "Masked" while noting that usernames (e.g., DOCKERHUB_USERNAME) should be "Protected" but not "Masked"; update the bullet steps in the "Setup in GitLab" block to reflect these variable names and masking/protection guidance.
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@ci/release-sdk.gitlab-ci.yml`:
- Line 89: Replace the embedded-token remote URL by setting the remote to a
clean URL via the existing git remote set-url origin command (use
"https://gitlab.com/${CI_PROJECT_PATH}.git") and stop interpolating
GITLAB_RELEASE_TOKEN into the URL; then authenticate via a safe mechanism
instead (for example configure an HTTP auth header or credential helper in CI
using the GITLAB_RELEASE_TOKEN—set an auth header like AUTHORIZATION: Bearer
$GITLAB_RELEASE_TOKEN or use git credential helper) so the token is never
written into the remote URL. Ensure changes touch the git remote set-url origin
invocation and any CI steps that currently assume the token-in-URL behavior.
In `@ci/semver-checks.gitlab-ci.yml`:
- Around line 14-15: The CI currently pipes an unpinned remote script
(install-from-binstall-release.sh) into bash and installs cargo-semver-checks
directly, which is a supply-chain risk; update the job to fetch a pinned release
(specific commit SHA or tag) of the installer/script and verify its checksum or
GPG signature before executing, or avoid the remote-script path entirely by
using a reproducible alternative (e.g., install cargo-semver-checks from a
verified cargo/crates.io release or use a pinned cargo-binstall binary) — change
references to install-from-binstall-release.sh and the cargo binstall invocation
for [email protected] so the pipeline downloads a pinned artifact,
performs integrity verification, then executes the trusted installer.
---
Nitpick comments:
In `@ci/README.md`:
- Around line 89-105: Update the "SDK Release Process" docs to explicitly list
required CI variables (NPM_TOKEN and CARGO_TOKEN) and where they must be set
(pipeline/CI project settings) and clarify whether the semver-checks validation
runs in the release pipeline or during merge requests (reference the
semver-checks job and the trigger-release stage and
sdk-release:patch/minor/major jobs); add a short note about any additional
required permissions or scopes for those tokens and a one-line pointer to the
semver-checks behavior (e.g., "semver-checks runs on MRs" or "semver-checks runs
as part of the SDK release pipeline") so readers know when validation occurs.
- Around line 17-23: Update the "Setup in GitLab" section to list all required
CI variables (e.g., GITLAB_RELEASE_TOKEN, NPM_TOKEN, CRATES_IO_TOKEN,
DOCKERHUB_USERNAME, DOCKERHUB_TOKEN, GITHUB_TOKEN) and add one-line guidance for
obtaining each (link or source: npm personal access token, crates.io API token,
Docker Hub settings, GitHub PAT), then instruct adding them under Settings >
CI/CD > Variables and mark only sensitive secrets (tokens/passwords) as
"Protected" and "Masked" while noting that usernames (e.g., DOCKERHUB_USERNAME)
should be "Protected" but not "Masked"; update the bullet steps in the "Setup in
GitLab" block to reflect these variable names and masking/protection guidance.
In `@cliff.toml`:
- Around line 56-62: There are two duplicate commit-parsing entries matching the
same pattern { message = "^ci" } which makes the later { message = "^ci", group
= "CI" } unreachable; remove or consolidate the duplicate by keeping a single {
message = "^ci", group = "CI" } (or change the original to the intended group)
and delete the other { message = "^ci", ... } entry so only one CI mapping
remains.Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: d3e531c4-f93d-499b-ab82-fb99f67bf832
Cargo.lock is excluded by !**/*.lock
.gitlab-ci.ymlapi/.gitlab-ci.ymlapi/Cargo.tomlci/README.mdci/pre-release-sdk.shci/pre-release.shci/release-sdk.gitlab-ci.ymlci/semver-checks.gitlab-ci.ymlclients/rust/.gitlab-ci.ymlclients/rust/Cargo.tomlclients/typescript/.gitlab-ci.ymlcliff.tomlfrontend/.gitlab-ci.ymloutput-worker/Cargo.tomlRomain Baumier (b41109a5) at 16 Mar 08:43
Merge remote-tracking branch 'origin/master' into feature/sdk-releases
... and 40 more commits
@dsferruzza aie tu m'as pas ping sur ce commentaire donc je ne l'ai pas vu :/
(je pensais l'avoir fix) pour moi ces tests devraient utiliser nos repository pour créer les ressources, par contre valider la suppression c'est très pertinent car ça nous permet de faire évoluer ce code pour faire du load-test (un user avec beaucoup de données d'associées)
@rbaumier please rebase it and I will merge it then
closing, will re-do it later
closing, will re-do it later
Fixes #29 & #94
Fixes #42 & #29
Allows each subscription to have custom retry configuration including:
closing, will re-do it later
Fixes #104
Database changes:
Security features:
Frontend enhancements:
Documentation:
closing, will re-do it later
Fixes #95
Implement operational webhooks similar to Svix for monitoring webhook system health and status.
Features:
Database changes:
API endpoints:
Security:
This enables monitoring of webhook delivery health, automatic failure handling, and proactive issue detection in the webhook system.