docs: add Workload Identity documentation for GitLab CI/CD #984
Add documentation for configuring Workload Identity with GitLab CI/CD, enabling secure authentication to Bytebase without long-lived credentials.

- Create new gitlab-ci.mdx with step-by-step configuration guide
- Include token exchange example using /v1/users/me for verification
- Add complete GitOps workflow example with SQL review and rollout
- Support self-hosted GitLab instances
- Add troubleshooting section for common issues
- Update docs.json navigation to include new page

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Pull request overview
This PR adds comprehensive documentation for configuring Workload Identity with GitLab CI/CD, enabling secure authentication to Bytebase without long-lived credentials via OIDC token exchange.
Changes:
- Add step-by-step guide for creating and configuring GitLab CI/CD Workload Identity in Bytebase
- Include complete GitOps workflow examples with SQL review and rollout stages
- Add self-hosted GitLab support and troubleshooting sections
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| docs/docs.json | Add navigation entry for new GitLab CI/CD workload identity documentation |
| docs/administration/user-groups/workload-identity/gitlab-ci.mdx | Complete documentation guide for GitLab CI/CD Workload Identity setup and usage |
| | Field | Description | Example | | ||
| |-------|-------------|---------| | ||
| | **Name** | Display name for this identity | `GitLab Deploy` | | ||
| | **Email** | Unique email prefix (automatically appended with `@workload.bytebase.com`) | `gitlab-deploy` | |
Copilot AI, Jan 15, 2026
The email field description is inconsistent with the GitHub Actions documentation. In the GitHub Actions guide (line 17), it states 'Unique email for this identity (must end with @workload.bytebase.com)' suggesting users should provide the full email. However, this documentation suggests users provide only the prefix. This inconsistency could confuse users. Please clarify whether users should provide the full email or just the prefix.
| | **Email** | Unique email prefix (automatically appended with `@workload.bytebase.com`) | `gitlab-deploy` | | |
| | **Email** | Unique email for this identity (must end with `@workload.bytebase.com`) | `gitlab-deploy@workload.bytebase.com` | |
| # SQL Review on merge requests | ||
| sql-review: | ||
| stage: review | ||
| image: bytebase/sql-review-action:latest |
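Review bot: The `image:` line at the end of this hunk uses the mutable `:latest` tag, so the review job runs whatever image is published under that tag at pipeline time. Since the documented pipeline passes a Bytebase token to the tool in this job, pin the example to a specific version tag or an image digest and tell readers to update it deliberately, so the guide does not teach an unpinned image as the default.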
Copilot AI, Jan 15, 2026
Incorrect Docker image reference. Based on other GitLab CI/CD examples in the codebase (e.g., docs/gitops/migration-based-workflow/sql-review-ci.mdx line 63), GitLab CI should use bytebase/bytebase-action:latest, not bytebase/sql-review-action:latest. The sql-review-action is a GitHub Action and cannot be used as a Docker image in GitLab CI.
| image: bytebase/sql-review-action:latest | |
| image: bytebase/bytebase-action:latest |
| sql-review --url ${BYTEBASE_URL} --token ${BYTEBASE_TOKEN} \ | ||
| --file-pattern "migrations/**/*.sql" |
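Review bot: `--token ${BYTEBASE_TOKEN}` on the first line of this hunk passes the token as a command-line argument, and both `${BYTEBASE_URL}` and `${BYTEBASE_TOKEN}` are expanded unquoted. Command-line arguments can be visible in process listings and are echoed to the job log if shell tracing is enabled, so the example should quote both expansions and, if the CLI supports reading the token from an environment variable or file, use that instead of the flag. A short sentence in the guide noting that the token must not be printed in job output would also help.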
Copilot AI, Jan 15, 2026
Incorrect command for SQL review. Based on the bytebase-action Docker image usage in other GitLab CI examples (e.g., docs/gitops/migration-based-workflow/sql-review-ci.mdx line 69), the correct command should be bytebase-action check instead of sql-review. The command format should match the established pattern used in GitLab CI pipelines.
Summary

bytebase-action

Changes

- gitlab-ci.mdx with step-by-step configuration guide
- /v1/users/me for verification
- docs.json navigation

Test plan
Closes BYT-8716
🤖 Generated with Claude Code