Skip to content

feat(gitlab): preview deployments for merge requests via webhook (ports #4089)#121

Open
AminDhouib wants to merge 2 commits into
canaryfrom
port/upr-4089
Open

feat(gitlab): preview deployments for merge requests via webhook (ports #4089)#121
AminDhouib wants to merge 2 commits into
canaryfrom
port/upr-4089

Conversation

@AminDhouib

Copy link
Copy Markdown
Member

Ports Dokploy#4089 by @edouard-mangel (open upstream at port time). Adds GitLab merge-request preview deployments, mirroring the existing GitHub flow.

What it does

New webhook endpoint apps/dokploy/pages/api/deploy/gitlab.ts (authenticated by a per-provider webhook_secret) handling:

  • Merge Request Hook: open/update/reopen/labeled create or update a preview; close/merge tear it down. Label filtering + preview-limit honored.
  • Push / Tag Push Hook: deploy apps/compose with matching triggerType, filtered by watch paths.
  • Permission gate: MR authors without Developer+ (level 30) access are blocked and notified once via a deduplicated MR note (checkGitlabMemberPermissions + createSecurityBlockedMRNote).

Server: gitlab table gains webhook_secret (migration slot 0195, backfills existing providers with gen_random_bytes); findGitlabByWebhookSecret; MR-note helpers in utils/providers/gitlab; gitlab.one is now org-scoped since it returns the secret.

UI: the GitLab provider dialog shows the webhook URL + secret (copy buttons); preview settings describe GitLab access levels for GitLab apps.

Fork adaptations

Verification

  • pnpm --filter=dokploy typecheck clean.
  • New tests pass: __test__/deploy/gitlab.test.ts (15) + __test__/utils/gitlab-preview-utils.test.ts (12).
  • Full vitest suite: 623 passed; the 9 failures are all the pre-existing Linux-only application.real.test.ts.
  • biome clean.

Overlaps (for the conflict matrix)

edouard-mangel and others added 2 commits July 12, 2026 22:29
Adds GitLab preview deployment support mirroring the existing GitHub flow. A
new webhook endpoint (pages/api/deploy/gitlab.ts) handles Push, Tag Push, and
Merge Request hooks:
- MR open/update/reopen/labeled create or update a preview; close/merge tear
  it down.
- Push/Tag hooks deploy apps configured with the matching trigger type,
  filtered by watch paths.
- MR-author permission gate: authors without Developer+ access are blocked and
  notified once via a deduplicated MR note.

Server side:
- The gitlab table gains a webhook_secret column (migration backfills existing
  providers) used to authenticate incoming webhooks.
- findGitlabByWebhookSecret looks up the provider by token.
- utils/providers/gitlab gains checkGitlabMemberPermissions plus the MR-note
  helpers.
- gitlab.one is org-scoped now that it returns the webhook secret.

UI: the GitLab provider dialog shows the webhook URL and secret to copy into
GitLab; the preview settings describe GitLab access levels for GitLab apps.

Ports Dokploy#4089 by @edouard-mangel (open upstream at port time).
Fork adaptations: preview limit is enforced only when creating a new preview
(as in the Dokploy#4139 fix), not on updates to existing ones; migration uses fork
slot 0195; sslip.io preview-domain branding preserved.
createPreviewDeployment posted the initializing PR comment via the GitHub App
unconditionally. GitLab preview apps have no GitHub provider, so authGithub
threw before the preview row was inserted, which would break GitLab previews.
Guard the comment behind application.sourceType === "github"; GitLab previews
surface status through MR notes posted by the GitLab webhook handler instead.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants