GitLab Integration

Oore integrates with GitLab using:

• Webhooks: For receiving push and merge request events
• OAuth (optional): For cloning private repositories

GitLab webhooks use token-based authentication (simpler than GitHub’s HMAC signatures).

Quick Setup

1. Add repository to Oore

   oore repo add \
     --provider gitlab \
     --owner myuser \
     --repo my-project \
     --webhook-secret "my-secure-secret" \
     --gitlab-project-id 12345678

2. Get webhook URL

   oore repo webhook-url <repo-id>

3. Configure in GitLab

   Go to Settings → Webhooks in your GitLab project:

   Field	Value
   URL	Webhook URL from step 2
   Secret token	Same secret from step 1
   Push events	✓
   Merge request events	✓

4. Test the webhook

   Click “Test” → “Push events” in GitLab, then verify:

   oore webhook list

GitLab OAuth Setup

For private repositories, automatic webhook creation, and status updates:

1. Create GitLab Application

gitlab.com

Go to GitLab → Settings → Applications:

Field	Value
Name	Oore CI
Redirect URI	https://your-server.com/setup/gitlab/callback
Confidential	Yes
Scopes	api, read_repository

Configure in /etc/oore/oore.env:

OORE_GITLAB_CLIENT_ID=your-application-id
OORE_GITLAB_CLIENT_SECRET=your-application-secret

Self-Hosted

Create the OAuth application on your GitLab instance, then register it with Oore:

oore gitlab register \
  --instance https://gitlab.mycompany.com \
  --client-id YOUR_CLIENT_ID \
  --client-secret YOUR_CLIENT_SECRET \
  --admin-token YOUR_TOKEN

2. Connect Account

# For gitlab.com
oore gitlab connect --admin-token YOUR_TOKEN

# For self-hosted
oore gitlab connect --instance https://gitlab.mycompany.com --admin-token YOUR_TOKEN

Follow the URL to authorize, then complete with:

oore gitlab callback "<REDIRECT_URL>" --admin-token YOUR_TOKEN

3. Enable Projects

List available projects and enable CI:

# List accessible projects
oore gitlab projects --admin-token YOUR_TOKEN

# Enable CI for a project (creates repository and webhook automatically)
oore gitlab enable 12345678 --admin-token YOUR_TOKEN

How It Works

GitLab                          oored                      Build
  │                               │                          │
  │  POST /webhooks/gitlab/:id    │                          │
  ├──────────────────────────────▶│                          │
  │                               │ 1. Verify token          │
  │                               │ 2. Store event           │
  │                               │ 3. Queue for processing  │
  │        {"status":"ok"}        │                          │
  │◀──────────────────────────────┤                          │

Security: Token Storage

GitLab tokens are stored securely:

1. Token sent in X-Gitlab-Token header
2. Oore stores HMAC-SHA256(token, pepper) in database
3. On verification, compute HMAC and compare

Note

Even if the database is compromised, original tokens cannot be recovered.

Event Types

Event	Trigger
Push Hook	Code pushed
Merge Request Hook	MR opened/updated/merged
Tag Push Hook	New tag created

GitLab.com vs Self-Hosted

GitLab.com

Configure environment variables for OAuth:

OORE_GITLAB_CLIENT_ID=your-app-id
OORE_GITLAB_CLIENT_SECRET=your-app-secret

Self-Hosted

Register OAuth app credentials via CLI:

oore gitlab register \
  --instance https://gitlab.mycompany.com \
  --client-id YOUR_CLIENT_ID \
  --client-secret YOUR_CLIENT_SECRET \
  --admin-token YOUR_TOKEN

Optional security settings in /etc/oore/oore.env:

OORE_GITLAB_ALLOWED_HOSTS=gitlab.mycompany.com,gitlab.internal.com
OORE_GITLAB_CA_BUNDLE=/etc/ssl/certs/internal-ca.pem

Troubleshooting

Webhooks Not Received

• Check URL is publicly accessible
• Token must match exactly (case-sensitive)
• SSL certificate must be valid

View logs in GitLab → Settings → Webhooks → Recent events

Token Verification Failures

# Update token in Oore
oore repo add --provider gitlab --owner myuser --repo my-project \
  --webhook-secret "new-secret" --force

# Then update in GitLab webhook settings

Comparing GitHub vs GitLab

Feature	GitHub	GitLab
Webhook auth	HMAC-SHA256 signature	Token header
App model	GitHub App	OAuth + Webhooks
Token storage	N/A (signature-based)	HMAC hashed

Complete Example (OAuth Flow)

# 1. Connect GitLab account
oore gitlab connect --admin-token YOUR_TOKEN
# Follow the URL, authorize, then:
oore gitlab callback "<REDIRECT_URL>" --admin-token YOUR_TOKEN

# 2. List projects
oore gitlab projects --admin-token YOUR_TOKEN

# 3. Enable CI for a project (creates repo + webhook automatically)
oore gitlab enable 12345678 --admin-token YOUR_TOKEN

# 4. Push code
git push origin main

# 5. Check builds
oore build list

Manual Webhook Setup (Without OAuth)

If you prefer not to use OAuth:

# 1. Add repository manually
oore repo add \
  --provider gitlab \
  --owner myuser \
  --repo my-flutter-app \
  --webhook-secret "$(openssl rand -hex 20)" \
  --gitlab-project-id 12345678

# 2. Get webhook URL
oore repo webhook-url <repo-id>

# 3. Configure webhook manually in GitLab UI
# 4. Test webhook
# 5. Push code
git push origin main

# 6. Check builds
oore build list