Skip to content

gitlab-ci: Surface failed GitLab job traces in the Actions log on failure#28

Open
diaconuccalin wants to merge 2 commits into
pulp-platform:mainfrom
diaconuccalin:error_log_expose
Open

gitlab-ci: Surface failed GitLab job traces in the Actions log on failure#28
diaconuccalin wants to merge 2 commits into
pulp-platform:mainfrom
diaconuccalin:error_log_expose

Conversation

@diaconuccalin

Copy link
Copy Markdown

Summary

  • On pipeline failure, the gitlab-ci action now fetches the traces of failed GitLab jobs via the API and tails the last 200 lines of each into the GitHub Actions log, grouped per job — so failures can be debugged without direct access to the GitLab instance, using the same mirror token the action already uses.
  • Untrusted trace content is wrapped in ::stop-commands:: with a random token, so lines like ::error:: in a trace are printed literally rather than interpreted as workflow commands.
  • The API token is passed to curl via a 0600 config file (-K) rather than on the command line, keeping it out of argv/ps.
  • Trace filenames are suffixed with the unique job id, avoiding collisions between retried or same-named jobs.
  • The step is gated on if: failure() and the script always exits 0, so it can never turn a green run red or mask the real failure.

…lure

On pipeline failure, fetch the traces of failed GitLab jobs via the API and
tail them into the GitHub Actions log, grouped per job, so failures can be
debugged without direct GitLab access. Untrusted trace content is wrapped in
::stop-commands:: with a random token. The API token is passed via a 0600 curl
config file rather than argv, and trace filenames are suffixed with the job id
to avoid collisions between same-named jobs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@diaconuccalin diaconuccalin requested a review from Xeratec May 27, 2026 16:50
@diaconuccalin diaconuccalin self-assigned this May 27, 2026
@diaconuccalin diaconuccalin added the enhancement New feature or request label May 27, 2026

@Xeratec Xeratec left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! I just have one change and one request. Would it be possible to test this action in one of your repos, like MAGIA? I believe this would be possible by tagging the commit directly.

For example, the workflow could use:

uses: diaconuccalin/pulp-actions/gitlab-ci@error_log_expose

or, for the specific commit:

uses: diaconuccalin/pulp-actions/gitlab-ci@ac8a2e13f0f99bef678224f61fe7cf1b65575a08

Comment thread gitlab-ci/README.md

Optional inputs controlling the Gitlab API version and timeouts are available; see `action.yml`.

On pipeline failure, the action automatically fetches the traces of failed GitLab jobs and tails them into the GitHub Actions log (grouped per job), so you can see what went wrong without leaving the Actions UI and without needing personal access to the GitLab instance (the traces are fetched using the same mirror `token` the action already uses). Only the last 200 lines of each job's trace are printed (the failure is usually at the end); see the full trace in GitLab or adjust the parameter in the .yml if you need more context.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tail -n 200 is hardcoded in action.yml, so there's no input for it. Please expose it as an input (e.g. trace-tail-lines, defaulting to 200).

@fischeti

Copy link
Copy Markdown
Contributor

I think this feature should be opt in. One of the reasons why we do have an internal Gitlab CI is to shield sensitive information from the public e.g. technology information.

diaconuccalin added a commit to pulp-platform/magia-sdk that referenced this pull request Jun 11, 2026
Point the workflow at the fork commit under review in pulp-platform/pulp-actions#28,
which internalises error log fetching and display into the reusable action.
Remove the now-redundant inline steps from this repo.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@diaconuccalin

Copy link
Copy Markdown
Author

Looks good! I just have one change and one request. Would it be possible to test this action in one of your repos, like MAGIA? I believe this would be possible by tagging the commit directly.

For example, the workflow could use:

uses: diaconuccalin/pulp-actions/gitlab-ci@error_log_expose

or, for the specific commit:

uses: diaconuccalin/pulp-actions/gitlab-ci@ac8a2e13f0f99bef678224f61fe7cf1b65575a08

Hey @Xeratec, here it is, a CI run with a failure meant to surface the error log.

Add `expose-error-logs` (default: false) to avoid leaking sensitive
trace content by default, and `trace-tail-lines` (default: 200) to
make the tail length configurable.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@diaconuccalin diaconuccalin requested a review from Xeratec June 11, 2026 15:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants