Skip to content

Add support for disabling SSL verification in GitLab client#1364

Open
BB-steel wants to merge 1 commit intopython-semantic-release:masterfrom
BB-steel:allow_insecure_gitlab
Open

Add support for disabling SSL verification in GitLab client#1364
BB-steel wants to merge 1 commit intopython-semantic-release:masterfrom
BB-steel:allow_insecure_gitlab

Conversation

@BB-steel
Copy link

@BB-steel BB-steel commented Nov 7, 2025
edited by codejedi365
Loading

Purpose

This pull request fixes a bug where python-semantic-release fails to create releases on self-hosted GitLab instances that use self-signed or internally-issued SSL certificates.

When the insecure = true flag is set in pyproject.toml, the release process currently fails with an SSLCertVerificationError, preventing users from publishing releases in their private GitLab environments. This PR ensures that the insecure flag is correctly honored.

Solves: requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed when running semantic-release publish against a self-hosted GitLab instance.

Rationale

The root cause of the issue is that the allow_insecure parameter in the semantic_release.hvcs.gitlab.Gitlab class was not being passed down to the underlying python-gitlab client.

The gitlab.Gitlab constructor accepts an ssl_verify parameter, which defaults to True. The python-semantic-release wrapper did not utilize the allow_insecure flag to modify this behavior. As a result, the python-gitlab client always attempted to verify SSL certificates, regardless of the user's configuration in pyproject.toml.

The solution is to explicitly pass ssl_verify=not allow_insecure during the initialization of the gitlab.Gitlab client within semantic_release/hvcs/gitlab.py. This directly connects the configuration option to the client's behavior, making the insecure flag work as intended.

Workarounds like setting REQUESTS_CA_BUNDLE or GITLAB_SSL_VERIFY environment variables were considered but are less ideal as they require extra configuration in the user's CI/CD environment rather than fixing the bug at its source.

How did you test?

This change was validated through manual end-to-end testing in a CI/CD environment that replicates the original issue.

Methodology:

  1. Forked the Repository: Created a fork of python-semantic-release and applied the code change on a new branch.
  2. CI Pipeline Setup: Configured a GitLab CI pipeline to run against a self-hosted GitLab instance using a self-signed certificate.
  3. Configuration: The pyproject.toml file was configured with the following remote settings: 
    [tool.semantic_release.remote]
type = "gitlab"
insecure = true
gitlab_url = "https://your.self-hosted.gitlab"
  4. Installation: The CI job was modified to install python-semantic-release directly from the forked Git repository and branch. 
    - uv pip install "git+https://github.com/your-username/python-semantic-release.git@fix/gitlab-ssl-verify"
  5. Execution: Ran the semantic-release publish command.
  6. Validation:
    • Before Fix: The pipeline failed with the SSLCertVerificationError.
    • After Fix: The pipeline successfully executed the publish step, creating a new release in the self-hosted GitLab project.

No edge cases were identified, as this change simply wires a boolean flag to its intended destination. Existing unit tests continue to pass.

How to Verify

A reviewer can verify this fix by following these steps:

  1. Check out this PR branch locally.
  2. Set up a test environment pointing to a self-hosted GitLab instance that uses a self-signed or non-publicly trusted SSL certificate.
  3. In a test project, configure pyproject.toml as follows: 
    [tool.semantic_release]
# ... other settings
[tool.semantic_release.remote]
type = "gitlab"
gitlab_url = "https://your.gitlab.instance"
token = { env = "GITLAB_TOKEN" }
insecure = true
  4. Install this patched version of python-semantic-release.
  5. Run semantic-release publish.
  6. Expected Result: The command should complete successfully, creating a release on the GitLab instance without any SSL errors. To confirm the failure, run the same command on the main branch, which should fail with the SSLCertVerificationError.

PR Completion Checklist

  • Reviewed & followed the Contributor Guidelines
  • Changes Implemented & Validation pipeline succeeds
  • Commits follow the Conventional Commits standard and are separated into the proper commit type and scope (recommended order: test, build, feat/fix, docs)
  • Appropriate Unit tests added/updated
  • Appropriate End-to-End tests added/updated
  • Appropriate Documentation added/updated and syntax validated for sphinx build (see Contributor Guidelines)

@codejedi365 codejedi365 requested a review from Copilot November 7, 2025 15:39
Copilot AI reviewed Nov 7, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds SSL certificate verification configuration to the GitLab HVCS client by passing the ssl_verify parameter to the gitlab.Gitlab constructor.

  • Adds ssl_verify=not allow_insecure parameter when initializing the GitLab client to properly handle SSL/TLS certificate verification

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@codejedi365
Copy link
Contributor

codejedi365 commented Nov 13, 2025

Thank you for contributing to PSR to help make it better for everyone.

This PR ensures that the insecure flag is correctly honored.

It was actually not intended for this purpose but I am amenable to adapting it to allow insecure SSL configurations. With this in mind, it is important to update the documentation around the insecure option in the configuration to provide an explanation for what it supports. The original intent was to help prevent typos in the configuration for those who might have forgotten the s on https. It would then have to be deliberate to allow a plaintext communication.

Separately, we would also need to enable insecure SSL for the other VCS's which use the requests library to be consistent.

This change was validated through manual end-to-end testing in a CI/CD environment that replicates the original issue.

Although, I appreciate you have tested it manually, that does not help us prevent regressions in the future. This should be a fairly simple mocking action of the requests library to simulate the SSL failure exception right?

  1. Execution: Ran the semantic-release publish command.

I am glad you listed out your methodology as that is very helpful for understanding the workflow tested. However, I am confused about why you used the publish command? The publish command is disabled for GitLab--did you mean version?

Lastly, please only complete the PR checklist when you have completed the actions requested.

@codejedi365 codejedi365 added the awaiting-reply Waiting for response label Nov 13, 2025
@github-actions
Copy link

github-actions bot commented Nov 27, 2025

This PR has not received a response in 14 days. If no response is received in 7 days, it will be closed. We look forward to hearing from you.

@github-actions
Copy link

github-actions bot commented Dec 4, 2025

This PR was closed because no response was received.

@github-actions github-actions bot closed this Dec 4, 2025
@codejedi365 codejedi365 reopened this Dec 8, 2025
@codejedi365 codejedi365 added confirmed Prevent from becoming stale and removed awaiting-reply Waiting for response unresponsive labels Dec 8, 2025
@codejedi365 codejedi365 assigned codejedi365 and unassigned BB-steel Dec 8, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

@codejedi365 codejedi365

Labels

confirmed Prevent from becoming stale

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@BB-steel @codejedi365 @SteelScript