From 68f2cec077a2a993e3536eff2a46567de8a9cdce Mon Sep 17 00:00:00 2001
From: Diogo Simoes
Date: Fri, 25 Oct 2024 16:17:33 +0100
Subject: [PATCH] Gitlab docs improved; gitlab webhook secret config standadization
---
 docs/docs/installation/gitlab.md | 33 +++++++++++++++++-------
 pr_agent/servers/gitlab_webhook.py | 4 +--
 pr_agent/settings/.secrets_template.toml | 2 ++
 3 files changed, 28 insertions(+), 11 deletions(-)
diff --git a/docs/docs/installation/gitlab.md b/docs/docs/installation/gitlab.md
index 1551d2a17..5e0191105 100644
--- a/docs/docs/installation/gitlab.md
+++ b/docs/docs/installation/gitlab.md
@@ -42,21 +42,36 @@ Note that if your base branches are not protected, don't set the variables as `p ## Run a GitLab webhook server -1. From the GitLab workspace or group, create an access token. Enable the "api" scope only. +1. From the GitLab workspace or group, create an access token with "Reporter" role and "api" scope. 2. Generate a random secret for your app, and save it for later. For example, you can use: ``` WEBHOOK_SECRET=$(python -c "import secrets; print(secrets.token_hex(10))") ``` -3. Follow the instructions to build the Docker image, setup a secrets file and deploy on your own server from [here](https://qodo-merge-docs.qodo.ai/installation/github/#run-as-a-github-app) steps 4-7. -4. In the secrets file, fill in the following: - - Your OpenAI key. - - In the [gitlab] section, fill in personal_access_token and shared_secret. The access token can be a personal access token, or a group or project access token. - - Set deployment_type to 'gitlab' in [configuration.toml](https://github.com/Codium-ai/pr-agent/blob/main/pr_agent/settings/configuration.toml) +3. Clone this repository: -5. Create a webhook in GitLab. Set the URL to ```http[s]:///webhook```. Set the secret token to the generated secret from step 2. -In the "Trigger" section, check the ‘comments’ and ‘merge request events’ boxes. +``` +git clone https://github.com/Codium-ai/pr-agent.git +``` + +4. Prepare variables and secrets. Skip this setp if you plan on settings these as environment variables when running the agent: + 1. In the configuration file/variables: + - Set `deployment_type` to "gitlab" + + 2. In the secrets file/variables: + - Set your AI model key in the respective section + - In the [gitlab] section, set `personal_access_token` (with token from step 1) and `webhook_secret` (with secret from step 2) + + +5. Build a Docker image for the app and optionally push it to a Docker repository. We'll use Dockerhub as an example: +``` +docker build . 
-t gitlab_pr_agent --target gitlab_webhook -f docker/Dockerfile +docker push codiumai/pr-agent:gitlab_webhook # Push to your Docker repository +``` + +6. Create a webhook in GitLab. Set the URL to ```http[s]:///webhook```, the secret token to the generated secret from step 2, andenable the triggers `push`, `comments` and `merge request events`. -6. Test your installation by opening a merge request or commenting or a merge request using one of CodiumAI's commands. +7. Test your installation by opening a merge request or commenting or a merge request using one of CodiumAI's commands. +boxes \ No newline at end of file diff --git a/pr_agent/servers/gitlab_webhook.py b/pr_agent/servers/gitlab_webhook.py index e3e80dfae..3842245cb 100644 --- a/pr_agent/servers/gitlab_webhook.py +++ b/pr_agent/servers/gitlab_webhook.py @@ -159,8 +159,8 @@ async def inner(data: dict): except Exception as e: get_logger().error(f"Failed to validate secret {request_token}: {e}") return JSONResponse(status_code=status.HTTP_401_UNAUTHORIZED, content=jsonable_encoder({"message": "unauthorized"})) - elif get_settings().get("GITLAB.SHARED_SECRET"): - secret = get_settings().get("GITLAB.SHARED_SECRET") + elif get_settings().get("GITLAB.SHARED_SECRET") or get_settings().get("GITLAB.WEBHOOK_SECRET"): + secret = get_settings().get("GITLAB.SHARED_SECRET") or get_settings().get("GITLAB.WEBHOOK_SECRET") if not request.headers.get("X-Gitlab-Token") == secret: get_logger().error("Failed to validate secret") return JSONResponse(status_code=status.HTTP_401_UNAUTHORIZED, content=jsonable_encoder({"message": "unauthorized"})) diff --git a/pr_agent/settings/.secrets_template.toml b/pr_agent/settings/.secrets_template.toml index 674a3221c..9b194dda6 100644 --- a/pr_agent/settings/.secrets_template.toml +++ b/pr_agent/settings/.secrets_template.toml 
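Review bot: The new fallback on the `elif` and `secret =` lines gives the legacy `GITLAB.SHARED_SECRET` precedence over `GITLAB.WEBHOOK_SECRET`, so a deployment that sets a fresh `webhook_secret` while an old `shared_secret` is still configured keeps validating against the old value without any warning. Resolve the secret once and prefer the documented key, e.g. `secret = get_settings().get("GITLAB.WEBHOOK_SECRET") or get_settings().get("GITLAB.SHARED_SECRET")`, and log a warning when both are set and differ. The unchanged comparison `request.headers.get("X-Gitlab-Token") == secret` is not constant-time; `hmac.compare_digest(request.headers.get("X-Gitlab-Token", "").encode(), str(secret).encode())` would be the safer check (it needs `import hmac`, and the file's import block is not visible here). The context line above also interpolates `request_token` into the error log, which writes the presented credential to log storage. `inner` starts and ends outside this hunk, so what happens when neither key is set cannot be judged from here.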
@@ -60,6 +60,8 @@ webhook_secret = "" # Optional, may be commented out. [gitlab] # Gitlab personal access token personal_access_token = "" +webhook_secret = "" +shared_secret = "" # same as shared_secret, kept for backwards compatibility [bitbucket] # For Bitbucket personal/repository bearer token
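Review bot: The comment on the added `shared_secret` line reads "same as shared_secret", which is self-referential and leaves it unclear which of the two keys is the legacy one. It should name the new key, e.g. `shared_secret = ""  # legacy alias of webhook_secret, kept for backwards compatibility`, and state which value takes effect when both are filled in, since the webhook handler changed in this commit reads `GITLAB.SHARED_SECRET` first. A short comment on `webhook_secret` saying that it must match the secret token configured on the GitLab webhook would also help operators.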