feat(gitlab): support self-hosted GitLab via configurable API base

[b3cramer]

Problem

The GitLab features hard-coded https://gitlab.com/api/v4 as the API base (DEFAULT_GITLAB_API in lib/gitlab.axl). Every gitlab.* helper already accepted an api_base parameter, but no caller ever passed one — so commit statuses, the rolling MR status comment, and inline lint discussions could only ever target gitlab.com. Self-hosted GitLab instances had no way in.

Change

Add gitlab.resolve_api_base(env) and thread the resolved base through every gitlab.* call in the three GitLab features.

Resolution precedence:

1. ASPECT_GITLAB_API_URL — explicit override, matching the existing ASPECT_GITLAB_* escape-hatch family in gitlab_detect.axl (for Aspect-Workflows runners on a non-GitLab CI host posting back to a self-hosted GitLab MR). Accepts either a full API base (https://self-hosted.gitlab.com/api/v4) or a bare instance root (https://self-hosted.gitlab.com), to which /api/v4 is appended. A trailing slash is trimmed.
2. CI_API_V4_URL — set natively by GitLab CI on every job and already points at the running instance's API, so self-hosted GitLab CI needs zero extra config.
3. https://gitlab.com/api/v4 — unchanged default when neither is set.

Threaded through all three features:

• feature/gitlab_commit_statuses.axl — the commit-status POST
• feature/gitlab_status_comments.axl — all six notes list/create/update/delete calls
• feature/gitlab_lint_comments.axl — merge_requests.list_changes + all five discussions calls (carried on the gl context dict)

---

Changes are visible to end-users: yes

• Searched for relevant documentation and updated as needed: no — flagged for a follow-up docsite update

• Breaking change (forces users to change their own code or config): no — default behavior on gitlab.com is unchanged

• Suggested release notes appear below: yes

• GitLab integrations (commit statuses, MR status comments, inline lint discussions) now work against self-hosted GitLab. Under GitLab CI this is automatic via CI_API_V4_URL; elsewhere set ASPECT_GITLAB_API_URL to your instance's API base.

Test plan

• Added five resolve_api_base unit cases to lib/gitlab_test.axl (default, CI_API_V4_URL, override precedence, bare-root /api/v4 append, trailing-slash trim) plus the facade shape check.
• aspect dev test-gitlab-client → gitlab.axl smoke: OK
• aspect tests axl → 790 tests passed (confirms all three edited feature files still load)

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 35cfdd32f5

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Thread GitLab host into token minting

When these branches return a self-hosted API base, the subsequent feature code sends API calls to that host but still mints/reuses tokens through gitlab_token_cache.get_or_mint using only project_path, project_id, and roles. GitLab project paths and numeric IDs are only unique within an instance, so a self-hosted job for a path that also exists elsewhere can get or reuse a token for the wrong installation and then all calls made with this new api_base will 401. Please include the resolved host/API base in the auth payload and token-cache key before using it for self-hosted calls.

Useful? React with 👍 / 👎.

[aspect-workflows]

✨ Aspect Workflows Tasks

📅 Mon Jun 15 23:29:42 UTC 2026

✅ 12 successful tasks

• ✅ build (build-gha-debug) · ⏱ 3m 2s · ✨ Aspect · 🐙 GitHub Actions · ☑️ Check
  💬 Bazel build complete (165 built)
• ✅ build (build-gha) · ⏱ 3m 44s · ✨ Aspect · 🐙 GitHub Actions · ☑️ Check
  💬 Bazel build complete (165 built)
• ✅ buildifier (buildifier-gha-debug) · ⏱ 1m 27s · 🐙 GitHub Actions · ☑️ Check
  💬 Format complete (clean)
• ✅ buildifier (buildifier-gha) · ⏱ 38.8s · 🐙 GitHub Actions · ☑️ Check
  💬 Format complete (clean)
• ✅ format (format-gha-debug) · ⏱ 1m 24s · 🐙 GitHub Actions · ☑️ Check
  💬 Format complete (clean)
• ✅ format (format-gha) · ⏱ 2m 11s · 🐙 GitHub Actions · ☑️ Check
  💬 Format complete (clean)
• ✅ gazelle (gazelle-gha-debug) · ⏱ 49.7s · 🐙 GitHub Actions · ☑️ Check
  💬 Gazelle complete (clean)
• ✅ gazelle (gazelle-from-source-gha) · ⏱ 2m 15s · 🐙 GitHub Actions · ☑️ Check
  💬 Gazelle complete (clean)
• ✅ lint (lint-gha-debug) · ⏱ 37.4s · 🐙 GitHub Actions · ☑️ Check
  💬 Lint complete (clean)
• ✅ lint (lint-gha) · ⏱ 1m 40s · 🐙 GitHub Actions · ☑️ Check
  💬 Lint complete (clean)
• ✅ test (test-gha-debug) · ⏱ 3m 51s · ✨ Aspect · 🐙 GitHub Actions · ☑️ Check
  💬 Bazel test complete (25/25 passed · 25 cached)
• ✅ test (test-gha) · ⏱ 4m 23s · ✨ Aspect · 🐙 GitHub Actions · ☑️ Check
  💬 Bazel test complete (25/25 passed · 25 cached)

---

_{⏱ Last updated Mon Jun 15 23:36:04 UTC 2026 · 📊 GitHub API quota 46/15,000 (0% used, resets in 54m)
🚀 Powered by Aspect CLI (v0.0.0-dev)  |  Aspect Build · X · LinkedIn · YouTube}

[b3cramer]

Docs for this (and the auth follow-up #1237): aspect-build/site#1072