Allow download of project via API using CI_JOB_TOKEN as authentication
Problem to solve
$CI_JOB_TOKEN is usable to clone other dependent projects, but you cannot do the same via API to download a bare archive of the same stuff.
Further details
I have a PHP project with a build in GitLab CI. That project has another private project as a dependency. PHP's package manager, Composer, already has the capability of using a personal access token to download (instead of clone) GitLab private projects as dependencies. This forces me to add a personal access token in my CI to use it, instead of being able to use a more secure, one-use token.
Proposal
Allow usage of $CI_JOB_TOKEN to authenticate against (dependent) projects' APIs, with read-only permissions.
What does success look like, and how can we measure that?
I should be able to use the $CI_JOB_TOKEN as an OAuth or private token in my PHP build to download the other project as a dependency:
composer config --auth gitlab-oauth.gitlab.com $CI_JOB_TOKEN