Pipelines created by project access tokens fail with 'HTTP Basic: Access denied'
Summary
- I'm using GitLab Community Edition 13.4.1 with GitLab Runner 13.4.0 because I was waiting for #219551 (closed) to be fixed.
- I want to use project access tokens for creating new branches and pushing changes on them. This results in a build pipeline that is running with the privileges of the bot user that is associated with the project access token.
- If the build job that is running with the privileges of the bot user is assigned to a runner / executor where no previous copy of the repository exists (i.e. from prior build jobs for the same project), then the job is able to fetch / clone the source code of the repository (due to the fix in #219551 (closed)).
- However, if the build job is coincidentally assigned to a runner / executor where a previous copy of the repository exists, then the job is failing with the following error message:
Fetching changes with git depth set to 50...
Reinitialized existing Git repository in /builds/klaas.dellschaft/project-access-tokens/.git/
remote: HTTP Basic: Access denied
fatal: Authentication failed for 'https://git.example.com/klaas.dellschaft/project-access-tokens.git/'
Steps to reproduce
- Create an empty project
- In that project, create a project access token with the following scope: `api`, `write_repository`, `read_registry`, `write_registry`
- Put that project access token into the CI/CD variables under the variable name `PROJECT_ACCESS_TOKEN`
- Add the attached .gitlab-ci.yml to that project
- After adding the pipeline file, please manually trigger the job `create-branch-with-project-access-token`. This job will use the GitLab API to create a new branch, using `PROJECT_ACCESS_TOKEN` from the CI/CD variables. This will create a pipeline for the new branch, using the credentials of the bot user that is associated with the project access token.
- In the pipeline for the new branch, the job `hello-world` should automatically run. If this job is running on the same runner / executor as the jobs from the previous pipeline, then it fails with the above mentioned error message.
Example Project
Not possible to demonstrate on GitLab.com because project access tokens are not available there.
What is the current bug behavior?
After creating a new branch using a project access token, a new pipeline is created that is using the credentials of the bot user that is associated with the project access token. In this pipeline, jobs will fail with `HTTP Basic: Access denied` during fetching the source code if they are getting assigned to the same runner / executor as jobs from a previous pipeline (which checked out the same repository).
What is the expected correct behavior?
Jobs running with the privileges of a project access token bot user should be able to fetch updates for an already existing Git repository on the runner / executor.
Relevant logs and/or screenshots
Running with gitlab-runner 13.4.0 (xxx)
on runner-spawner xxx
Preparing the "docker+machine" executor
00:10
Using Docker executor with image docker:git ...
Pulling docker image docker:git ...
Using docker image sha256:a0025a0c916a31f6be729dda21ba2f4721b22ad603b15ec7cc9c1ae274e8e92a for alpine:latest with digest alpine@sha256:33803459febff4aea93f666e8f3431c008f44ed0008a1c9aa1be8ef4b3ad6f21 ...
Preparing environment
00:02
Running on runner-xxx-project-111-concurrent-0 via runner-xxx-gitlab-runner-machine-1601546011-7e230fee...
Getting source from Git repository
00:01
Fetching changes with git depth set to 50...
Reinitialized existing Git repository in /builds/klaas.dellschaft/project-access-tokens/.git/
remote: HTTP Basic: Access denied
fatal: Authentication failed for 'https://git.example.com/klaas.dellschaft/project-access-tokens.git/'
ERROR: Job failed: exit code 1
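A minimal pipeline matching the reproduction steps above, as an added example; it is not the `.gitlab-ci.yml` attached to the original issue. The job names and `PROJECT_ACCESS_TOKEN` come from the report, while the stage layout, the `alpine:latest` image and the `bot-branch-...` branch name are assumptions.

```yaml
# Constructed reproduction pipeline (assumption: NOT the file attached to the issue).
stages:
  - test
  - branch

# Runs automatically in every pipeline. In the first pipeline it leaves a
# working copy of the repository on the runner; in the pipeline created by the
# bot user it is the job that has to fetch into that existing copy.
hello-world:
  stage: test
  image: alpine:latest
  script:
    - echo "Hello world from ${CI_COMMIT_REF_NAME}"

# Triggered by hand. Creates a branch through the GitLab branches API,
# authenticating with the project access token, so the pipeline for the new
# branch runs as the bot user associated with that token.
create-branch-with-project-access-token:
  stage: branch
  image: alpine:latest
  when: manual
  script:
    - apk add --no-cache curl
    # PROJECT_ACCESS_TOKEN is read from the project's CI/CD variables.
    # The branch name is a constructed placeholder, unique per pipeline.
    - >
      curl --fail --silent --show-error --request POST
      --header "PRIVATE-TOKEN: ${PROJECT_ACCESS_TOKEN}"
      --data-urlencode "branch=bot-branch-${CI_PIPELINE_ID}"
      --data-urlencode "ref=${CI_COMMIT_SHA}"
      "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/repository/branches"
```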