Documentation unclear that a CI_JOB_TOKEN cannot access generic packages from *another* project's package registry
Problem to solve
The documentation for package registries and CI_JOB_TOKEN
(implicitly) suggests that a CI has access to (generic) packages, i.e. not limited to URLs pointing to CI_PROJECT_ID
. In practise it appears to be the case that access to other projects using the CI_JOB_TOKEN
fail, with a 404
at that (instead of the expected 401
).
If this behaviour is by design (for security reasons), and e.g. deployment tokens would be more appropriate to use for such access, make the documentation more clear in this respect (and mention deployment tokens in the context as well).