Draft: Allow CI_JOB_TOKEN to push to the same repository
EDIT: superseded by !152096 (merged)
What does this MR do and why?
Allows CI Job to commit results into repository (#389060 (closed)).
Based on the code from #389060 (comment 1265554578)
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 06bdb2c1ddce..61e6ced9022e 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -326,6 +326,7 @@ def build_authentication_abilities
[
:read_project,
:build_download_code,
+ :build_push_code,
:build_read_container_image,
:build_create_container_image,
:build_destroy_container_image
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index 35b330fa0894..d33ffb145fb8 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -230,7 +230,7 @@ def check_authentication_abilities!
raise ForbiddenError, error_message(:auth_download)
end
when *PUSH_COMMANDS
- unless authentication_abilities.include?(:push_code)
+ unless authentication_abilities.include?(:push_code) || authentication_abilities.include?(:build_push_code)
raise ForbiddenError, error_message(:auth_upload)
end
end
@@ -340,7 +340,8 @@ def check_change_access!
if changes == ANY
can_push = deploy_key? ||
user_can_push? ||
- project&.any_branch_allows_collaboration?(user_access.user)
+ project&.any_branch_allows_collaboration?(user_access.user) ||
+ authentication_abilities.include?(:build_push_code) && user_can_push?
unless can_push
raise ForbiddenError, error_message(:push_code)How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Edited by Anatoli Babenia