Draft: Ensure allowed-protocols setting applies to CI_JOB_TOKEN
What does this MR do and why?
To be merged for %17.0
Ensure allowed-protocols setting applies to CI_JOB_TOKEN
There has been a carve-out in the "allowed protocols" setting, allowing CI jobs using the `CI_JOB_TOKEN` to clone a project via HTTPS even when the protocol setting is set to "SSH Only". This change removes the carve-out, and forces all project clone operations to follow the group or instance setting.
Origin of the carve-out in CE 10.7
Related to https://gitlab.com/gitlab-org/gitlab/-/issues/415580.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Previously when cloning a project from a group that is set to "SSH Only", it did not show the expected error message. I ran into some other permission issues, so I got a different error instead. With this change it shows the expected protocol error message.
| Before | After |
|---|---|
How to set up and validate locally
- Create a group called `ssh-only`
- In the "Group Settings" under "Permissions and Group Features", ensure the "Enabled git access protocols" setting is set to "Only SSH"
- Create a project in the group called `only-ssh-project`
- Create another project outside the group, in your own namespace, called `research-project`
- Add a `.gitlab-ci.yml` to `research-project` with the following line: `git clone https://gitlab-ci-token:$CI_JOB_TOKEN@gitlab-host.local/ssh-only/only-ssh-project.git`
- Ensure the error message "Git Access over HTTP is not allowed" is shown in the CI job logs
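The following is an added validation script for the steps above; it is not part of this MR or of GitLab's own code. A bare `git clone` in the job's `script:` fails the job on any error, so it cannot tell the expected protocol rejection apart from an unrelated failure (such as the permission error mentioned in the screenshots section). The script separates the two: the job passes only when the server answers with "Git Access over HTTP is not allowed", and fails, printing git's output, if the clone succeeds (carve-out still in effect) or dies for another reason. It assumes it runs inside a GitLab CI job, so the runner supplies the predefined `CI_JOB_TOKEN` and `CI_SERVER_HOST` variables, and that the target path `ssh-only/only-ssh-project` matches the group and project created in the setup steps. The function names are this example's own.

```sh
#!/bin/sh
# Added example for the validation steps above; not part of the MR.
# Assumptions: runs inside a GitLab CI job, so the runner provides the
# predefined variables CI_JOB_TOKEN and CI_SERVER_HOST; the target project
# path matches the group/project created in the setup steps.

# classify_clone_result STATUS STDERR
# Maps a git clone exit status plus its captured stderr to one of:
#   blocked - the group/instance protocol setting rejected the HTTPS clone
#   allowed - the clone succeeded (the CI_JOB_TOKEN carve-out is still in effect)
#   other   - an unrelated failure (authentication, DNS, missing project, ...)
classify_clone_result() {
  if [ "$1" -eq 0 ]; then
    echo allowed
    return
  fi
  case "$2" in
    *"Git Access over HTTP is not allowed"*) echo blocked ;;
    *) echo other ;;
  esac
}

# expect_blocked PROJECT_PATH
# Attempts an HTTPS clone with the job token and returns 0 only when the
# server rejects it with the protocol error; any other outcome returns 1 and
# prints git's output so the real cause is visible in the job log.
expect_blocked() {
  path=$1
  url="https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/${path}.git"
  dest=$(mktemp -d)
  # Capture stderr (where git reports the remote error); discard stdout.
  if err=$(git clone --quiet "$url" "$dest/repo" 2>&1 >/dev/null); then
    status=0
  else
    status=$?
  fi
  rm -rf "$dest"
  case "$(classify_clone_result "$status" "$err")" in
    blocked)
      echo "OK: HTTPS clone of $path rejected by the protocol setting"
      return 0 ;;
    allowed)
      echo "FAIL: HTTPS clone of $path succeeded; setting not enforced for CI_JOB_TOKEN"
      return 1 ;;
    *)
      echo "FAIL: HTTPS clone of $path failed for an unrelated reason (exit $status):"
      printf '%s\n' "$err"
      return 1 ;;
  esac
}

# Only perform the live check when the runner has provided the job variables,
# so the file can also be sourced or tested outside a CI job.
if [ -n "${CI_JOB_TOKEN:-}" ] && [ -n "${CI_SERVER_HOST:-}" ]; then
  expect_blocked "ssh-only/only-ssh-project"
fi
```

Save it as `validate-protocol.sh` in `research-project` and call it from the job's `script:` instead of the bare `git clone`; the job then fails unless the rejection message appears, which is the behaviour this MR is meant to guarantee.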