Improve error messaging for CI_JOB_TOKEN, git repository
Original issue: #439655 (closed)
What does this MR do and why?
The goal of this MR is to improve error messaging when CI_JOB_TOKEN is used to access the git repository.
Instead of presenting an abstract error message: The project you were looking for could not be found or you don't have permission to view it.
When we get rejected because of CI_JOB_TOKEN permissions, we will expose the following error: Authentication by CI/CD job token not allowed from %{source_project_path} to %{target_project_path}.
The new error message covers all known requests via CI_JOB_TOKEN to the git repository:
- git clone
- git pull
- git fetch
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
Define various jobs in .gitlab-ci.yml
Configure two projects:
- git_clone_source_project
- test_ci_job_token_git_clone
Create a .gitlab-ci.yml file on test_ci_job_token_git_clone with the following instructions at the top:
```yaml
stages:
  - git
  - repo_api
  - deployment_api
  - environment_api

variables:
  SOURCE_PROJECT: "dmitry/test_ci_job_token_errors/git_clone_source_project.git"
  SOURCE_PROJECT_ID: "98"
  CURRENT_PROJECT_ID: "97"

clone_repo:
  stage: git
  needs: []
  script:
    - git clone $CI_REPOSITORY_URL
    - cd $CI_PROJECT_NAME
    - git checkout $CI_COMMIT_SHA
  artifacts:
    paths:
      - $CI_PROJECT_NAME
    expire_in: 1 hour

clone_source:
  stage: git
  needs: []
  script:
    - 'git clone http://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}:3000/${SOURCE_PROJECT} source_project'
    - cd source_project
    - git checkout $CI_COMMIT_REF_NAME || git checkout main # Fallback to main if branch doesn't exist
  artifacts:
    paths:
      - source_project
    expire_in: 1 hour

fetch_source:
  stage: git
  needs: []
  script:
    - mkdir source_project
    - cd source_project
    - git init
    - 'git remote add origin http://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}:3000/${SOURCE_PROJECT}'
    - git fetch origin
    - git checkout $CI_COMMIT_REF_NAME || git checkout main

pull_source:
  stage: git
  needs: []
  script:
    - mkdir -p source_project
    - cd source_project
    - git init
    - 'git remote add origin http://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}:3000/${SOURCE_PROJECT}'
    - git pull origin $CI_COMMIT_REF_NAME || git pull origin main # Pull the specified branch or fallback to main
  artifacts:
    paths:
      - source_project
    expire_in: 1 hour
```
- Test error message when test_ci_job_token_git_clone is not added to the allow list on git_clone_source_project
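The two messages quoted in this description can be told apart mechanically when reading job logs. The script below is an added example, not part of the merge request or of GitLab's code: it classifies captured git stderr and extracts the source and target project paths from the new message. The function names, the sample output and the full path of test_ci_job_token_git_clone are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify captured git stderr using the two messages quoted in this MR.
# Exact framing by git (e.g. a "remote:" prefix) is an assumption; matching is substring-based.

GENERIC_MSG="The project you were looking for could not be found or you don't have permission to view it."
# BRE for the new message; the two groups are %{source_project_path} and %{target_project_path}.
DENIED_RE='Authentication by CI/CD job token not allowed from \([^ ]*\) to \([^ ]*\)\.'

# Prints "job_token_denied <source> <target>", "generic_not_found" or "other".
classify_git_error() {
  denied=$(printf '%s\n' "$1" | sed -n "s|.*${DENIED_RE}.*|\1 \2|p" | head -n 1)
  if [ -n "$denied" ]; then
    echo "job_token_denied $denied"
  elif printf '%s\n' "$1" | grep -qF "$GENERIC_MSG"; then
    echo "generic_not_found"
  else
    echo "other"
  fi
}

# Turns the classification into a hint for whoever reads the job log.
explain_git_error() {
  # shellcheck disable=SC2046  # word splitting intended: project paths contain no spaces
  set -- $(classify_git_error "$1")
  case "$1" in
    job_token_denied)
      echo "Job token of $2 was rejected: add $2 to the job token allowlist of $3" ;;
    generic_not_found)
      echo "Generic rejection: project missing or not visible to this credential" ;;
    *)
      echo "Not an access error covered by this MR" ;;
  esac
}

# Constructed sample output (project paths assumed from the validation setup above).
SAMPLE_DENIED="Cloning into 'source_project'...
remote: Authentication by CI/CD job token not allowed from dmitry/test_ci_job_token_errors/test_ci_job_token_git_clone to dmitry/test_ci_job_token_errors/git_clone_source_project."
SAMPLE_GENERIC="remote: The project you were looking for could not be found or you don't have permission to view it."

explain_git_error "$SAMPLE_DENIED"
explain_git_error "$SAMPLE_GENERIC"
```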