Use running job's token to download artifacts from job dependencies

What does this MR do and why?

Change authentication of job artifact request from runner to use the token belonging to the running job, instead of the tokens belonging to the dependency jobs.

The authentication checks if the provided token belongs to a running job created by a user who has read access to the dependency jobs.

Related to #223214

How to set up and validate locally

  1. Enable the feature flag :ci_authenticate_running_job_token_for_artifacts
    Feature.enable(:ci_authenticate_running_job_token_for_artifacts)
  2. Create a pipeline with multiple jobs that have a dependency on artifacts from previous jobs.
  3. Run a pipeline.
  4. Verify that the artifacts are passed on from one job to the next.
  5. Additionally, verify that when a job is retried by another developer in the project, the retried job also has access to the dependency job artifacts.

Example CI config:

stages:
    - one
    - two

test-one:
    stage: one
    script:
        - echo "Hello world" > hello.txt
    artifacts:
        paths:
            - hello.txt

test-two:
    stage: two
    script:
        - echo "Bye world" > bye.txt
    artifacts:
        paths:
            - hello.txt
            - bye.txt

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Albert
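
The authentication check described above, modelled as an added Ruby example (not code from this merge request or from GitLab). The class, method, user and token names and the sample jobs are hypothetical and constructed for illustration.

```ruby
# Illustrative model only: names below are hypothetical, not GitLab's code.
require 'set'

Job = Struct.new(:name, :project, :user, :status, :token, keyword_init: true)

class ArtifactAuthorizer
  # readers maps a project name to the set of users with read access.
  def initialize(jobs, readers)
    @jobs_by_token = jobs.to_h { |job| [job.token, job] }
    @readers = readers
  end

  # Previous scheme: the request carries the dependency job's own token.
  def legacy_allowed?(token, dependency)
    !token.nil? && token == dependency.token
  end

  # New scheme: the token must resolve to a running job whose user
  # has read access to the dependency job.
  def allowed?(token, dependency)
    job = @jobs_by_token[token]
    return false if job.nil?                    # unknown token
    return false unless job.status == :running  # finished jobs cannot authenticate
    @readers.fetch(dependency.project, Set.new).include?(job.user)
  end
end

# Constructed sample data mirroring the validation steps.
TEST_ONE = Job.new(name: 'test-one', project: 'demo', user: 'alice',
                   status: :success, token: 'tok-one')
TEST_TWO = Job.new(name: 'test-two', project: 'demo', user: 'alice',
                   status: :running, token: 'tok-two')
RETRY    = Job.new(name: 'test-two', project: 'demo', user: 'bob',
                   status: :running, token: 'tok-retry')
FOREIGN  = Job.new(name: 'build', project: 'other', user: 'carol',
                   status: :running, token: 'tok-foreign')

AUTH = ArtifactAuthorizer.new([TEST_ONE, TEST_TWO, RETRY, FOREIGN],
                              { 'demo' => Set['alice', 'bob'], 'other' => Set['carol'] })

if __FILE__ == $PROGRAM_NAME
  [TEST_TWO, RETRY, FOREIGN, TEST_ONE].each do |job|
    puts format('%-9s by %-5s token=%-11s -> %s', job.name, job.user, job.token,
                AUTH.allowed?(job.token, TEST_ONE) ? 'allow' : 'deny')
  end
end
```

In this model the retried job started by a second project member is allowed, while a token from a finished job or from a user without read access to the dependency job is denied.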
