Use running job's token to download artifacts from job dependencies
What does this MR do and why?
Change authentication of job artifact request from runner to use the token belonging to the running job, instead of the tokens belonging to the dependency jobs.
The authentication checks if the provided token belongs to a running job created by a user who has read access to the dependency jobs.
Related to #223214
Screenshots or screen recordings
How to set up and validate locally
- Enable the feature flag
:ci_authenticate_running_job_token_for_artifacts
Feature.enable(:ci_authenticate_running_job_token_for_artifacts)
- Create a pipeline with multiple jobs that have dependency on artifacts from previous jobs
- Run a pipeline
- Verify that the artifacts are passed on from one job to the next.
- Additionally, verify that when the a job is retried by another developer in the project, the retried job also has access to the dependency job artifacts.
Example CI config:
stages:
- one
- two
test-one:
stage: one
script:
- echo "Hello world" > hello.txt
artifacts:
paths:
- hello.txt
test-two:
stage: two
script:
- echo "Bye world" > bye.txt
artifacts:
paths:
- hello.txt
- bye.txt
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Edited by Albert