I'm in the process of migrating our internal GitLab-CE to GitLab-EE. When checking that CI pipelines work correctly, I noticed that the ones that clone repositories using CI_JOB_TOKEN did not work. After some debugging I managed track down the error to the actually git clone command. The command does not work if the access token is part of the clone URL. To test my hypothesis, I created a personal access token and tried to clone a repository using command
git clone https:\\myusername:[email protected]/myusername/project1.git
. The command fails with Authentication error (403 from gitlab nginx).
when I run the same command in interactive mode: git clone https:\\[email protected]/myusername/project1.git
and use my access token as password when I'm prompted the command works fine.
Any idea what the problem is. Is there some configuration setting that disallows the use of passwords/tokens as part of the URL.
P.S. Our server is using self-signed certificate at the moment, but I don't think that's the problem since the second command works fine.
CodePudding user response:
After some testing and googling I managed to find a workaround. Using a shell script in combination with environmental variable, the pipeline now works with following steps (.gitlab-ci.yml):
script:
- echo 'echo $CI_JOB_TOKEN' > ~./.git-askpass
- chmod x ~./.git-askpass
- export GIT_ASKPASS=~./.git-askpass
- git clone https:\\[email protected]/myusername/project1.git
Now when git clone command prompts for password for user gitlab-ci-token, the script is executed and output is used as password/token.
It is interesting why I couldn't get this to work without this workaround considering the official documentation uses the token as part of the url (https://docs.gitlab.com/ee/ci/jobs/ci_job_token.html#gitlab-cicd-job-token), and since it was working on the older gitlab installation (old was 13.7.3 CE and new is 14.7.0 EE).