Draft: Allow different push credentials for auto-build
Currently the `$CI_JOB_TOKEN` only allows read access to other projects' container registries. Docker build + any `FROM` statements work just fine with this. woo!
The issue comes when trying to push a container to another project using the job token.
Why not use a deploy token or PAT?
If the namespace/group of the projects we need to pull images from is not the same as the one we need to push to, then I either need a PAT (not ideal), or a deploy token, which doesn't work.
e.g.
/groupA/project_i_pull_from_A
/groupA/project_i_pull_from_B
/groupA/project_i_pull_from_C
/groupB/central_container_registry_project_i_need_to_push_to
This issue stems from the way GitLab handles auth to the registry:

pull:

```ruby
def build_can_pull?(requested_project)
  # Build can:
  # 1. pull from its own project (for ex. a build)
  # 2. read images from dependent projects if creator of build is a team member
  has_authentication_ability?(:build_read_container_image) &&
    (requested_project == project || can_user?(:build_read_container_image, requested_project))
end
```

push:

```ruby
def build_can_push?(requested_project)
  # Build can push only to the project from which it originates
  has_authentication_ability?(:build_create_container_image) &&
    requested_project == project
end
```
This change means I can use a `CI_JOB_TOKEN` for pulling container images and use the "Allow Token" feature inside GitLab to grant access across projects, but also provide a deploy token to then push my container somewhere else :)
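To make the distinction concrete, here is an added Ruby model (not GitLab's code) of the rules quoted above, with a deploy token alongside the job token; the `/groupA/builder` project that runs the job, and `allowed_sources` as a stand-in for the allowlist / `can_user?` check, are assumptions.

```ruby
# Added illustration, not GitLab's own code: a minimal model of the quoted
# authorization rules; allowed_sources stands in for the "Allow token" list.
Project = Struct.new(:path, :allowed_sources)

# CI_JOB_TOKEN: pull from own or allow-listed project, push only to own.
class JobToken
  def initialize(project)
    @project = project
  end

  def can_pull?(target)
    target == @project || target.allowed_sources.include?(@project)
  end

  def can_push?(target)
    target == @project
  end
end

# Deploy token bound to one project; read_registry / write_registry are real GitLab scopes.
class DeployToken
  def initialize(project, scopes)
    @project = project
    @scopes = scopes
  end

  def can_pull?(target)
    target == @project && @scopes.include?(:read_registry)
  end

  def can_push?(target)
    target == @project && @scopes.include?(:write_registry)
  end
end

# First credential that authorizes the action: the job token serves pulls,
# the separately supplied deploy token the cross-group push.
def registry_credential_for(action, target, credentials)
  credentials.find { |c| c.public_send("can_#{action}?", target) }
end

def scenario
  builder = Project.new('/groupA/builder', []) # assumed: project running the job
  pull_a  = Project.new('/groupA/project_i_pull_from_A', [builder])
  central = Project.new('/groupB/central_container_registry_project_i_need_to_push_to', [])
  job, deploy = JobToken.new(builder), DeployToken.new(central, [:write_registry])
  { pull_a_via_job_token: job.can_pull?(pull_a),
    push_central_via_job_token: job.can_push?(central),
    push_central_credential: registry_credential_for(:push, central, [job, deploy]) }
end
```

`scenario` shows the job token pulling from the allow-listed groupA project but being refused for the groupB push, which only the write_registry deploy token can authorize.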
Happy for thoughts, updates, discussion around this :)