Explicitly document all operations/systems `CI_JOB_TOKEN` can and cannot be used for
Problem to solve
- What product or feature(s) affected?
- API
- CI/CD
- Security
- What docs or doc section affected? Include links or paths.
- https://docs.gitlab.com/ee/user/project/new_ci_build_permissions_model.html
- Many other doc pages that independently reference
CI_JOB_TOKENusage
- Is there a problem with a specific document, or a feature/process that's not addressed sufficiently in docs?
- There is no unified doc that lists out all places where
CI_JOB_TOKENcan and cannot be used for authentication. - Moreover, existing documentation tends to imply
CI_JOB_TOKENcan be used as a universal replacement for virtually any kind of request to various parts of the system, but this is not actually the case.
- There is no unified doc that lists out all places where
Further details
- API endpoints inconsistently accept a
CI_JOB_TOKEN- Downloading CI artifacts work
- Creating MRs appears to require a
PERSONAL_ACCESS_TOKEN
- Container registry works
- Package registry works
-
git clone/pulloperations work -
git pushoperations do not work? - ...?
Proposal
I think CI_JOB_TOKEN should in fact be a valid auth mechanism in all cases, but the first step to achieving that will be compiling and understanding current limitations.
tl;dr: there should be a table on the "New CI job permissions model" page that lists:
| System | CI_JOB_TOKEN |
PERSONAL_ACCESS_TOKEN |
|---|---|---|
| Artifact API | ||
| Example | ||
| Example |
Edited by Marshall Cottrell