Jobs fail with 403 for public projects when protocols are SSH only

Summary

When a GitLab instance is using SSH only for git protocols, projects with public visibility fail their CI/CD jobs with a 403 error.

Steps to reproduce

  1. Set Enabled Git access protocols to "Only SSH"
  2. Try to run any CI/CD job for a public project

.gitlab-ci.yml
image: "busybox:latest"

test:
  script:
    - echo "Hello World"

Actual behavior

When the job is run for a public project, it fails with fatal: unable to access 'https://gitlab-ci-token:[MASKED]@git.satanic.cloud/jcolyer/test-project.git/': The requested URL returned error: 403

Expected behavior

The job should run normally

Relevant logs and/or screenshots

job log while project is private
Running with gitlab-runner 12.0.0 (6946bae7)
  on runner-gitlab-runner-b795b5986-rpwzq rx_zoYb3
Using Kubernetes namespace: gitlab-managed-apps
Using Kubernetes executor with image busybox:latest ...
Waiting for pod gitlab-managed-apps/runner-rxzoyb3-project-68-concurrent-0wdfvj to be running, status is Pending
Waiting for pod gitlab-managed-apps/runner-rxzoyb3-project-68-concurrent-0wdfvj to be running, status is Pending
Running on runner-rxzoyb3-project-68-concurrent-0wdfvj via runner-gitlab-runner-b795b5986-rpwzq...
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/jcolyer/test-project/.git/
Created fresh repository.
From https://git.satanic.cloud/jcolyer/test-project
 * [new branch]      master     -> origin/master
Checking out 604cc7c0 as master...

Skipping Git submodules setup
$ echo "Hello World"
Hello World
Job succeeded

job log while project is public
Running with gitlab-runner 12.0.0 (6946bae7)
  on runner-gitlab-runner-b795b5986-rpwzq rx_zoYb3
Using Kubernetes namespace: gitlab-managed-apps
Using Kubernetes executor with image busybox:latest ...
Waiting for pod gitlab-managed-apps/runner-rxzoyb3-project-68-concurrent-0mdz2b to be running, status is Pending
Waiting for pod gitlab-managed-apps/runner-rxzoyb3-project-68-concurrent-0mdz2b to be running, status is Pending
Running on runner-rxzoyb3-project-68-concurrent-0mdz2b via runner-gitlab-runner-b795b5986-rpwzq...
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/jcolyer/test-project/.git/
Created fresh repository.
remote: Git access over HTTP is not allowed
fatal: unable to access 'https://gitlab-ci-token:[MASKED]@git.satanic.cloud/jcolyer/test-project.git/': The requested URL returned error: 403
ERROR: Job failed: command terminated with exit code 1

Environment description

GitLab instance env info
root@git:~# gitlab-rake gitlab:env:info

System information
System:		Ubuntu 18.04
Proxy:		no
Current User:	git
Using RVM:	no
Ruby Version:	2.6.3p62
Gem Version:	2.7.9
Bundler Version:1.17.3
Rake Version:	12.3.2
Redis Version:	3.2.12
Git Version:	2.21.0
Sidekiq Version:5.2.7
Go Version:	unknown

GitLab information
Version:	12.1.3-ee
Revision:	a05c811e614
Directory:	/opt/gitlab/embedded/service/gitlab-rails
DB Adapter:	PostgreSQL
DB Version:	10.7
URL:		https://git.satanic.cloud
HTTP Clone URL:	https://git.satanic.cloud/some-group/some-project.git
SSH Clone URL:	git@git.satanic.cloud:some-group/some-project.git
Elasticsearch:	no
Geo:		no
Using LDAP:	no
Using Omniauth:	yes
Omniauth Providers:

GitLab Shell
Version:	9.3.0
Repository storage paths:
- default: 	/var/opt/gitlab/git-data/repositories
- alternate: 	/mnt/gitlab/repositories
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell
Git:		/opt/gitlab/embedded/bin/git

Docker version
root@docker:~# docker --version
Docker version 18.09.7, build 2d0083d

config.toml contents
concurrent = 1
check_interval = 0

[session_server]
  session_timeout = 1800

[[runners]]
  name = "My Docker Runner"
  url = "https://gitlab.com/"
  token = "GKfpqks4TewrDsTKEuhB"
  executor = "docker"
  [runners.custom_build_dir]
  [runners.docker]
    tls_verify = false
    image = "docker:stable"
    privileged = true
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/cache", "/var/run/docker.sock:/var/run/docker.sock"]
    shm_size = 0
  [runners.cache]
    [runners.cache.s3]
    [runners.cache.gcs]
  [runners.custom]
    run_exec = ""

[[runners]]
  name = "docker"
  url = "http://gitlab.jcolyer.com"
  token = "[REDACTED]"
  executor = "docker"
  [runners.custom_build_dir]
  [runners.docker]
    tls_verify = false
    image = "ruby:2.6"
    privileged = false
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/cache"]
    shm_size = 0
  [runners.cache]
    [runners.cache.s3]
    [runners.cache.gcs]
  [runners.custom]
    run_exec = ""

[[runners]]
  name = "docker-runner"
  url = "https://git.satanic.cloud"
  token = "[REDACTED]"
  executor = "docker"
  [runners.custom_build_dir]
  [runners.docker]
    tls_verify = false
    image = "ruby:2.6"
    privileged = false
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/cache"]
    shm_size = 0
  [runners.cache]
    [runners.cache.s3]
    [runners.cache.gcs]
  [runners.custom]
    run_exec = ""

Used GitLab Runner version

GitLab runner version
root@docker:~# gitlab-runner --version
Version:      12.1.0
Git revision: de7731dd
Git branch:   12-1-stable
GO version:   go1.8.7
Built:        2019-07-19T13:53:04+0000
OS/Arch:      linux/amd64
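
A triage sketch for the failure signature in the public-project job log above, added here as an example and not part of the original issue or of GitLab's code; the function name `triage_job_log` and the cause labels are assumptions. It separates the "Git access over HTTP is not allowed" 403 from any other 403 on the fetch and checks that the job token in the clone URL is still masked in the log.

```python
import re

# Fetch section copied from the public-project job log on this page.
SAMPLE_LOG = """\
Created fresh repository.
remote: Git access over HTTP is not allowed
fatal: unable to access 'https://gitlab-ci-token:[MASKED]@git.satanic.cloud/jcolyer/test-project.git/': The requested URL returned error: 403
ERROR: Job failed: command terminated with exit code 1
"""

# Message shown in the log above when HTTP(S) Git access is disabled.
PROTOCOL_BLOCKED = "remote: Git access over HTTP is not allowed"

# git's fatal line: optional user:secret@ userinfo, host, repo path, HTTP status.
FATAL_RE = re.compile(
    r"fatal: unable to access '(?P<scheme>https?)://"
    r"(?:(?P<user>[^:@/']+):(?P<secret>[^@']*)@)?"
    r"(?P<host>[^/']+)/(?P<path>[^']*)': "
    r"The requested URL returned error: (?P<status>\d{3})"
)


def triage_job_log(log_text):
    """Classify a failed fetch in a runner job log (hypothetical helper)."""
    result = {"cause": "no_fetch_failure", "status": None, "host": None,
              "project": None, "secret_masked": None}
    match = FATAL_RE.search(log_text)
    if match is None:
        return result
    blocked = any(line.strip() == PROTOCOL_BLOCKED
                  for line in log_text.splitlines())
    status = int(match.group("status"))
    if status == 403 and blocked:
        cause = "http_git_access_disabled"   # the case reported here
    elif status == 403:
        cause = "forbidden_other"            # 403 without the protocol message
    else:
        cause = "http_error"
    secret = match.group("secret")
    result.update(
        cause=cause, status=status, host=match.group("host"),
        project=re.sub(r"\.git/?$", "", match.group("path")),
        # None when the URL has no userinfo; False means a credential leaked.
        secret_masked=None if secret is None else secret == "[MASKED]",
    )
    return result


if __name__ == "__main__":
    print(triage_job_log(SAMPLE_LOG))
```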