Jobs fail with 403 for public projects when protocols are SSH only
Summary
When a GitLab instance is using SSH only for git protocols, projects with public visibility fail their CI/CD jobs with a 403 error.
Steps to reproduce
- Set Enabled Git access protocols to "Only SSH"
- Try to run any CI/CD job for a public project
.gitlab-ci.yml
image: "busybox:latest"
test:
  script:
    - echo "Hello World"
Actual behavior
When the job is run for a public project, it fails with fatal: unable to access 'https://gitlab-ci-token:[MASKED]@git.satanic.cloud/jcolyer/test-project.git/': The requested URL returned error: 403
Expected behavior
The job should run normally.
Relevant logs and/or screenshots
job log while project is private
Running with gitlab-runner 12.0.0 (6946bae7)
on runner-gitlab-runner-b795b5986-rpwzq rx_zoYb3
Using Kubernetes namespace: gitlab-managed-apps
Using Kubernetes executor with image busybox:latest ...
Waiting for pod gitlab-managed-apps/runner-rxzoyb3-project-68-concurrent-0wdfvj to be running, status is Pending
Waiting for pod gitlab-managed-apps/runner-rxzoyb3-project-68-concurrent-0wdfvj to be running, status is Pending
Running on runner-rxzoyb3-project-68-concurrent-0wdfvj via runner-gitlab-runner-b795b5986-rpwzq...
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/jcolyer/test-project/.git/
Created fresh repository.
From https://git.satanic.cloud/jcolyer/test-project
* [new branch] master -> origin/master
Checking out 604cc7c0 as master...
Skipping Git submodules setup
$ echo "Hello World"
Hello World
Job succeeded
job log while project is public
Running with gitlab-runner 12.0.0 (6946bae7)
on runner-gitlab-runner-b795b5986-rpwzq rx_zoYb3
Using Kubernetes namespace: gitlab-managed-apps
Using Kubernetes executor with image busybox:latest ...
Waiting for pod gitlab-managed-apps/runner-rxzoyb3-project-68-concurrent-0mdz2b to be running, status is Pending
Waiting for pod gitlab-managed-apps/runner-rxzoyb3-project-68-concurrent-0mdz2b to be running, status is Pending
Running on runner-rxzoyb3-project-68-concurrent-0mdz2b via runner-gitlab-runner-b795b5986-rpwzq...
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/jcolyer/test-project/.git/
Created fresh repository.
remote: Git access over HTTP is not allowed
fatal: unable to access 'https://gitlab-ci-token:[MASKED]@git.satanic.cloud/jcolyer/test-project.git/': The requested URL returned error: 403
ERROR: Job failed: command terminated with exit code 1
Environment description
GitLab instance env info
root@git:~# gitlab-rake gitlab:env:info
System information
System: Ubuntu 18.04
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.6.3p62
Gem Version: 2.7.9
Bundler Version:1.17.3
Rake Version: 12.3.2
Redis Version: 3.2.12
Git Version: 2.21.0
Sidekiq Version:5.2.7
Go Version: unknown
GitLab information
Version: 12.1.3-ee
Revision: a05c811e614
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 10.7
URL: https://git.satanic.cloud
HTTP Clone URL: https://git.satanic.cloud/some-group/some-project.git
SSH Clone URL: git@git.satanic.cloud:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 9.3.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
- alternate: /mnt/gitlab/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Docker version
root@docker:~# docker --version
Docker version 18.09.7, build 2d0083d
config.toml contents
concurrent = 1
check_interval = 0
[session_server]
session_timeout = 1800
[[runners]]
name = "My Docker Runner"
url = "https://gitlab.com/"
token = "[REDACTED]"
executor = "docker"
[runners.custom_build_dir]
[runners.docker]
tls_verify = false
image = "docker:stable"
privileged = true
disable_entrypoint_overwrite = false
oom_kill_disable = false
disable_cache = false
volumes = ["/cache", "/var/run/docker.sock:/var/run/docker.sock"]
shm_size = 0
[runners.cache]
[runners.cache.s3]
[runners.cache.gcs]
[runners.custom]
run_exec = ""
[[runners]]
name = "docker"
url = "http://gitlab.jcolyer.com"
token = "[REDACTED]"
executor = "docker"
[runners.custom_build_dir]
[runners.docker]
tls_verify = false
image = "ruby:2.6"
privileged = false
disable_entrypoint_overwrite = false
oom_kill_disable = false
disable_cache = false
volumes = ["/cache"]
shm_size = 0
[runners.cache]
[runners.cache.s3]
[runners.cache.gcs]
[runners.custom]
run_exec = ""
[[runners]]
name = "docker-runner"
url = "https://git.satanic.cloud"
token = "[REDACTED]"
executor = "docker"
[runners.custom_build_dir]
[runners.docker]
tls_verify = false
image = "ruby:2.6"
privileged = false
disable_entrypoint_overwrite = false
oom_kill_disable = false
disable_cache = false
volumes = ["/cache"]
shm_size = 0
[runners.cache]
[runners.cache.s3]
[runners.cache.gcs]
[runners.custom]
run_exec = ""
Used GitLab Runner version
GitLab runner version
root@docker:~# gitlab-runner --version
Version: 12.1.0
Git revision: de7731dd
Git branch: 12-1-stable
GO version: go1.8.7
Built: 2019-07-19T13:53:04+0000
OS/Arch: linux/amd64
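
A triage helper for the two job logs above, as an added example that is not part of the original report or of GitLab's code: it separates the 403 caused by the "Only SSH" protocol setting from a 403 caused by a rejected or under-privileged job token, and strips the credential part of the clone URL before reporting it. The function names and cause labels are hypothetical, and the sample log is constructed from the lines quoted in the report.

```python
import re

# Constructed sample: the failing lines from the public-project job log above.
SAMPLE_LOG = """\
Fetching changes with git depth set to 50...
Created fresh repository.
remote: Git access over HTTP is not allowed
fatal: unable to access 'https://gitlab-ci-token:[MASKED]@git.satanic.cloud/jcolyer/test-project.git/': The requested URL returned error: 403
ERROR: Job failed: command terminated with exit code 1
"""

FATAL_RE = re.compile(
    r"fatal: unable to access '(?P<url>[^']+)': "
    r"The requested URL returned error: (?P<status>\d{3})"
)
REMOTE_RE = re.compile(r"^remote: (?P<msg>.+)$", re.MULTILINE)
USERINFO_RE = re.compile(r"^(?P<scheme>https?://)[^/@]*@")


def strip_userinfo(url):
    """Drop user:password@ so a job token is never copied into a report."""
    return USERINFO_RE.sub(r"\g<scheme>", url)


def triage_fetch_failure(log_text):
    """Classify a failed runner fetch; None if no HTTP fetch error is present."""
    fatal = FATAL_RE.search(log_text)
    if fatal is None:
        return None
    remotes = [m.group("msg").strip() for m in REMOTE_RE.finditer(log_text)]
    status = int(fatal.group("status"))
    if status == 403 and "Git access over HTTP is not allowed" in remotes:
        cause = "http-protocol-disabled"    # instance setting, not a bad token
    elif status in (401, 403):
        cause = "credential-or-permission"  # token rejected or lacks access
    else:
        cause = "other-http-error"
    return {
        "cause": cause,
        "status": status,
        "url": strip_userinfo(fatal.group("url")),
        "remote": remotes,
    }
```
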