Stop passing in job-token to `PRIVATE-TOKEN` header
Background
It was discovered in gitlab!183764 (merged), that runner uses the PUT /api/v4/:jobs endpoint with the job token in two places:
- The PRIVATE-TOKEN header
- The
tokenparameter in the JSON body
Details
https://gitlab.com/gitlab-org/gitlab-runner/-/blob/18d15a068d2482b78f085eee0229350a6a6c7da9/network/gitlab.go#L683-692 is one example where we pass in the Job Token as a PAT.
https://gitlab.com/gitlab-org/gitlab-runner/-/blob/18d15a068d2482b78f085eee0229350a6a6c7da9/network/client.go#L372-396 will set the pat argument into the PRIVATE-TOKEN header.
https://gitlab.com/gitlab-org/gitlab-runner/-/blob/18d15a068d2482b78f085eee0229350a6a6c7da9/network/gitlab.go#L683-692 is where we call the PUT /api/v4/:jobs endpoint with this incorrect pat: argument.
This is intuitively in-correct behaviour, but it is long-standing. It might take a long time to update all runners to no longer do this. We should still correct this behaviour as the PRIVATE-TOKEN header does nothing.
Action Items
-
Gradually stop passing in the job token in the PRIVATE-TOKEN header, keep the tokenparameter.