gitlab-runner v18.0.0 breaks submodule authentication in CI

Summary

gitlab-runner breaks submodule checkout in v18.0.0

Steps to reproduce

  • main repository with submodules, in same gitlab instance, but different groups
  • submodules are configured to (Settings/CI/CD/Job token permissions/Authorized groups and projects set to All groups and projects)
  • submodules are registered in main repository with the relative path
.gitlab-ci.yml
variables:
  GIT_STRATEGY: clone

Actual behavior

  • The same CI (on same commit) in the main repository was passing until the (automatic) update of the gitlab-runner to v18.0.0
  • Now all the submodule checkouts fail in CI (see log right below).
Submodule 'vrf/uvm/shared/pin_uvc' (https://<instance>/chips/vip/pin_uvc.git) registered for path 'vrf/uvm/shared/pin_uvc'
[...]
Cloning into '<main_repo>/vrf/uvm/shared/pin_uvc'...
fatal: could not read Username for 'https://<instace>': No such device or address
fatal: clone of 'https://<instance>/chips/vip/pin_uvc.git' into submodule path '<main_repo>/vrf/uvm/shared/pin_uvc' failed
Failed to clone 'vrf/uvm/shared/pin_uvc'. Retry scheduled

The main difference between the two seems to be in the authentication method used

Expected behavior

Before the update of gitlab-runner to v18.0.0

Submodule 'vrf/uvm/shared/pin_uvc' (https://gitlab-ci-token:[MASKED]@<instance>/chips/vip/pin_uvc.git) registered for path 'vrf/uvm/shared/pin_uvc'
[...]
Cloning into '<main_repo>/vrf/uvm/shared/pin_uvc'...
[...]
Submodule path 'vrf/uvm/shared/pin_uvc': checked out 'c61fc510d24d6fad3bab22ee26af8b27ce1046e1'

Environment description

  • gitlab-runner at v18.0.0 with shell executor and authenticated with authentication tokens (i.e. not registration token)
  • GitLab (self-hosted v17.10.6-ee)
config.toml contents
concurrent = 4
check_interval = 0
connection_max_age = "15m0s"
shutdown_timeout = 0

[session_server]
  session_timeout = 1800

[[runners]]
  name = "<machine>-high-mem"
  limit = 2
  url = "https://<instance>"
  id = 35637
  token = "glrt-<redacted>"
  token_obtained_at = 2024-12-04T22:26:48Z
  token_expires_at = 0001-01-01T00:00:00Z
  executor = "shell"
  [runners.custom_build_dir]
  [runners.cache]
    MaxUploadedArchiveSize = 0
    [runners.cache.s3]
    [runners.cache.gcs]
    [runners.cache.azure]

[[runners]]
  name = "<machine>-short-jobs"
  limit = 2
  url = "https://<instance>"
  id = 35638
  token = "glrt-<redacted>"
  token_obtained_at = 2024-12-05T08:40:10Z
  token_expires_at = 0001-01-01T00:00:00Z
  executor = "shell"
  [runners.custom_build_dir]
  [runners.cache]
    MaxUploadedArchiveSize = 0
    [runners.cache.s3]
    [runners.cache.gcs]
    [runners.cache.azure]

Used GitLab Runner version

$ gitlab-runner --version
Version:      18.0.0
Git revision: d7f2cea7
Git branch:   18-0-stable
GO version:   go1.23.6 X:cacheprog
Built:        2025-05-15T17:20:54Z
OS/Arch:      linux/amd64

Possible fixes

Investigate why the gitlab-runner is no longer using the path to the submodule including the token

+https://gitlab-ci-token:[MASKED]@<instance>/chips/vip/pin_uvc.git
-https://<instance>/chips/vip/pin_uvc.git
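A triage check for the symptom reported above, as an added example that is not part of the original report or of gitlab-runner: it reads a job log, records whether each registered submodule URL carries an embedded user, and pairs that with the clone outcome. The function names and outcome labels are assumptions made for this example; the sample logs are the lines quoted in the report.

```python
import re

# Log lines copied from the two job logs quoted in this report
# ("<instance>", "<main_repo>" and "[MASKED]" are the report's own redactions).
LOG_V18 = """\
Submodule 'vrf/uvm/shared/pin_uvc' (https://<instance>/chips/vip/pin_uvc.git) registered for path 'vrf/uvm/shared/pin_uvc'
Cloning into '<main_repo>/vrf/uvm/shared/pin_uvc'...
fatal: could not read Username for 'https://<instace>': No such device or address
fatal: clone of 'https://<instance>/chips/vip/pin_uvc.git' into submodule path '<main_repo>/vrf/uvm/shared/pin_uvc' failed
"""
LOG_OLD = """\
Submodule 'vrf/uvm/shared/pin_uvc' (https://gitlab-ci-token:[MASKED]@<instance>/chips/vip/pin_uvc.git) registered for path 'vrf/uvm/shared/pin_uvc'
Cloning into '<main_repo>/vrf/uvm/shared/pin_uvc'...
Submodule path 'vrf/uvm/shared/pin_uvc': checked out 'c61fc510d24d6fad3bab22ee26af8b27ce1046e1'
"""

REGISTERED = re.compile(r"^Submodule '([^']+)' \((\S+)\) registered for path '([^']+)'")
CLONE_FAILED = re.compile(r"^fatal: clone of '[^']+' into submodule path '([^']+)' failed")
CHECKED_OUT = re.compile(r"^Submodule path '([^']+)': checked out '([0-9a-f]+)'")
NO_CREDS = "fatal: could not read Username for"  # git had to prompt and had no terminal


def url_user(url):
    """Return the user name embedded in the URL authority, or None."""
    authority = url.split("://", 1)[-1].split("/", 1)[0]
    if "@" not in authority:
        return None
    return authority.rsplit("@", 1)[0].split(":", 1)[0]


def triage(log):
    """Map each submodule path to its embedded URL user and clone outcome."""
    result, prompted = {}, False
    for line in log.splitlines():
        if m := REGISTERED.match(line):
            result[m[3]] = {"url_user": url_user(m[2]), "outcome": "unknown"}
        elif line.startswith(NO_CREDS):
            prompted = True
        elif m := CLONE_FAILED.match(line):
            for path, info in result.items():
                if m[1].endswith(path):  # log path is prefixed with the build dir
                    no_auth = prompted and info["url_user"] is None
                    info["outcome"] = "auth-failed" if no_auth else "clone-failed"
            prompted = False
        elif m := CHECKED_OUT.match(line):
            entry = result.setdefault(m[1], {"url_user": None, "outcome": "unknown"})
            entry["outcome"] = "checked-out"
    return result
```
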