Force authenticated calls to Gitaly on public projects
What does this MR do?
Adds a new feature flag FF_USE_GIT_PROACTIVE_AUTH (disabled by default) that passes -c http.proactiveAuth=basic to git clone and git fetch commands. This forces Git to send credentials proactively instead of waiting for a 401 response.
The flag is passed directly to the git commands rather than set in the git config file, so it only affects the runner's clone/fetch operations and not any git operations users run in their CI scripts.
Why was this MR needed?
When Git makes an HTTP request to a public project, it first tries an unauthenticated request. Only after receiving a 401 response does it fill in credentials and retry. This means for public projects, the username is never sent to Gitaly because no 401 is returned.
This causes issues with Gitaly's unauthenticated concurrency limiter, which was causing pipeline job failures for public projects like gitlab-org/gitlab.
Setting http.proactiveAuth=basic forces Git to include credentials on the first request, ensuring the username is always propagated to Gitaly regardless of project visibility.
What's the best way to test this MR?
- Set FF_USE_GIT_PROACTIVE_AUTH=true in your CI job
- Run a CI job on a public project
- Verify that the username metadata is propagated to Gitaly (check Gitaly logs)
What are the relevant issue numbers?
Closes gitlab#591004
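
The request flow described under "Why was this MR needed?", as an added Go model that is not part of this MR or of GitLab Runner's code. The handler, the path, and the `job-user` / `constructed-token` credentials are constructed, and the client loop imitates Git's retry-after-401 behaviour rather than invoking Git.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// fetch models one Git-style HTTP fetch and returns the Basic-auth username
// the server saw on each request ("" means no credentials were sent).
// proactive=false mirrors Git's default: credentials only after a 401.
// proactive=true mirrors -c http.proactiveAuth=basic.
func fetch(public, proactive bool) []string {
	var seen []string
	// Constructed stand-in for the Git HTTP endpoint in front of Gitaly.
	server := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, _, ok := r.BasicAuth()
		seen = append(seen, user)
		if !public && !ok { // only private projects challenge anonymous requests
			w.Header().Set("WWW-Authenticate", `Basic realm="constructed"`)
			w.WriteHeader(http.StatusUnauthorized)
		}
	})
	for withCreds := proactive; ; withCreds = true {
		req := httptest.NewRequest(http.MethodGet, "/constructed.git/info/refs", nil)
		if withCreds {
			req.SetBasicAuth("job-user", "constructed-token") // constructed values
		}
		rec := httptest.NewRecorder()
		server.ServeHTTP(rec, req) // handled in-process, no network needed
		if withCreds || rec.Code != http.StatusUnauthorized {
			return seen // done: either authenticated or never challenged
		}
	}
}

func main() {
	for _, public := range []bool{false, true} {
		for _, proactive := range []bool{false, true} {
			fmt.Printf("public=%-5v proactive=%-5v usernames seen=%q\n",
				public, proactive, fetch(public, proactive))
		}
	}
}
```

The public, non-proactive case is the only one in which the server never sees a username, which is the case the feature flag changes.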