## Status update 2022-07-26 (2:00 pm UTC) The root cause is an update to the github.com/urfave/cli library to v1.22.2 which was done in this [MR](https://gitlab.com/gitlab-org/gitlab-runner/-/merge_requests/3525/). We are working on reverting that change. We will be releasing a patched version of the runner with this library reverted to undo this regression. ## Summary <!-- Briefly summarize the bug --> Sometimes the randomly generated CI/CD job token can begin with a leading dash (e.g. `-AsdfABdagvf`). If a job token happens to be created with this leading dash and that job token is then used for downloading previous job artifacts, the download will fail with the following: ``` ERROR: Downloading artifacts from coordinator... forbidden id=JOB_ID_HERE responseStatus=403 Forbidden status=GET https://gitlab.com/api/v4/jobs/JOB_ID_HERE/artifacts: 403 Forbidden token=--id ``` It seems as if the `-` is being misinterpreted by the `artifacts-downloader` and causing the subsequent `--id` flag to be passed in as the `--token` value. This has started cropping up with the 15.2 release of the runner specifically. ## Steps to reproduce This is very hard to reproduce, as it relies on the CI/CD randomly generated job token to have this leading dash. I have been unable to reproduce this on my own, but we have at least two tickets where the jobs encountering this error do have CI_JOB_TOKEN values beginning with the `-` character. If you happen to get lucky and get a token with this value, the `.gitlab-ci.yml` below should replicate the issue. <details> <summary> .gitlab-ci.yml </summary> ```yml job: stage: test image: bash:latest script" - echo $CI_JOB_TOKEN > test.file artifacts: paths: - test.file job2: stage: deploy image: bash:latest script: - echo "" needs: - job: "job" optional: false ``` </details> ## Actual behavior The `--id` flag is passed as the token to the `artifacts-downloader` if the CI/CD job token begins with a `-`. ## Expected behavior CI/CD job tokens beginning with the `-` character are properly are passed as the token properly. ## Relevant logs and/or screenshots <!-- Paste the job logs inside of the code blocks (```) below so it would be easier to read. --> Some interesting behavior is shown when calling the `artifacts-downloader` command directly within the helper image between 15.2 and 15.1. Using 15.2's helper image `registry.gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper:x86_64-7f093137` ``` bash-5.1# /usr/bin/gitlab-runner-helper artifacts-downloader --url https://gitlab.redacted.com/ --token -Abajdbajdbajbd --id 123455 WARNING: Missing build ID (--id) FATAL: Incomplete arguments ``` Using 15.1's helper image `registry.gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper:x86_64-76984217` ``` bash-5.1# /usr/bin/gitlab-runner-helper artifacts-downloader --url https://gitlab.redacted.com/ --token -Abajdbajdbajbd --id 123455 ERROR: Downloading artifacts from coordinator... forbidden id=123455 responseStatus=403 Forbidden status=GET https://gitlab.redacted.com/api/v4/jobs/123455/artifacts?: 403 Forbidden token=-Abajdba FATAL: permission denied ``` ## Environment description Confirmed to be affecting Kubernetes based executors - untested on others at this time. ### Used GitLab Runner version ``` Running with gitlab-runner 15.2.0 (7f093137) ``` ## Possible fixes Add safeties for the `-` character to the `artifacts-downloader` utility.