Fix downstream pipeline trigger permissions for Duo UI job
Problem
The `duo_job` in GitLab UI's CI pipeline fails for contributors who don't have the Developer role on the Duo UI project. The error message is:
"No permission to trigger downstream pipeline"
This happens because the job triggers a downstream pipeline on gitlab-org/duo-ui using the contributor's own permissions. Most contributors only have access to GitLab UI and lack the Developer role on Duo UI, which is the minimum role required to trigger a pipeline there.
Current Behavior
- The `duo_job` runs for all merge requests
- It fails for any contributor who doesn't have Developer or higher access to Duo UI
- This blocks MR pipelines, or at best adds noise to them
Example MR:
Permission Requirements
To trigger downstream pipelines in GitLab, the minimum required permission is:
- Developer role on the target project (Duo UI)
Proposed Solution
Use a pipeline trigger token or a project access token to authenticate the downstream pipeline trigger, rather than relying on the contributor's permissions. Either token then stands in for the Developer role on Duo UI for anyone whose job can read it, so store it as a masked CI/CD variable (not a protected one: merge request pipelines run on unprotected feature branches and would not receive a protected variable). Note also that a merge request pipeline from a fork runs in the fork project and does not receive GitLab UI's project CI/CD variables, so the job should fail with a clear message when the token is unset rather than with an opaque API error.
Option 1: Pipeline Trigger Token (Recommended)
- Create a pipeline trigger token in the Duo UI project (Settings → CI/CD → Pipeline triggers). The downstream pipeline is attributed to the user who created the token, so create it from an account that has the Developer role on Duo UI and no more access than the job needs
- Add it as a masked CI/CD variable `DUO_UI_PIPELINE_TRIGGER_TOKEN` in the GitLab UI project
- Update the `duo_job` to call the trigger API with curl and the trigger token:
```yaml
duo_job:
  stage: deploy
  needs:
    - build_package
  script:
    # --fail makes curl exit non-zero on an HTTP error (for example 401 for a
    # bad token), so the job cannot pass silently when no pipeline was created.
    - |
      curl --request POST --fail --silent --show-error \
        --form token=$DUO_UI_PIPELINE_TRIGGER_TOKEN \
        --form ref=main \
        --form "variables[UPSTREAM_GITLAB_UI_VERSION]=$DEPENDENCY_URL" \
        --form "variables[UPSTREAM_BRANCH_NAME]=$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME" \
        "https://gitlab.com/api/v4/projects/62039593/trigger/pipeline"
  rules:
    # MRs labelled duo-ui-allowed-to-fail may proceed even if the downstream run fails
    - if: '$CI_MERGE_REQUEST_LABELS =~ /duo-ui-allowed-to-fail/'
      when: always
      allow_failure: true
    # Every other merge request pipeline runs the job and must pass it
    - if: '$CI_MERGE_REQUEST_IID'
      when: always
      allow_failure: false
```
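The same trigger call as a small script the job could run instead of inline curl, added here as an example for this issue and not code from the gitlab-ui or duo-ui projects. It keeps the variable names and the project ID 62039593 from the curl call above; the script path, the `TriggerError` type and the use of a form-urlencoded body (rather than curl's multipart form) are assumptions. What it adds over the curl line is the two checks a practitioner wants in this job: an explicit, readable failure when the token variable is absent (the fork case), and a hard failure on any non-201 response, with the API's own message in the job log.

```python
#!/usr/bin/env python3
"""Trigger the Duo UI downstream pipeline with a pipeline trigger token.

Added example for this issue, not project code. Assumes the variable names
DUO_UI_PIPELINE_TRIGGER_TOKEN, DEPENDENCY_URL and CI_MERGE_REQUEST_SOURCE_BRANCH_NAME
and the Duo UI project ID used in the issue; everything else is illustrative.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

DUO_UI_PROJECT_ID = "62039593"
TRIGGER_URL = f"https://gitlab.com/api/v4/projects/{DUO_UI_PROJECT_ID}/trigger/pipeline"


class TriggerError(RuntimeError):
    """Raised when the downstream pipeline could not be created."""


def build_form(token, ref, variables):
    """Build the form fields for POST /projects/:id/trigger/pipeline.

    Downstream variables are passed as variables[NAME]=value next to the
    token and ref fields. A missing token is reported in plain words (fork
    pipelines do not get the parent project's variables), and empty upstream
    values are rejected so a half-configured downstream run is never created.
    """
    if not token:
        raise TriggerError(
            "DUO_UI_PIPELINE_TRIGGER_TOKEN is not set; pipelines from forks "
            "do not receive the parent project's CI/CD variables")
    form = {"token": token, "ref": ref}
    for name, value in variables.items():
        if not value:
            raise TriggerError(f"upstream variable {name} is empty")
        form[f"variables[{name}]"] = value
    return form


def parse_response(status, body):
    """Turn the API response into (pipeline_id, web_url) or raise.

    The trigger API answers 201 Created on success. Anything else (401 for a
    bad token, 404 when the token owner cannot see the project, ...) means no
    pipeline exists, which curl without --fail would not surface as a failure.
    """
    if status != 201:
        raise TriggerError(f"trigger API returned HTTP {status}: {body[:200]}")
    try:
        data = json.loads(body)
        return int(data["id"]), str(data["web_url"])
    except (ValueError, KeyError, TypeError) as exc:
        raise TriggerError(f"unexpected trigger response: {exc}") from exc


def trigger(form, url=TRIGGER_URL):
    """POST the form and return (pipeline_id, web_url). This is the network call."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return parse_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        # Error responses still carry the API's JSON message; report it.
        return parse_response(err.code, err.read().decode())


def main():
    form = build_form(
        os.environ.get("DUO_UI_PIPELINE_TRIGGER_TOKEN"),
        "main",
        {
            "UPSTREAM_GITLAB_UI_VERSION": os.environ.get("DEPENDENCY_URL"),
            "UPSTREAM_BRANCH_NAME": os.environ.get("CI_MERGE_REQUEST_SOURCE_BRANCH_NAME"),
        },
    )
    pipeline_id, web_url = trigger(form)
    print(f"Triggered Duo UI pipeline {pipeline_id}: {web_url}")


if __name__ == "__main__":
    try:
        main()
    except TriggerError as err:
        print(f"duo_job: {err}", file=sys.stderr)
        sys.exit(1)
```

In the job this would replace the curl line with something like `python3 scripts/trigger_duo_ui.py` (path assumed). The token never appears in the log: it is only sent in the request body, and the error path prints the API's message, not the form that was posted.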