Inconsistent behavior with CI_JOB_TOKEN

Summary

We have two repositories, one is a mirror of the other:

• https://gitlab.com/gitlab-org/build/CNG

• https://gitlab.com/gitlab-org/build/CNG-mirror

Using "JOB-TOKEN: $CI_JOB_TOKEN" for a curl command to download artifacts from separate repostiories works in CNG, but results in a 404 Project not found for CNG-mirror

The artifacts are public, and removing the JOB-TOKEN header does work around the issue.

Steps to reproduce

Add a job that uses the following curl command:

curl -sL --header 'JOB-TOKEN: $CI_JOB_TOKEN' "https://gitlab.com/api/v4/projects/gitlab-org%2Fgitlab-ce/jobs/artifacts/master/download?job=gitlab:assets:compile"

Note: This also happens for gitlab-ee

Example Project

We ran with some debugging information:

• Good: https://gitlab.com/gitlab-org/build/CNG/-/jobs/99306309

• Bad: https://gitlab.com/gitlab-org/build/CNG-mirror/-/jobs/99306336

What is the current bug behavior?

curl receives a 404

What is the expected correct behavior?

curl recieves a 302

Relevant logs and/or screenshots

• Good: https://gitlab.com/gitlab-org/build/CNG/-/jobs/99306309

• Bad: https://gitlab.com/gitlab-org/build/CNG-mirror/-/jobs/99306336

Output of checks

This bug happens on GitLab.com

Possible fixes