Pipeline by External PR from GitHub Mirror on 12.3 has no user permissions to use include:
Summary
After Pipelines for External Pull Requests was released in 12.3 (https://gitlab.com/gitlab-org/gitlab-ce/issues/65139), we had pipelines triggered by GitHub PR webhooks from the Mirror webhook.
When they are triggered, the Triggerer is listed as API.
The Pipeline fails because we have a gitlab-ci.yml include: to a private project in that same group, and it seems this pipeline has no permissions other than access to the current project, thus even include: fails.
The error given from the Pipeline is:
Found errors in your .gitlab-ci.yml:
Project `adasupport/k8s` not found or access denied!
You can also test your .gitlab-ci.yml in CI Lint
Steps to reproduce
- Use example .gitlab-ci.yml in a GitHub Project

      stages:
        - test
      on-pull-requests:
        stage: test
        script: echo 'this should run on pull requests'
        only:
          - external_pull_requests
      include:
        - project: "samegroup/project_you_can_have_access"
          ref: master
          file: some_yaml_on_remote_project.yaml

- Sync GitHub Project to GitLab using a Mirror Pull
- Open a new PR with this branch on GitHub
- A pipeline should be triggered on the GitLab.com Project with the Triggerer of API.
- Pipeline fails due to YAML error noted in summary above.
Example Project
Here is the failure on a test project I made: https://gitlab.com/kzap/gitlab-external-pr-bug/pipelines/84552287
This is the GitHub Pull Request that I opened and which triggered the Pipeline: https://github.com/kzap/gitlab-external-pr-bug/pull/1
What is the current bug behavior?
Pipelines do not run on External PR Open/ReOpen webhooks
What is the expected correct behavior?
Pipeline has permissions of GitLab User who created Mirror, the same way Pipelines that are triggered by push webhooks from GitHub are run.
/cc @fabiopitino