GITLAB_USER_LOGIN getting wrong value randomly

Summary

Hello,

I have an issue with a job getting the wrong user: when "playing" a job with a service account, GITLAB_USER_LOGIN contains the value of the pipeline initiator instead of the service account.

Complete workflow:

  • User A creates a feature branch
  • User A creates a merge request
  • User B approves the MR
  • User A merges
  • a pipeline runs on master: syntax, build, test, release
  • the release step creates a GitLab release using CI_JOB_TOKEN https://docs.gitlab.com/ee/api/releases/#create-a-release
  • a pipeline starts on the tag release
  • this pipeline contains “deployment” jobs and “our change process”
  • sandbox is automatically executed
  • User A manually deploys on preprod
  • User C approves by playing “approve:tech” via the WebUI manual job (or Technical Validation in the schema) => GITLAB_USER_LOGIN had User C's login, never seen a wrong value
  • User A opens an internal tool to feed the change. We created a formula for calculating the risk. If not risky, the tool plays the job using a service account; otherwise the tool waits for a validation via a Slack quorum and, when it is reached, we play the same job with the same account
  • The job played in both cases by the tool / bot is “approve:auto” via API => this is the job not getting the right value: sometimes GITLAB_USER_LOGIN had the service account login, sometimes User A's value, but it must be the service account (according to the doc)

pipeline

Steps to reproduce

As a premium customer, we tried to reproduce the issue with @jfarmiloe, with no luck (ZD link, internal only)

Results of GitLab environment info

We see this issue on GitLab 12.10 and our current 13.11.4

Possible fixes

Unfortunately, as this issue impacts our production, I changed the way the pipeline works to avoid this issue, so I can't run extra tests.

As a workaround, I’m using the CI job token to identify itself and retrieve rights data via !51727 (merged)

PS: we never override the environment variables, and the approval:auto job was never played by another user.
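
Added example, not part of the original issue and not GitLab's or the reporter's code: a gate for the “approve:auto” job that takes the approver's identity from the job token rather than from GITLAB_USER_LOGIN, and flags any disagreement between the two. It uses GitLab's `GET /job` endpoint with the `JOB-TOKEN` header; that this is the endpoint the workaround refers to is an assumption, as are the service-account name `svc-change-bot` and the constructed sample response.

```python
import json
import os
import urllib.request

# Assumption: the bot's service-account username (hypothetical name).
EXPECTED_APPROVER = "svc-change-bot"

# Constructed sample of a GET /job response, trimmed to the fields used here.
SAMPLE_JOB = {"id": 1, "name": "approve:auto", "user": {"username": "svc-change-bot"}}


def fetch_job(api_url, job_token):
    """Ask GitLab which job, and which user, this CI_JOB_TOKEN belongs to."""
    req = urllib.request.Request(f"{api_url}/job", headers={"JOB-TOKEN": job_token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def check_approver(job, env_login, expected=EXPECTED_APPROVER):
    """Return (approved, reason).

    The decision is based only on the user bound to the job token. A mismatch
    with GITLAB_USER_LOGIN does not change the decision but is reported, so the
    inconsistency described in the issue leaves a trace in the job log.
    """
    token_login = (job.get("user") or {}).get("username")
    if not token_login:
        return False, "no user in /job response"
    if token_login != expected:
        return False, f"job run by {token_login!r}, expected {expected!r}"
    if env_login != token_login:
        return True, f"approved; GITLAB_USER_LOGIN={env_login!r} disagrees with token user"
    return True, "approved"


if __name__ == "__main__":
    token = os.environ.get("CI_JOB_TOKEN")
    # Inside a CI job, query the API; elsewhere, fall back to the constructed sample.
    job = fetch_job(os.environ["CI_API_V4_URL"], token) if token else SAMPLE_JOB
    ok, reason = check_approver(job, os.environ.get("GITLAB_USER_LOGIN"))
    print(reason)
    raise SystemExit(0 if ok else 1)
```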