GITLAB_USER_LOGIN getting wrong value randomly
Summary
Hello,
I have an issue with a job getting the wrong user: when "playing" a job with a service account, GITLAB_USER_LOGIN contains the value of the pipeline initiator instead of the service account.
Complete workflow:
- User A creates a feature branch
- User A creates a merge request
- User B approves the MR
- User A merges
- a pipeline runs on master: syntax, build, test, release
- the release step creates a GitLab release using CI_JOB_TOKEN https://docs.gitlab.com/ee/api/releases/#create-a-release
- a pipeline starts on the release tag
- this pipeline contains “deployment” jobs and “our change process”
- sandbox is automatically executed
- User A manually deploys on preprod
- User C approves by playing “approve:tech” via the WebUI manual job (or Technical Validation in the schema) => GITLAB_USER_LOGIN had User C's login, never seen a wrong value
- User A opens an internal tool to feed the change. We created a formula for calculating the risk. If not risky, the tool plays the job using a service account; otherwise the tool waits for a validation via a Slack quorum and, when it is reached, we play the same job with the same account
- The job played in both cases by the tool / bot is “approve:auto” via API => this is the job not getting the right value: sometimes GITLAB_USER_LOGIN had the service account login, sometimes User A's value, but it must be the service account (according to the doc)
Steps to reproduce
As a premium customer, we tried to reproduce the issue with @jfarmiloe, with no luck (ZD link, internal only)
Results of GitLab environment info
We see this issue on GitLab 12.10 and our current 13.11.4
Possible fixes
Unfortunately, as this issue impacts our production, I changed the way the pipeline works to avoid this issue, so I can't make extra tests.
As a workaround, I’m using the CI job token to identify itself and retrieve rights data via !51727 (merged)
PS: we never override the environment variables, and the approval:auto job was never played by another user.
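One way to implement the workaround described above, as an added example that is not the reporter's or GitLab's code: the approval job asks the API which user its own CI job token belongs to and decides on that identity, only reporting a disagreement with GITLAB_USER_LOGIN. It assumes !51727 is the `GET /job` endpoint authenticated with the `JOB-TOKEN` header; the login `svc-change-bot`, the function names and the sample data are hypothetical.

```python
import json
import os
import urllib.request

ALLOWED_APPROVERS = {"svc-change-bot"}  # hypothetical service account login


def fetch_token_job(api_url, job_token):
    """Ask GitLab which job, and which user, this CI job token was issued for."""
    req = urllib.request.Request(f"{api_url}/job", headers={"JOB-TOKEN": job_token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def check_approver(job, env, allowed=ALLOWED_APPROVERS):
    """Decide on the token's user; only report what GITLAB_USER_LOGIN claims."""
    actor = (job.get("user") or {}).get("username")
    result = {"actor": actor, "approved": False,
              "mismatch": actor != env.get("GITLAB_USER_LOGIN"), "reason": "ok"}
    if not actor:
        result["reason"] = "token lookup returned no user"
    elif str(job.get("id")) != str(env.get("CI_JOB_ID")):
        result["reason"] = "token was issued for a different job"
    elif actor not in allowed:
        result["reason"] = f"{actor} is not an allowed approver"
    else:
        result["approved"] = True
    return result


# Constructed sample data: the token belongs to the bot, the variable names User A.
SAMPLE_JOB = {"id": 4242, "name": "approve:auto", "user": {"username": "svc-change-bot"}}
SAMPLE_ENV = {"CI_JOB_ID": "4242", "GITLAB_USER_LOGIN": "user-a"}

if __name__ == "__main__":
    if "CI_JOB_TOKEN" in os.environ:  # running inside a real GitLab job
        env = os.environ
        job = fetch_token_job(env["CI_API_V4_URL"], env["CI_JOB_TOKEN"])
    else:  # offline: fall back to the constructed sample
        env, job = SAMPLE_ENV, SAMPLE_JOB
    verdict = check_approver(job, env)
    if verdict["mismatch"]:
        print(f"warning: GITLAB_USER_LOGIN={env.get('GITLAB_USER_LOGIN')!r} "
              f"but token user is {verdict['actor']!r}")
    print(verdict["reason"])
    raise SystemExit(0 if verdict["approved"] else 1)
```

Logging the mismatch on every run also gives a record of how often the variable and the token disagree, which is the data the reproduction attempt lacked.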