Backend: No permissions to trigger downstream pipeline error

Summary

In pipeline https://ops.gitlab.net/gitlab-org/release/tools/-/pipelines/937987, bridge job deploy:gprd-cny (which triggers a downstream pipeline in https://ops.gitlab.net/gitlab-com/gl-infra/deployer) failed with the following error: No permissions to trigger downstream pipeline.

An interesting thing is that the pipeline bridge list API shows the user for the deploy:gprd-cny bridge job to be @nwestbury for some reason. @nwestbury has reporter access to the https://ops.gitlab.net/gitlab-com/gl-infra/deployer project, so cannot create a pipeline on the default branch of https://ops.gitlab.net/gitlab-com/gl-infra/deployer, which is the cause of this error according to #299433 (comment 563049682). All the other bridge jobs that successfully triggered downstream pipelines have the gitlab-release-tools-bot as the user. Bridge jobs that were skipped show @hphilipps (Release Manager at the time, who has push access to master) as the user.

Pipeline bridge list API response: bridge_jobs_list1.json

Steps to reproduce (carried over from related #326941 (closed))

  1. Create a project in groupA with the downstream pipeline
  2. Create a project in groupB with the source pipeline which triggers the project in groupA
  3. Test users with different combinations of access: so far I've tried unsuccessfully granting this user Maintainer on the downstream repo or groupA.

This seems to be a transient bug, so I'm not sure how to reproduce it.

Example Project

What is the current bug behavior?

Bridge job deploy:gprd-cny failed to start with error No permissions to trigger downstream pipeline.

What is the expected correct behavior?

Bridge pipeline should have been started by the gitlab-release-tools-bot user.

Relevant logs and/or screenshots


Output of checks

This bug happens on ops.gitlab.net

Results of GitLab environment info


(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:env:info`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)

Results of GitLab application Check


(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:check SANITIZE=true`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`)

(we will only investigate if the tests are passing)

Possible fixes

Edited by Mark Nuzzo
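
The check described in the summary (comparing the user recorded on each bridge job against the expected bot account) can be scripted over the bridge list response. This is an added example, not part of the original issue or GitLab's own code; the sample response is constructed and trimmed to four fields, and every job name other than deploy:gprd-cny, as well as the pipeline id, is made up.

```python
import json

EXPECTED_USER = "gitlab-release-tools-bot"  # bot named in the issue

# Constructed sample, shaped like the pipeline bridges list API response and
# trimmed to the fields used below. Only deploy:gprd-cny is a job name from
# the issue; the other names and the pipeline id are made up.
SAMPLE_RESPONSE = """
[
  {"name": "deploy:example-a", "status": "success",
   "user": {"username": "gitlab-release-tools-bot"},
   "downstream_pipeline": {"id": 1}},
  {"name": "deploy:gprd-cny", "status": "failed",
   "user": {"username": "nwestbury"}, "downstream_pipeline": null},
  {"name": "deploy:example-b", "status": "skipped",
   "user": {"username": "hphilipps"}, "downstream_pipeline": null},
  {"name": "deploy:example-c", "status": "created",
   "user": null, "downstream_pipeline": null}
]
"""


def audit_bridge_users(bridges, expected_user=EXPECTED_USER):
    """Return bridge jobs not attributed to expected_user, failed ones first."""
    findings = []
    for bridge in bridges:
        # Treat a null or missing user as a mismatch too.
        username = (bridge.get("user") or {}).get("username")
        if username == expected_user:
            continue
        findings.append({
            "job": bridge.get("name"),
            "status": bridge.get("status"),
            "user": username,
            # No downstream pipeline means the trigger never went through.
            "triggered": bridge.get("downstream_pipeline") is not None,
        })
    # Failed bridges are the ones that already hit the permission check.
    findings.sort(key=lambda f: (f["status"] != "failed", f["job"]))
    return findings


def main():
    for f in audit_bridge_users(json.loads(SAMPLE_RESPONSE)):
        print(f"{f['job']}: status={f['status']} user={f['user']} "
              f"triggered={f['triggered']}")


if __name__ == "__main__":
    main()
```

Skipped or not-yet-started bridges attributed to a different user are reported as well, since they carry the same unexpected attribution without having reached the permission check yet.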