Enable CI_JOB_TOKEN as accepted header to log into access-controlled GitLab Page


Release notes

GitLab Pages Access Control now accepts CI_JOB_TOKEN in curl --header "PRIVATE-TOKEN: …" requests. This simplifies workflows in which, for example, a .gitlab-ci.yml script downloads a file from an access-controlled GitLab Page. Previously, a dedicated Project or Personal Access Token was required, which added management overhead.

Problem to solve

Customers who try to:

  1. curl or wget a file from a GitLab Page that has Access Control enabled,
  2. within a .gitlab-ci.yml script,

currently receive the response <a href="https://projects.gitlab.io/auth?domain=https://…namespace….gitlab.io&amp;state=…base64…">Found</a>.

Proposal

Enable CI_JOB_TOKEN as an accepted login credential header.

Inspired by an internal GitLab Premium customer request: ZD 273770, and a continuation of a thread in gitlab#15156.
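
An added example (not part of the original issue and not GitLab's code) of a CI-script helper for the workflow proposed here: it sends CI_JOB_TOKEN in the header form quoted in the release notes and treats the login redirect shown under "Problem to solve" as a failure instead of saving it as the downloaded file. The function names and exit codes are hypothetical, and it assumes the Pages instance accepts the job token as proposed.

```bash
#!/usr/bin/env bash
# Added example; function names and exit codes are hypothetical.
# Assumption: Pages accepts the job token in the header form from the
# release notes above ("PRIVATE-TOKEN: <token>").

# Succeeds when a response is the Access Control login redirect: a 3xx
# whose Location points at the Pages /auth?domain=... endpoint.
is_pages_auth_redirect() {
  local status="$1" location="$2"
  case "$status" in
    301|302|303|307|308) ;;
    *) return 1 ;;
  esac
  case "$location" in
    *"/auth?domain="*) return 0 ;;
    *) return 1 ;;
  esac
}

# Download URL to OUT with the job token. Redirects are not followed, so
# a rejected token is reported instead of being saved as the file.
fetch_pages_file() {
  local url="$1" out="$2" meta status location
  # The header goes to curl on stdin (--config -), keeping the token off
  # curl's command line.
  meta=$(printf 'header = "PRIVATE-TOKEN: %s"\n' "$CI_JOB_TOKEN" |
    curl --silent --show-error --config - --output "$out" \
      --write-out '%{http_code} %{redirect_url}' "$url") || return 2
  status=${meta%% *}
  location=${meta#* }
  if is_pages_auth_redirect "$status" "$location"; then
    rm -f "$out"
    echo "Pages Access Control answered with the login redirect" >&2
    return 3
  fi
  if [ "$status" != 200 ]; then
    rm -f "$out"
    echo "unexpected HTTP status $status" >&2
    return 4
  fi
}
```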

Alternatives (and what speaks against those)

  1. Keeping the pages public
    • But: Access Control is often required for confidentiality considerations.
  2. Instead of curling a file, registering it as an artifact or cache and injecting it into the job that way
    • But: Requires more artifacts storage space.
    • And: Subjects the file to expiry configuration, which may not be desirable in all cases.
  3. Personal or Project Access Tokens
    • But: Would require too much setup (custom scripting) if many similar projects require similar CI job behaviour.
    • And: Risks getting leaked into job logs via unprotected branches.
  4. 3rd-party storage (FTP).
    • But: Would require custom access control logic as well.
  5. Using the repo files API, if that would accept CI_JOB_TOKEN.

Intended users
