Enable CI_JOB_TOKEN as accepted header to log into access-controlled GitLab Page
Release notes
GitLab Pages Access Control now accepts CI_JOB_TOKEN in curl --header "PRIVATE-TOKEN: …" requests.
This simplifies workflows in which a .gitlab-ci.yml script, for example, downloads a file from an access-controlled GitLab Page.
Previously, a dedicated Project or Personal Access Token was required, which added management overhead.
Problem to solve
Customers who try to:
- curl or wget a file from a GitLab Page that has Access Control enabled,
- within a .gitlab-ci.yml script,

currently receive the response <a href="https://projects.gitlab.io/auth?domain=https://…namespace….gitlab.io&state=…base64…">Found</a>.
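A job that saves this response with curl -o ends up with the "Found" HTML stub instead of the file, and may carry on without noticing. The following check is an added example, not part of the original issue or of GitLab's code: it classifies the header dump that curl -D writes, and it assumes the redirect's Location header carries the same /auth?domain=… URL as the href shown above. The function name and sample values are hypothetical.

```shell
# Classify the header dump written by:
#   curl -sS -D headers.txt -o out.file "$URL"
# Prints "ok", "auth-redirect" or "error"; returns 0 only for "ok".
classify_pages_response() {
    hdr_file=$1

    # Any Location header pointing at the Pages auth endpoint means the
    # request was treated as unauthenticated (assumed URL shape: /auth?...domain=).
    if tr -d '\r' < "$hdr_file" |
        awk 'tolower($1) == "location:" && $2 ~ /\/auth\?.*domain=/ { found = 1 }
             END { exit !found }'
    then
        echo auth-redirect
        return 1
    fi

    # Otherwise judge by the last status line (redirects may have been followed).
    status=$(tr -d '\r' < "$hdr_file" | awk '/^HTTP\// { s = $2 } END { print s }')
    case $status in
        2??) echo ok; return 0 ;;
    esac
    echo error
    return 1
}

# Constructed sample: headers of an unauthenticated request (placeholder values).
sample=$(mktemp)
printf 'HTTP/2 302\r\nlocation: https://projects.gitlab.io/auth?domain=https://NAMESPACE.gitlab.io&state=STATE\r\n\r\n' > "$sample"
classify_pages_response "$sample" || true   # prints: auth-redirect
rm -f "$sample"
```

In a .gitlab-ci.yml script, a non-zero return from this function fails the job before the HTML stub is used as if it were the downloaded file.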
Proposal
Enable CI_JOB_TOKEN as an accepted login credential header.
Inspired by an internal GitLab Premium customer request: ZD 273770, and a continuation of a thread in gitlab#15156.
Alternatives (and what speaks against those)
- Keeping the pages public
  - But: Access Control is often required for confidentiality considerations.
- Instead of curling a file, registering it as an artifact or cache and injecting it into the job that way
  - But: Requires more artifacts storage space.
  - And: Subjects the file to expiry configuration, which may not be desirable in all cases.
- Personal or Project Access Tokens
  - But: Would require too much setup (custom scripting) if many similar projects require similar CI job behaviour
  - And: Risks getting leaked into job logs via unprotected branches.
- 3rd-party storage (FTP).
  - But: Would require a custom access control logic as well.
- Using the repo files API, if that would accept CI_JOB_TOKEN
Intended users