Bot users don't have access to internal projects
Summary
A pipeline created with a project access token fails when including a .gitlab-ci.yml
template from an internal project.
Steps to reproduce
- Create a project with 'internal' visibility and create a file .gitlab-ci.template.yml to reference as a template.
- Create another project. In this second project:
  - Create a .gitlab-ci.yml which includes the template from the first project, similar to this:

        include:
          - project: 'path/to/the/internal/project'
            file: '/.gitlab-ci.template.yml'

  - Create a project access token with api and write_repository permissions.
- Trigger a pipeline by pushing a commit using the access token.
- Also trigger a pipeline as a "regular" user to see it not fail.
What is the current bug behavior?
The pipeline triggered by the bot user fails with:

    Found errors in your .gitlab-ci.yml:
    - Project path/to/the/internal/project not found or access denied! Make sure any includes in the pipeline configuration are correctly defined.
What is the expected correct behavior?
The pipeline is started just as it would be by a logged-in user. Note: many reports were not reproducible due to incorrect identification of private vs. internal projects; however, #361993 (comment 1674185875) may be helpful in reproduction.