CI job tokens can't register composer packages
🔥 Problem
The composer package registry has basically two operations:
1. Registering a branch as a package (similar to "publishing" a package). This is a custom curl command.
2. Pulling a package (can be done at multiple levels). This is done with composer commands.
Add ci job token support to the Composer packag... (!127300 - merged) changed how CI job tokens authenticate, so that composer commands can be used to configure the CI job token as credentials.
The issue is that the change also affected (1.). As a side effect, CI job token authentication for (1.) changed from custom HTTP headers to basic auth.
This is clearly a breaking change.
🚒 Solution
Revert changes on the endpoint for (1.).
🔮 Possible workaround
Since the authentication changed to basic auth, we can use basic auth to interact with (1.).
From:
'curl --header "Job-Token: $CI_JOB_TOKEN" --data tag=<tag> "${CI_API_V4_URL}/projects/$CI_PROJECT_ID/packages/composer"'
to:
'curl -u "gitlab-ci-token:$CI_JOB_TOKEN" --data tag=<tag> "${CI_API_V4_URL}/projects/$CI_PROJECT_ID/packages/composer"'
🔧 A different and more stable workaround
Another workaround was found (credits to @frank.fleige.grz): switch to a deploy token. Deploy tokens still work with custom headers and will still work once the revert MR lands on gitlab.com. See the "To publish the package with a deploy token" section of https://docs.gitlab.com/ee/user/packages/composer_repository/#publish-a-composer-package-by-using-the-api.
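An added sketch of the two workarounds above as a CI helper (not code from this issue or from GitLab): it uses the deploy token when one is set, otherwise the job token over basic auth, and passes the credential to curl through a config read from stdin so it is not part of curl's argument list. `COMPOSER_DEPLOY_TOKEN` and the function names are hypothetical; the `Deploy-Token` header is the one the linked documentation section describes.

```shell
#!/bin/sh
# Added example, not GitLab's code. COMPOSER_DEPLOY_TOKEN is a hypothetical CI variable.

# Emit a curl config line carrying the credential for one auth mode:
#   job-header  custom header (endpoint behaviour before the change / after the revert)
#   job-basic   basic auth with the job token (the workaround in this issue)
#   deploy      deploy token header (the more stable workaround)
composer_auth_config() {
  mode=$1 token=$2
  # Refuse values that would break out of the quoted curl config string.
  case "$token" in
    ''|*\"*|*\\*|*[[:cntrl:]]*) echo "refusing malformed token" >&2; return 2 ;;
  esac
  case "$mode" in
    job-header) printf 'header = "Job-Token: %s"\n' "$token" ;;
    job-basic)  printf 'user = "gitlab-ci-token:%s"\n' "$token" ;;
    deploy)     printf 'header = "Deploy-Token: %s"\n' "$token" ;;
    *) echo "unknown auth mode: $mode" >&2; return 2 ;;
  esac
}

# Prefer the deploy token when set; otherwise fall back to the job token.
pick_auth_mode() {
  if [ -n "${COMPOSER_DEPLOY_TOKEN:-}" ]; then echo deploy
  elif [ -n "${CI_JOB_TOKEN:-}" ]; then echo job-basic
  else return 1
  fi
}

# Register <tag> as a package version. The credential reaches curl on stdin
# (--config -), so it does not appear in curl's argument list.
publish_tag() {
  tag=$1
  mode=$(pick_auth_mode) || { echo "no token available" >&2; return 1; }
  case "$mode" in
    deploy) token=$COMPOSER_DEPLOY_TOKEN ;;
    *)      token=$CI_JOB_TOKEN ;;
  esac
  cfg=$(composer_auth_config "$mode" "$token") || return
  printf '%s\n' "$cfg" |
    curl --fail --silent --show-error --config - \
      --data-urlencode "tag=$tag" \
      "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/composer"
}

# In a CI job: publish_tag "$CI_COMMIT_TAG"
```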