Unable to use group/project token to download a release asset, but personal token works.


Summary

The Project Release API currently only supports Personal Access Tokens for downloading release assets, but should also support Project Access Tokens, Group Access Tokens, and Deploy Tokens to enable better automation and security practices.

Problem Statement

Currently, downloading release assets via the Project Release API requires Personal Access Tokens (PATs), which creates several limitations:

  1. Security concerns: PATs are tied to individual users and may have broader permissions than necessary
  2. Automation challenges: CI/CD pipelines requiring cross-project asset downloads must use PATs, creating maintenance overhead
  3. Token management: Organizations cannot use more restrictive token types for automated workflows

Current Behavior

  • Personal Access Tokens work for release asset downloads
  • Project Access Tokens return a 302 redirect to the login page
  • Group Access Tokens return a 302 redirect to the login page
  • Deploy Tokens are not supported

Expected Behavior

The following token types should be supported for downloading release assets:

  • Project Access Tokens: For project-scoped automation
  • Group Access Tokens: For cross-project workflows within a group
  • Deploy Tokens: For read-only access to releases

Use Cases

  1. CI/CD Automation: Pipelines in one project downloading release assets from another project
  2. Deployment Scripts: Automated deployment processes using scoped tokens
  3. Security Compliance: Using least-privilege tokens instead of broad PATs

API Endpoints Affected

  • GET /projects/:id/releases/:tag_name/downloads/:filepath
  • Web-facing download URLs: /-/releases/:tag_name/downloads/:filepath
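The reproduction a practitioner would want for the behaviour listed above is a probe that sends each token type to the release asset endpoint and reports the raw status without following redirects, so that the 302 to the login page is visible rather than silently followed to an HTML login form. The script below is an added example, not code from the issue or from GitLab. It assumes a GITLAB_URL environment variable (default https://gitlab.com), the /api/v4 prefix, that personal, project and group access tokens are sent in the PRIVATE-TOKEN header and deploy tokens in the DEPLOY-TOKEN header, and that the caller supplies a URL-encoded project id, tag and asset path; the function and variable names are the example's own.

```bash
#!/usr/bin/env bash
# Probe GET /projects/:id/releases/:tag_name/downloads/:filepath with one token
# and report the HTTP status and Location header. Redirects are deliberately NOT
# followed (no -L), so a 302 to the sign-in page shows up as "login-redirect"
# instead of a 200 for an HTML login page that looks like success.
#
# Assumptions (example's own, not from the issue): GITLAB_URL, header names,
# and that the caller URL-encodes the project id (e.g. group%2Fproject).

# Map a raw HTTP status code to a one-word verdict for the token under test.
classify_status() {
    case "$1" in
        200)     echo "accepted" ;;          # asset bytes were served
        302)     echo "login-redirect" ;;    # bounced to the sign-in page
        401|403) echo "rejected" ;;          # token seen but not authorised
        404)     echo "not-found" ;;         # wrong path, or project hidden
        000)     echo "no-response" ;;       # curl could not connect
        *)       echo "unexpected:$1" ;;
    esac
}

# Build the API URL for a release asset from project id, tag and asset path.
release_asset_url() {
    local project="$1" tag="$2" path="$3"
    printf '%s/api/v4/projects/%s/releases/%s/downloads/%s' \
        "${GITLAB_URL:-https://gitlab.com}" "$project" "$tag" "$path"
}

# probe_release_asset HEADER TOKEN PROJECT TAG PATH
# Prints: <label> <status> <verdict> [Location: ...]
probe_release_asset() {
    local header="$1" token="$2" project="$3" tag="$4" path="$5"
    local url code location headers
    url=$(release_asset_url "$project" "$tag" "$path")
    headers=$(mktemp)
    # -o /dev/null discards the body; -D captures response headers;
    # -w prints only the status code so it can be captured in $code.
    code=$(curl -sS -o /dev/null -D "$headers" -w '%{http_code}' \
               -H "${header}: ${token}" "$url" 2>/dev/null || echo 000)
    location=$(awk 'tolower($1)=="location:" {print $2}' "$headers" | tr -d '\r')
    rm -f "$headers"
    printf '%-13s %s %s' "$header" "$code" "$(classify_status "$code")"
    [ -n "$location" ] && printf ' Location: %s' "$location"
    printf '\n'
}

# Run the probe once per token type. Each argument is HEADER=TOKEN, e.g.
#   probe_all 42 v1.2.3 binaries/app.tar.gz \
#       PRIVATE-TOKEN="$PAT" PRIVATE-TOKEN="$PROJECT_TOKEN" DEPLOY-TOKEN="$DEPLOY_TOKEN"
probe_all() {
    local project="$1" tag="$2" path="$3"; shift 3
    local spec
    for spec in "$@"; do
        probe_release_asset "${spec%%=*}" "${spec#*=}" "$project" "$tag" "$path"
    done
}

# Only run the probes when executed directly with arguments, so the functions
# can also be sourced into another script.
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ "$#" -ge 4 ]; then
    probe_all "$@"
fi
```

A "login-redirect" verdict for a project or group access token alongside "accepted" for a personal access token on the same URL is exactly the discrepancy this issue describes; a "rejected" verdict instead points at missing scopes on the token rather than at the token type being unsupported.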

Proposed Solution

Update the authentication logic for release asset downloads to accept:

  • Project Access Tokens (with appropriate read_api or read_repository scopes)
  • Group Access Tokens (with appropriate scopes)
  • Deploy Tokens (with read_repository scope)

This would align release asset authentication with other GitLab APIs that already support these token types.


Note: This issue was originally reported as a bug but is being reframed as a feature request to add broader token support to the Release API.

Edited by 🤖 GitLab Bot 🤖