If there is a protected branch rule preventing users from pushing to branches matching * then trigger jobs don't work for tags.
Summary
Encountered with one of our self-hosted GitLab Enterprise projects. If you configure your repo to have a wildcard branch protection rule as a catch-all for branches that don't match an established naming convention, and that branch protection rule is set so that "No One" can push (because you want to force people to follow the naming convention), then build pipelines that run for tags fail to start child pipelines for jobs that trigger a downstream pipeline (with the error "no permission to trigger downstream pipeline").
Steps to reproduce
- Create a "downstream" project with a simple job definition like this one
- Create an "upstream" project with a `.gitlab-ci.yml` that has a job that uses `trigger` and references the "downstream" project with `include` (so the permissions beyond "read" on the downstream projects should be irrelevant). See example
- Configure the "upstream" project to have a protected branch rule that allows "No One" to push to branches matching `*` (note: for this to make sense you should have other branch protection rules that do allow users to push).
- Create a tag
Example Project
- https://gitlab.com/sflanker/pipeline-trigger-bug-downstream
- https://gitlab.com/sflanker/pipeline-trigger-bug-upstream
What is the current bug behavior?
The job in the upstream project fails to start for any pipeline that is running for a tag, with the error "no permission to trigger downstream pipeline".
What is the expected correct behavior?
The job should run, because the pipeline is running for a tag, not a branch, and the user in this case has permission to create a tag.
Relevant logs and/or screenshots
Example "Protected branches" configuration:
Output of checks
This bug happens on GitLab.com
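A check for the configuration described in this report, as an added example (not the reporter's or GitLab's code): given rules shaped like the protected branches API output, it lists tag names that are matched only by "No one can push" rules. It assumes the tag name is compared against branch patterns, as the reported behaviour implies, and that the most permissive matching rule wins; the sample rules and tag names are constructed.

```python
import re

NO_ONE = 0  # GitLab access level value for "No one"

# Constructed sample, shaped like the protected branches API response.
SAMPLE_RULES = [
    {"name": "main", "push_access_levels": [{"access_level": 40}]},
    {"name": "feature/*", "push_access_levels": [{"access_level": 30}]},
    {"name": "*", "push_access_levels": [{"access_level": NO_ONE}]},
]


def rule_matches(pattern, ref_name):
    """Wildcard match: '*' matches any run of characters, nothing else is special."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, ref_name) is not None


def blocks_all_pushes(rule):
    """True when every push access entry on the rule is 'No one'."""
    levels = rule.get("push_access_levels", [])
    return bool(levels) and all(l.get("access_level") == NO_ONE for l in levels)


def effective_block(ref_name, rules):
    """Names of the rules that block the ref, or [] if it is unaffected.

    Assumption: when several rules match, the most permissive one wins,
    so the ref is blocked only if every matching rule blocks pushes.
    """
    matching = [r for r in rules if rule_matches(r["name"], ref_name)]
    if matching and all(blocks_all_pushes(r) for r in matching):
        return [r["name"] for r in matching]
    return []


def audit_tags(tag_names, rules):
    """Map each tag that only matches 'No one' rules to those rule names."""
    report = {}
    for tag in tag_names:
        blocked_by = effective_block(tag, rules)
        if blocked_by:
            report[tag] = blocked_by
    return report


if __name__ == "__main__":
    for tag, names in audit_tags(["v1.0.0", "feature/demo"], SAMPLE_RULES).items():
        print(f"{tag}: only matched by no-push rule(s) {names}")
```

A ref named `feature/demo` is not reported because the more permissive `feature/*` rule also matches it, while `v1.0.0` falls through to the catch-all.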
