git push using a Project Access Token throws a 'remote: HTTP Basic: Access denied' error from a TAG pipeline only

Summary

Project Access Token throws an error when used to push to the same repo (public or private) from a pipeline when the pipeline is triggered from a tag/release, but is fine when the pipeline is NOT triggered from a tag/release.

It gives the error:

remote: HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See https://gitlab.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied

Steps to reproduce

  1. Generate a Project Access Token as Owner with all permissions for testing
  2. Add the token to the CICD vars, CI_ACCESS_TOKEN (Protect, Masked, Expanded)
  3. In the gitlab-ci.yml script add the following
stages:
  - generate_push

generate_push:
  stage: generate_push
  script:
    - git config --global user.email $GITLAB_USER_EMAIL
    - git config --global user.name $GITLAB_USER_NAME
    - echo $GITLAB_USER_EMAIL $GITLAB_USER_NAME $CI_COMMIT_TAG
    - echo test > test.txt
    - git add test.txt
    - git commit -m 'added test.txt'
    - git push https://can_be_anything:$CI_ACCESS_TOKEN@gitlab.com/YOUR_USER/YOUR_PROJECT.git HEAD:main -o ci.skip
  rules:
    - if: '$CI_COMMIT_TAG' # Run only if a tag exists
  4. Create a release
  5. Pipeline for the tag fails

Strangely, this works fine if you run a regular pipeline without the rules section. Note that the GITLAB config vars remain the same throughout.

Example Project

https://gitlab.com/rimichaeru/project_access_token_push_issue

  1. (ignore the initial failing commit, I was pushing to the wrong repo)
  2. The second commit ran the pipeline without the rules to prove that it worked; it added the new .txt file
  3. The third commit was the automatic one done by the pipeline
  4. The fourth commit was enabling the rules to only run on a tag, and also changed the .txt file name

What is the current bug behaviour?

The 'remote: HTTP Basic: Access denied.' error is thrown when the pipeline runs from a tag.

What is the expected correct behavior?

The pipeline passes from a tag, just like it does when it's not from a tag.

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info

- $CI_COMMIT_TAG - automatically generated upon creating a release/tag
- $CI_ACCESS_TOKEN - manually generated from the Project Access Token and added to CICD vars

Possible fixes

Allow the $CI_JOB_TOKEN permissions for the repo to be customised to allow pushes to the same repo? Would bypass the current implementation.

Edited by Lee-Michael D'Souza
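
One thing to rule out for the failure reported above, as an added example that is not part of the original report: step 2 marks CI_ACCESS_TOKEN as Protected, and GitLab passes protected variables only to pipelines that run on protected branches or protected tags, so on an unprotected tag the job sees an empty token. The preflight function below reports that case before `git push` runs; the function name and return codes are assumptions made for this example, while CI_COMMIT_TAG, CI_COMMIT_REF_NAME and CI_COMMIT_REF_PROTECTED are GitLab predefined variables.

```shell
#!/bin/sh
# Added example: preflight check for the push job in the report above.
# CI_ACCESS_TOKEN is the variable name used in the report.
# Return codes (chosen for this example, not defined by GitLab):
#   0  token present, the push can be attempted
#   2  token empty and the ref is not protected
#      (a variable marked Protected is withheld from this pipeline)
#   3  token empty although the ref is protected
#      (variable missing, misnamed, or scoped to another environment)
# Call it in the job script before `git push`:  preflight_push_token || exit $?

preflight_push_token() {
    ref="${CI_COMMIT_TAG:-${CI_COMMIT_REF_NAME:-unknown}}"
    kind="branch"
    if [ -n "${CI_COMMIT_TAG:-}" ]; then
        kind="tag"
    fi

    if [ -n "${CI_ACCESS_TOKEN:-}" ]; then
        # Report only the length, never the value, so nothing leaks into the job log.
        echo "preflight: CI_ACCESS_TOKEN is set (${#CI_ACCESS_TOKEN} chars) for $kind '$ref'"
        return 0
    fi

    if [ "${CI_COMMIT_REF_PROTECTED:-false}" != "true" ]; then
        echo "preflight: CI_ACCESS_TOKEN is empty and $kind '$ref' is not protected." >&2
        echo "preflight: a variable marked Protected is not passed to this pipeline." >&2
        echo "preflight: protect the tag pattern, or unprotect the variable." >&2
        return 2
    fi

    echo "preflight: CI_ACCESS_TOKEN is empty on protected $kind '$ref'." >&2
    echo "preflight: check the variable name and its environment scope." >&2
    return 3
}
```

A return code of 2 on the tag pipeline and 0 on the main-branch pipeline would match the difference described in the report.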