GraphQL mutation ciJobTokenScopeRemoveProject always fails with "Target project is not in job scope"
Summary
The GraphQL mutation ciJobTokenScopeRemoveProject always seems to fail with "Target project is not in job scope" even when it is.
Steps to reproduce
For testing, I have created two projects on gitlab.com for testing purposes (these repositories contain no data and I allow GitLab staff to use them for reproducing and debugging this issue, although recreating it manually should be very easy as I documented all changes I made):
- https://gitlab.com/TheLastProject/ci_job_token_test_1
- https://gitlab.com/TheLastProject/ci_job_token_test_2
In the TheLastProject/ci_job_token_test_1 repository I have manually added TheLastProject/ci_job_token_test_2 to the CI/CD job token allowlist under Settings -> CI/CD -> Job token permissions.
When using GraphiQL on https://gitlab.com/-/graphql-explorer, I can confirm the project is in the inbound allow list:
Query:
query {
project(fullPath:"TheLastProject/ci_job_token_test_1") {
ciJobTokenScope {
inboundAllowlist {
nodes {
fullPath
}
}
}
}
}Result:
{
"data": {
"project": {
"ciJobTokenScope": {
"inboundAllowlist": {
"nodes": [
{
"fullPath": "TheLastProject/ci_job_token_test_2"
},
{
"fullPath": "TheLastProject/ci_job_token_test_1"
}
]
}
}
}
}
}Trying to remove the TheLastProject/ci_job_token_test_2 project however fails:
Mutation:
mutation {
ciJobTokenScopeRemoveProject(input:{
projectPath:"TheLastProject/ci_job_token_test_1",
targetProjectPath:"TheLastProject/ci_job_token_test_2"
}) {
errors
}
}Result:
{
"data": {
"ciJobTokenScopeRemoveProject": {
"errors": [
"Target project is not in the job token scope"
]
}
}
}Example Project
See above
What is the current bug behavior?
The project is not removed with the "Target project is not in the job token scope" message.
What is the expected correct behavior?
The project is removed from the "CI/CD job token allowlist".
Relevant logs and/or screenshots
See reproduction steps
Output of checks
This bug happens on GitLab.com