Malformed URL of "Download CSV" button for CI job token authentication log causes download to fail
Summary
With the recent addition of the Job token authentication log, you can now download a CSV containing a list of projects that have used a CI job token to authenticate to the project, and when they last did so.
In a project's Settings > CI/CD > Job token permissions > Authentication log, there's a Download CSV button. The URL generated for this button is malformed. It should be:
/my-group/my-project/-/settings/ci_cd/export_job_token_authorizations
Instead, it's:
/my-project/my-project/-/settings/ci_cd/export_job_token_authorizations
When you click the button, it does attempt to download a CSV file, but it fails since the path is invalid:
Steps to reproduce
- Add Project A to Project B's CI/CD job token allowlist.
- Configure Project A's CI/CD to clone Project B using the CI job token:
  stages:
    - clone
  clone-project-b:
    stage: clone
    script:
      - git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@example.gitlab.com/my-group/project-b.git
- Trigger a pipeline in Project A.
- Wait a couple minutes after the Project A pipeline completes. In Project B's Settings > CI/CD > Job token permissions > Authentication log, you'll see an entry for my-group/project-a.
- Hover over the Download CSV button and you'll see the following URL:
https://example.gitlab.com/project-b/project-b/-/settings/ci_cd/export_job_token_authorizations
- When you click on Download CSV, your browser will attempt to download token_log_report.csv, but will fail with a message like "File wasn't available on site".
Workaround
The CSV downloads just fine if you use the right URL path. Enter this manually in the browser and a valid CSV will download:
https://example.gitlab.com/my-group/my-project/-/settings/ci_cd/export_job_token_authorizations.csv
Example Project
This is a private project; if you ping me (@jgaughan), I can add you to it: https://gitlab.com/jgaughan_ultimate_group/zd-577124-job-tokens-clonee
What is the current bug behavior?
An invalid URL is generated for the "Download CSV" button, which causes the CSV download to fail when you click the button.
What is the expected correct behavior?
A valid URL is generated for the "Download CSV" button, and clicking the button triggers a successful download of the authentication log CSV file.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com