Add Support for Committing Git LFS Objects Using $CI_JOB_TOKEN
Release notes
Problem to solve
Currently, you can use the $CI_JOB_TOKEN to authenticate and make commits to a project in GitLab. However, this token does not support committing Git LFS (Large File Storage) objects. Attempting to do so results in a 403 error, accompanied by the following message:
warning: Authentication error: Authentication required: Access forbidden. Check your access level.
batch response: Access forbidden. Check your access level.
< HTTP/2.0 403 Forbidden
< Connection: close
< Cache-Control: no-cache
< Content-Security-Policy:
< Content-Type: application/vnd.git-lfs+json; charset=utf-8
< Date: Tue, 11 Mar 2025 10:30:20 GMT
< Permissions-Policy: interest-cohort=()
< Server: nginx
< Strict-Transport-Security: max-age=63072000
< Vary: Accept
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Gitlab-Meta: {"correlation_id":"01JP2C2R6J5D7AXHAX7WZ4EVXN","version":"1"}
< X-Permitted-Cross-Domain-Policies: none
< X-Request-Id: 01JP2C2R6J5D7AXHAX7WZ4EVXN
< X-Runtime: 0.077709
< X-Ua-Compatible: IE=edge
< X-Xss-Protection: 1; mode=block
<
13:30:20.728944 trace git-lfs: HTTP: {"message":"Access forbidden. Check your access level.","documentation_url":"https://example.com/help"}
{"message":"Access forbidden. Check your access level.","documentation_url":"https://example.com/help"}warning: Authentication error: Authentication required: Access forbidden. Check your access level.
13:30:20.728998 trace git-lfs: tq: running as batched queue, batch size of 100
13:30:20.729069 trace git-lfs: run_command: git rev-list --objects --ignore-missing --stdin --
13:30:20.729073 trace git-lfs: exec: git '-c' 'filter.lfs.smudge=' '-c' 'filter.lfs.clean=' '-c' 'filter.lfs.process=' '-c' 'filter.lfs.required=false' 'rev-list' '--objects' '--ignore-missing' '--stdin' '--'
13:30:20.729541 trace git-lfs: exec: git '-c' 'filter.lfs.smudge=' '-c' 'filter.lfs.clean=' '-c' 'filter.lfs.process=' '-c' 'filter.lfs.required=false' 'cat-file' '--batch-check'
13:30:20.729811 trace git-lfs: exec: git '-c' 'filter.lfs.smudge=' '-c' 'filter.lfs.clean=' '-c' 'filter.lfs.process=' '-c' 'filter.lfs.required=false' 'rev-parse' '--git-common-dir'
13:30:20.731522 trace git-lfs: tq: sending batch of size 1
13:30:20.731634 trace git-lfs: api: batch 1 files
13:30:20.731669 trace git-lfs: HTTP: POST https://gitlab-ci-token:<$CI_JOB_TOKEN>@example.com/tlg/zd-610573.git/info/lfs/objects/batch
> POST /tlg/zd-610573.git/info/lfs/objects/batch HTTP/1.1
> Host: example.com
> Accept: application/vnd.git-lfs+json
> Content-Length: 229
> Content-Type: application/vnd.git-lfs+json; charset=utf-8
> User-Agent: git-lfs/3.4.1 (GitHub; linux amd64; go 1.22.2)
>
{"operation":"upload","objects":[{"oid":"5fe7faff63e7cdeb9aa4ec047bdd9330177eddee0274c3d135565a93e51d1048","size":25959712}],"transfers":["ssh","lfs-standalone-file","basic"],"ref":{"name":"refs/heads/main"},"hash_algo":"sha256"}13:30:20.953692 trace git-lfs: HTTP: 403
This limitation occurs because the $CI_JOB_TOKEN lacks the necessary permissions to handle Git LFS operations, restricting its use to standard Git commits.
Proposal
Intended users
Feature Usage Metrics
Does this feature require an audit event?
Edited by 🤖 GitLab Bot 🤖
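The `HTTP: POST` line in the trace above carries the job token in the URL userinfo, and the batch request body is fused onto the following trace line. The Python sketch below is an added example, not part of the original issue or GitLab's code: it masks that credential before a trace is shared and pulls out the fields needed to triage the 403. The function names and the sample trace are assumptions constructed for illustration.

```python
import json
import re

# Constructed sample modelled on the trace format in the issue above;
# the token, project path, oid and request id are placeholders.
SAMPLE_TRACE = """\
13:30:20.731669 trace git-lfs: HTTP: POST https://gitlab-ci-token:PLACEHOLDER-TOKEN@example.com/group/project.git/info/lfs/objects/batch
> POST /group/project.git/info/lfs/objects/batch HTTP/1.1
> Host: example.com
>
{"operation":"upload","objects":[{"oid":"CONSTRUCTED-OID","size":123}],"ref":{"name":"refs/heads/main"}}13:30:20.953692 trace git-lfs: HTTP: 403
< HTTP/2.0 403 Forbidden
< X-Request-Id: CONSTRUCTED-REQUEST-ID
<
{"message":"Access forbidden. Check your access level."}
"""

USERINFO = re.compile(r"(https?://[^\s/:@]+:)[^\s/@]+@")
STATUS = re.compile(r"trace git-lfs: HTTP: (\d{3})\b")
REQUEST_ID = re.compile(r"^< X-Request-Id: (\S+)", re.MULTILINE)


def redact(trace: str) -> str:
    """Mask the password part of URL userinfo so the trace can be shared."""
    return USERINFO.sub(r"\1[REDACTED]@", trace)


def summarize_batch(trace: str) -> dict:
    """Summarize the first LFS batch request in a single-batch capture."""
    start = trace.find('{"operation"')
    if start < 0:
        return {}
    # raw_decode stops at the end of the JSON value, so a trace line fused
    # onto the request body (as in the issue's capture) does not break parsing.
    body, end = json.JSONDecoder().raw_decode(trace, start)
    status = STATUS.search(trace, end)
    req_id = REQUEST_ID.search(trace)
    code = int(status.group(1)) if status else None
    return {
        "operation": body.get("operation"),
        "ref": body.get("ref", {}).get("name"),
        "objects": len(body.get("objects", [])),
        "bytes": sum(o.get("size", 0) for o in body.get("objects", [])),
        "status": code,
        "request_id": req_id.group(1) if req_id else None,
        "upload_forbidden": body.get("operation") == "upload" and code == 403,
    }
```

The `request_id` value is what to quote when asking an administrator to look up the matching server-side log entry.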