CI Job Token allow list is now inaccessible in Gitlab 18+ if CI/CD features are turned off for a project
Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.
Summary
In GitLab 18+ the only option for allowing a project to be accessed by the CI token from another project is to go to Settings > CI/CD > Job Token Permissions and adding the project to the allow list. The problem is that in a project that has the CI/CD feature disabled (via Settings > General > Visibility,project features,permissions), it is no longer possible to edit this allow list. The CI/CD settings page is gone when this feature is disabled. Previously it could still be done from the source project via the "Limit your project’s job token access" feature which has now been removed.
It is very reasonable to have a project that does not in itself need CI pipelines, but should be accessible by other projects pipelines. In my case, my project hosts a shared package registry which needs to be accessible to other projects, but serves no other purpose and does not need the CI pipeline tools.
Steps to reproduce
- Open any project
- Go to
Settings>General - Expand
Visibility,project features,permissionsand scroll down to theRepository>CI/CDoption and disable this feature - Note that the
Settings>CI/CDpage is no longer accessible and you can no longer edit the project allow list
Example Project
This bug is not project specific and can be replicated in any project by disabling the CI/CD feature in Settings > General > Visibility,project features,permissions.
What is the current bug behavior?
The Settings > CI/CD page is no longer accessible and I can no longer allow another project to access the package registry.
What is the expected correct behavior?
Even with the CI/CD feature disabled in a project I should still have the ability to allow another project's CI/CD pipeline to access the package registry in my current project.
Relevant logs and/or screenshots
n/a
Output of checks
n/a
Results of GitLab environment info
Expand for output related to GitLab environment info
System information System: Debian 11 Proxy: no Current User: git Using RVM: no Ruby Version: 3.2.5 Gem Version: 3.6.9 Bundler Version:2.6.9 Rake Version: 13.0.6 Redis Version: 7.2.9 Sidekiq Version:7.3.9 Go Version: unknown GitLab information Version: 18.1.1-ee Revision: ceb07b24cb0 Directory: /opt/gitlab/embedded/service/gitlab-rails DB Adapter: PostgreSQL DB Version: 16.8 URL: https://**REDACTED** HTTP Clone URL: https://**REDACTED**/some-group/some-project.git SSH Clone URL: git@**REDACTED**:some-group/some-project.git Elasticsearch: no Geo: no Using LDAP: no Using Omniauth: yes Omniauth Providers: GitLab Shell Version: 14.42.0 Repository storages: - default: unix:/var/opt/gitlab/gitaly/gitaly.socket GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell Gitaly - default Address: unix:/var/opt/gitlab/gitaly/gitaly.socket - default Version: 18.1.1 - default Git Version: 2.49.0.gl2
Results of GitLab application Check
n/a
Possible fixes
The Settings > CI/CD page could remain accessible with only the allow list available on the page, or the allow list could be accessible from the Settings > Access tokens page.
Patch release information for backports
n/a
High-severity bug remediation
To remediate high-severity issues requiring an internal release for single-tenant SaaS instances, refer to the internal release process for engineers.