id_token regression in 18.2.2 for merge requests from forks

Description:
There is a regression in GitLab 18.2.2 affecting the id_token in CI/CD pipelines.
The id_token should reference the project_id of the project where the pipeline is running - and this generally still works.

However, if I create a fork and open a merge request (MR) to the original project, and run a pipeline in the MR in the original project, the id_token references the project_id of the fork instead.

This behavior was not present in GitLab 18.2.1.

This breaks downstream authentication and authorization integrations that rely on the project_id in the token to match the project where the pipeline executes.


Steps to reproduce:

  1. Create Project A (ID: 1001).
  2. In Project A, create a .gitlab-ci.yml file:
    # Job that requests an ID token and prints it so its claims can be inspected.
    gitlab-bebroken:
      id_tokens:
        mytoken:
          aud: https://someservice.com
      script:
        # base64-encode the token so it survives the job-log masking GitLab applies to raw ID tokens
        - echo $mytoken | base64
      rules:
        - when: always
  3. Fork Project A into Project B (ID: 1002).
  4. In Project B, change a file and open a merge request into Project A.
  5. Run a pipeline in the merge request in Project A.

Observed result:
The project_id in the decoded JWT is 1002 (fork project).

Expected result:
The project_id should be 1001 (original project where the pipeline actually runs).
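The check a downstream integration would run on such a token, as an added example that is not part of the issue or of GitLab's own code: decode the JWT payload, and compare the project_id and project_path claims against the project the pipeline was expected to run in. The two tokens below are constructed for the example (an HMAC demo signature, made-up project paths, the 1001/1002 IDs from the steps above); real GitLab ID tokens are RS256-signed and must additionally be signature-verified against the instance's JWKS at $CI_SERVER_URL/oauth/discovery/keys before any claim is trusted.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key, used only to give the sample tokens a signature segment.
_DEMO_KEY = b"demo-key-not-a-real-secret"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_token(claims: dict) -> str:
    """Build a JWT-shaped token from constructed claims (example only, HS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(_DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_claims(token: str) -> dict:
    """Return the payload claims. Does NOT verify the signature: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_project_binding(token: str, expected_project_id: int, expected_project_path: str) -> dict:
    """Compare the token's project claims with the project the pipeline ran in.

    GitLab emits project_id as a string claim, so both sides are normalised to str.
    'ok' is True only when id and path both match the expected project.
    """
    claims = decode_claims(token)
    id_ok = str(claims.get("project_id")) == str(expected_project_id)
    path_ok = claims.get("project_path") == expected_project_path
    return {
        "ok": id_ok and path_ok,
        "token_project_id": claims.get("project_id"),
        "token_project_path": claims.get("project_path"),
        "pipeline_source": claims.get("pipeline_source"),
    }


# Constructed sample claims; paths and aud are assumptions for the example.
_COMMON = {
    "iss": "https://gitlab.example.com",
    "aud": "https://someservice.com",
    "ref": "feature-branch",
    "ref_type": "branch",
    "pipeline_source": "merge_request_event",
}

# Token as expected: claims point at Project A, where the MR pipeline actually runs.
GOOD_TOKEN = make_demo_token({
    **_COMMON,
    "project_id": "1001",
    "project_path": "group/project-a",
    "sub": "project_path:group/project-a:ref_type:branch:ref:feature-branch",
})

# Token as observed in the regression: claims point at the fork, Project B.
REGRESSED_TOKEN = make_demo_token({
    **_COMMON,
    "project_id": "1002",
    "project_path": "someone/project-b",
    "sub": "project_path:someone/project-b:ref_type:branch:ref:feature-branch",
})


if __name__ == "__main__":
    for name, tok in (("expected", GOOD_TOKEN), ("regressed", REGRESSED_TOKEN)):
        print(name, check_project_binding(tok, 1001, "group/project-a"))
```

In a real job the token would be read from the `$mytoken` variable and the expected values from `$CI_PROJECT_ID` and `$CI_PROJECT_PATH`; a relying party that keys authorization on project_id alone would, with the regressed token, grant the fork's identity whatever Project A's pipeline is entitled to, which is why the check compares both id and path and why signature verification must precede it.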