Job token authentication log missing entries for security policy template access in downstream pipelines
Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.
Summary
Job token authentication log fails to record access when downstream pipelines access pipeline templates through security policies. When Project A triggers Project B via CI_JOB_TOKEN, and Project B's pipeline includes templates from a templates project via security policies, the authentication log in the templates project shows no record of Project A's access, despite the access being successful.
Steps to reproduce
- Set up Project A with a pipeline that triggers Project B using
CI_JOB_TOKEN:
curl -v --request POST \
--form token="${CI_JOB_TOKEN}" \
--form ref=main \
"${CI_API_V4_URL}/projects/<project-b-id>/trigger/pipeline"- Configure Project B to allow Project A with
ADMIN_PIPELINESpermission in Settings > CI/CD > Job token permissions - Set up a pipeline templates project that contains CI/CD templates
- Configure Project B to use templates from the templates project via security policies
- Add Project A to the templates project's job token allowlist with appropriate permissions
- Trigger a pipeline in Project A that triggers Project B
- Verify Project B's pipeline runs successfully and accesses the templates
- Check the authentication log in the templates project (Settings > CI/CD > Job token permissions > Authentication log)
Example Project
This issue occurs in enterprise environments with security policies and cannot be easily reproduced on GitLab.com due to the complexity of the setup required.
What is the current bug behavior?
The authentication log in the pipeline templates project shows no entries for Project A's job token access, despite:
- Project A successfully triggering Project B
- Project B's pipeline successfully accessing and using templates from the templates project
- Project A being explicitly added to the templates project's job token allowlist
The authentication log appears empty or missing the expected entries for this access pattern.
What is the expected correct behavior?
When Project A's job token is used by Project B's pipeline to access the templates project, this should appear in the templates project's authentication log showing Project A as the accessing project.
Relevant logs and/or screenshots
The authentication log in the templates project remains empty despite successful template access. The pipeline in Project B completes successfully, indicating that the templates are being accessed and used correctly.