Skip to content

Draft: Allow CI_JOB_TOKEN to push to the same repository

Anatoli Babenia requested to merge abitrolly/gitlab:push-with-job-token into master

EDIT: superseded by !152096 (merged)

What does this MR do and why?

Allows CI Job to commit results into repository (#389060 (closed)).

Based on the code from #389060 (comment 1265554578)

diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 06bdb2c1ddce..61e6ced9022e 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -326,6 +326,7 @@ def build_authentication_abilities
         [
           :read_project,
           :build_download_code,
+          :build_push_code,
           :build_read_container_image,
           :build_create_container_image,
           :build_destroy_container_image
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index 35b330fa0894..d33ffb145fb8 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -230,7 +230,7 @@ def check_authentication_abilities!
           raise ForbiddenError, error_message(:auth_download)
         end
       when *PUSH_COMMANDS
-        unless authentication_abilities.include?(:push_code)
+        unless authentication_abilities.include?(:push_code) || authentication_abilities.include?(:build_push_code)
           raise ForbiddenError, error_message(:auth_upload)
         end
       end
@@ -340,7 +340,8 @@ def check_change_access!
       if changes == ANY
         can_push = deploy_key? ||
           user_can_push? ||
-          project&.any_branch_allows_collaboration?(user_access.user)
+          project&.any_branch_allows_collaboration?(user_access.user) ||
+          authentication_abilities.include?(:build_push_code) && user_can_push?

         unless can_push
           raise ForbiddenError, error_message(:push_code)

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Anatoli Babenia

Merge request reports

Loading