Permissions Model is ignored for Bot Accounts
I'm frustrated as hell now, because I now have to throw away a separate "template" for a CI job which should be shared across a lot of projects, and have to paste the job into every project. Because of a broken permission model.

# Situation

* All projects/groups private.
* Project `SharedCI/Scanner` contains a `Dockerfile` and a `.gitlab-ci.yml` to prepare an image, and a `template.yml` for usage by other projects.
* Project `Projects/A` contains our application and includes `SharedCI/Scanner/template.yml`.
* Project `SharedCI/Scanner` has "Settings -> CI/CD -> Token Access -> Allow access to this project with a CI_JOB_TOKEN" enabled for `Projects/A`.
* Renovate runs for `Projects/A` with a `Projects` group token.
* Pipelines started by Renovate fail with invalid YAML.

# Variants tried

* Disable "Settings -> CI/CD -> Token Access -> Allow access to this project with a CI_JOB_TOKEN", so any token could access it.
* Invite group `Projects` as members of `SharedCI` with level Developer, so every member can access `SharedCI/Scanner`, which IMHO should include bots/group tokens.
* All three options.
* Using `rules` to not include `SharedCI/Scanner/template.yml` when started by Renovate, which breaks because `extends` can't find the referenced YAML template even if the job using `extends` has the same rule as the include (so it shouldn't run anyway).

# Example Setup

## SharedCI/Scanner

```
# Dockerfile
FROM alpine
```

```
# .gitlab-ci.yml
image:
  stage: build
  image:
    entrypoint: [""]
    name: gcr.io/kaniko-project/executor:debug
  only: [main]
  interruptible: true
  before_script:
    - echo "{\"auths\":{\"${CI_REGISTRY}\":{\"username\":\"${CI_REGISTRY_USER}\",\"password\":\"${CI_REGISTRY_PASSWORD}\"}}}" > /kaniko/.docker/config.json
  script:
    - /kaniko/executor --skip-unused-stages --context ${CI_PROJECT_DIR} --destination ${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME} --dockerfile ${CI_PROJECT_DIR}/Dockerfile
```

```
# template.yml
.scanner: &scanner
  image:
    name: registry.gitlab.example.com/SharedCI/Scanner:main
    entrypoint: [""]
  script:
    - echo Hello $WHO
```

## Projects/A

```
# .gitlab-ci.yml
include:
  - project: SharedCI/Scanner
    file: /template.yml

scan:
  extends: .scanner
  variables:
    WHO: world
```

# Questions

* Why are group tokens/bot users not included when inviting a group as members?
* Why do pipelines started by a bot user ignore explicitly given "Allow access to this project with a CI_JOB_TOKEN" access? (That's the one I'm most confused about.)
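The `rules`-gated include from "Variants tried" fails because GitLab resolves `extends` while compiling the configuration, before job-level `rules` are evaluated, so a job that extends a template from a skipped include is an error regardless of its own rule. The following is an added example (not part of the report) of one way to restructure that attempt: the concrete `scan` job moves into `SharedCI/Scanner/template.yml`, and `Projects/A` only includes the file conditionally, so nothing in `Projects/A` references a template that may be absent. The bot-login pattern in the `if` rule is an assumption and must be matched to the real bot user; this only avoids the invalid-YAML failure for pipelines started by the bot and grants the bot no access it does not already have.

```yaml
# --- file: SharedCI/Scanner/template.yml (added example) ---
# Hidden base job, as in the report.
.scanner:
  image:
    name: registry.gitlab.example.com/SharedCI/Scanner:main
    entrypoint: [""]
  script:
    - echo Hello $WHO

# The concrete job now lives next to its base, so `extends` always resolves.
# WHO is supplied by the including project (top-level `variables` there).
scan:
  extends: .scanner

# --- file: Projects/A/.gitlab-ci.yml (added example) ---
include:
  - project: SharedCI/Scanner
    file: /template.yml
    rules:
      # Assumption: the group bot's login matches this pattern; when the
      # pipeline was started by that bot, skip the cross-project include
      # entirely instead of letting the CI_JOB_TOKEN access check fail.
      - if: '$GITLAB_USER_LOGIN =~ /^group_[0-9]+_bot/'
        when: never
      - when: always

# Job-level variables in the template are not set, so this top-level value
# reaches the `scan` job when the include is active.
variables:
  WHO: world
```

When the include is skipped, the `scan` job simply does not exist in that pipeline, which is the behaviour the `rules` variant was aiming for; when the include is active, the pipeline is identical to the original setup. The two files are shown in one block only for readability and must be committed to their respective projects.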