CI for merge requests may fail after owner of the target repository rebases the branch via MR page
Summary
Given a Merge Request from a fork to a canonical repository…
And a user who has at least read access to both repositories rebases the merge request using the [Rebase] UI button…
The CI will run its jobs in the context of the fork and will fail because the runner lacks permission to access the fork repository.
Steps to reproduce
- Use gitlab-runner as the CI runner;
- Have two users;
- Make a canonical repository of some sort; CI should be enabled for this repository:
  - "Internal" visibility;
  - In our case the repository is owned by a group which both users are members of;
- Make a fork repository of the canonical repository:
  - Similarly, "internal" visibility;
  - Owned by the user who made the fork (i.e. username/repo);
- With the owner user of the fork repository, make a MR from the fork repository to the canonical repository;
- Push something to the branch of the canonical repository at which the MR was targeted (to have the [Rebase] button appear in the MR UI);
- As another user (not the owner of the forked repository), go to the MR page and click [Rebase].
Example Project
N/A. This is most likely not a problem with public repositories.
What is the current bug behavior?
Once the [Rebase] button is clicked, the rebase will succeed, CI will start in the context of the fork repository and all tests will fail at the cloning phase:
remote: you are not allowed to download code from this project.
fatal: unable to access <URL>: the requested URL returned error: 403
What is the expected correct behavior?
The CI should succeed in cloning the code for testing – since the fork repository has "internal" visibility, the other user has the ability to download the code from the fork repository. In fact, they even managed to do a rebase by clicking the [Rebase] button!
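As an added triage example (not part of this report or of GitLab's own code): given the JSON that GitLab's merge-request and MR-pipelines API endpoints return, flag pipelines that ran in the fork (source) project instead of the canonical (target) project and whose job log shows the clone-phase 403 quoted above. Field names follow the GitLab API (the pipeline entries are assumed to carry project_id); the sample MR, pipelines, log text and host name are constructed.

```python
import re

# Constructed sample MR (shape of GET /projects/:id/merge_requests/:iid):
# opened from fork project 42 against canonical project 7.
MR = {"iid": 15, "source_project_id": 42, "target_project_id": 7}

# Constructed sample pipelines for that MR (shape of .../merge_requests/:iid/pipelines).
# 100 ran in the canonical project; 101 was created by the UI rebase and ran in the fork.
PIPELINES = [
    {"id": 100, "project_id": 7, "sha": "a1b2c3", "status": "success"},
    {"id": 101, "project_id": 42, "sha": "d4e5f6", "status": "failed"},
]

# Constructed job log for pipeline 101; the two error lines are the ones quoted in the
# report, with a placeholder host instead of a real instance.
JOB_LOGS = {
    101: (
        "Cloning repository...\n"
        "remote: you are not allowed to download code from this project.\n"
        "fatal: unable to access https://gitlab.example.invalid/user/repo.git/: "
        "the requested URL returned error: 403\n"
    ),
}

CLONE_DENIED = re.compile(r"not allowed to download code from this project|returned error: 403")


def pipelines_in_fork(mr, pipelines):
    """Pipelines that ran in the MR's source (fork) project rather than its target."""
    if mr["source_project_id"] == mr["target_project_id"]:
        return []  # same-repository MR: nothing to flag
    return [p for p in pipelines if p["project_id"] == mr["source_project_id"]]


def clone_denied(log_text):
    """True when a job log shows the clone-phase permission failure from the report."""
    return CLONE_DENIED.search(log_text) is not None


def triage(mr, pipelines, logs):
    """Map pipeline id -> finding for failed fork-context pipelines whose clone was denied."""
    findings = {}
    for p in pipelines_in_fork(mr, pipelines):
        if p["status"] == "failed" and clone_denied(logs.get(p["id"], "")):
            findings[p["id"]] = "ran in fork project %d instead of target project %d; clone denied (403)" % (
                p["project_id"], mr["target_project_id"])
    return findings
```

Calling triage(MR, PIPELINES, JOB_LOGS) on the constructed data reports only pipeline 101, which is the signature of the behaviour described in this issue.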
Relevant logs and/or screenshots
N/A
Output of checks
This bug probably happens on gitlab.com as well.
Results of GitLab environment info
I do not have access to the server on which the GitLab instance runs; I'm only a user.
GitLab version: 11.2.3 (gitlab-ce@06cbee3bf9dd960380390c0a5df9b67a52a85ba9)
Results of GitLab application Check
I do not have access to the server on which the GitLab instance runs; I'm only a user.