read_repository Deploy Tokens cannot download tag/branch tarballs
Summary
Deploy Tokens with read_repository rights can be used to fetch the entire git history of a repo, but cannot be used to fetch tarballs of specific tags or branches.
Our particular use case is specifying tag tarball URLs in Yocto recipes for automated builds. The repositories are hosted on an internal GitLab EE instance, though I've confirmed the same behavior with a private repo on gitlab.com.
The workaround is to clone the repo and check out the desired commit. However, this results in significant wasted bandwidth, even when using clone --depth=1 (which only works for branches).
Steps to reproduce
Create a read_repository Deploy Token on a private repo, and attempt to fetch a tarball from the repo:
$ curl -u gitlab+deploy-token-NNNNN:<deploy-token> https://gitlab.com/<org>/<repo>/-/archive/<tag>/<repo>-<tag>.tar.gz
What is the current bug behavior?
Server responds 401 Unauthorized.
What is the expected correct behavior?
Server should respond with requested tarball.
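An automated-build fetch that tries the archive endpoint with the Deploy Token first and, on the 401 described above, falls back to the clone-and-checkout workaround, as an added example that is not part of the report or GitLab's own code; host, project path, token user, token and tag are placeholders taken from the command line.

```python
"""Fetch a GitLab tag tarball with a read_repository Deploy Token; fall back to a
clone plus local `git archive` when /-/archive answers 401 (the reported bug).
Added example: endpoints follow the report, all inputs are placeholders."""
import subprocess
import sys
import tempfile
import urllib.error
import urllib.request
from base64 import b64encode


def archive_url(base: str, project: str, ref: str) -> str:
    """Build the /-/archive/<ref>/<repo>-<ref>.tar.gz URL used in the report."""
    project = project.strip("/")
    repo = project.split("/")[-1]
    return f"{base.rstrip('/')}/{project}/-/archive/{ref}/{repo}-{ref}.tar.gz"


def basic_auth_header(user: str, token: str) -> str:
    """Same credential curl -u <user>:<token> sends, as an Authorization value."""
    return "Basic " + b64encode(f"{user}:{token}".encode()).decode()


def fetch_archive(url: str, user: str, token: str, dest: str) -> int:
    """Try the archive endpoint; return the HTTP status (200 on success, 401 = bug)."""
    req = urllib.request.Request(url, headers={"Authorization": basic_auth_header(user, token)})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp, open(dest, "wb") as out:
            out.write(resp.read())
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def clone_and_archive(base: str, project: str, ref: str, user: str, token: str, dest: str) -> None:
    """Workaround from the report: clone with the token, check out the ref, pack it locally.
    The token goes in an HTTP header (git's http.extraHeader), not in the clone URL,
    so it does not show up in the process list or shell history."""
    auth = f"http.extraHeader=Authorization: {basic_auth_header(user, token)}"
    repo = project.strip("/").split("/")[-1]
    with tempfile.TemporaryDirectory() as tmp:
        subprocess.run(["git", "-c", auth, "clone", "--quiet", f"{base.rstrip('/')}/{project}.git", tmp], check=True)
        subprocess.run(["git", "-C", tmp, "checkout", "--quiet", ref], check=True)
        subprocess.run(["git", "-C", tmp, "archive", f"--prefix={repo}-{ref}/", "-o", dest, ref], check=True)


if __name__ == "__main__":
    base, project, ref, user, token, dest = sys.argv[1:7]
    if fetch_archive(archive_url(base, project, ref), user, token, dest) == 401:
        clone_and_archive(base, project, ref, user, token, dest)
```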