Access denied error when pushing repo via CI

Problem to solve

I’m a bit puzzled by an issue with my CI pipeline. The way I have my project set up, when I push a change, as part of the workflow the pipeline will check if there has been an API change, and if so will push out a swagger model to a separate repository in the same group, which then generates and publishes an SDK client for the updated API. Both repositories use the same group access token, which is saved as a CI variable in the group.

The second repository's CI workflow fails when it needs to upload the updated generated source code. Rather interestingly, however, the first project's pipeline successfully uploads the new model to the same repository without issues. I have verified that the token used is the same. The second repository fails with the following error:

remote: HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See https://git.example.us/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied
fatal: Authentication failed for 'https://git.example.us/xyz/xyz-sdk/'

Steps to reproduce

Here are the relevant excerpts from the workflow starting with the first repository (which succeeds):

git clone https://oauth2:${GROUP_REPO_TOKEN}@git.example.us/xyz/xyz-sdk
cd xyz-sdk

[... API schema comparison/versioning steps omitted ...] 

git add .
git commit -m "[AUTO] Release for version $VERSION"
git push origin HEAD:live

Here is the code for the second repository which fails (this repo does this in gitlab-ci file directly which I don’t think would have an impact, so pasting the entire job here):

publish-source:
  stage: publish
  image: cicirello/alpine-plus-plus
  tags:
    - docker
  script:
    - git add *
    - git config --global user.email "none@example.us"
    - git config --global user.name "XYZAutoPublisher"
    - git commit -m "[AUTO] Automatically-Generated SDK source code"
    - git config remote.gitlab_origin.url >&- || git remote add gitlab_origin https://oauth2:${GROUP_REPO_TOKEN}@git.example.us/xyz/xyz-sdk
    - git push gitlab_origin HEAD:live -o ci.skip 

The code fails on the last step. Note that it pulls in generated artifacts from previous steps.

This configuration used to work just fine, and the token does not expire for quite a while.

Token permissions are as follows:

api, read_api, read_repository, write_repository, read_registry, write_registry

The token last used timestamp also confirms that it was last used by the first repository.

Recreating the token with the same permissions does not resolve the issue.

Versions

Please select whether options apply, and add the version information.

  • Self-managed
  • GitLab SaaS
  • Self-hosted Runners

Versions

  • GitLab: 17.4
  • GitLab Runner, if self-hosted (Web /admin/runners or CLI gitlab-runner --version): 17.2.1
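
One thing worth ruling out for a job like publish-source, as an added example that is not part of the original post: the `git config remote.gitlab_origin.url ... || git remote add ...` guard only writes the URL when the remote does not exist yet, so a remote left in `.git/config` keeps whatever token was embedded when it was created. The sketch assumes the runner reuses the job's working directory between pipelines; the function names and the OLD-TOKEN/NEW-TOKEN values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Assumption: .git/config can survive from an earlier job
# because the runner reuses the working directory.

# guard_from_job NAME URL: same guard as the job's script line
# (stdout is discarded here instead of closed).
guard_from_job() {
    git config "remote.$1.url" >/dev/null || git remote add "$1" "$2"
}

# ensure_remote NAME URL: create the remote or overwrite its URL, so the
# embedded credential is always the one supplied by the current job.
ensure_remote() {
    if git config --get "remote.$1.url" >/dev/null 2>&1; then
        git remote set-url "$1" "$2"
    else
        git remote add "$1" "$2"
    fi
}

# remote_token_state NAME TOKEN: compare the password stored in the remote
# URL with TOKEN without printing either one.
# Prints: missing | no-credential | match | stale
remote_token_state() {
    url=$(git config --get "remote.$1.url" 2>/dev/null) || { echo missing; return 0; }
    case $url in
        *://*:*@*) ;;
        *) echo no-credential; return 0 ;;
    esac
    stored=${url#*://}       # drop the scheme
    stored=${stored%%@*}     # keep user:password
    stored=${stored#*:}      # keep the password only
    if [ "$stored" = "$2" ]; then echo match; else echo stale; fi
}

# demo: constructed scenario in a throwaway repository (no network access).
demo() (
    dir=$(mktemp -d) && cd "$dir" && git init -q . 2>/dev/null || exit 1
    base="git.example.us/xyz/xyz-sdk"
    guard_from_job gitlab_origin "https://oauth2:OLD-TOKEN@$base"  # earlier job
    guard_from_job gitlab_origin "https://oauth2:NEW-TOKEN@$base"  # after rotation
    before=$(remote_token_state gitlab_origin NEW-TOKEN)
    ensure_remote gitlab_origin "https://oauth2:NEW-TOKEN@$base"
    after=$(remote_token_state gitlab_origin NEW-TOKEN)
    cd / && rm -rf "$dir"
    echo "$before -> $after"
)

demo
```

In a job, calling `remote_token_state gitlab_origin "$GROUP_REPO_TOKEN"` just before the push reports whether the stored credential is the current one without writing the token to the job log.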