Looking at the documentation I was under the impression
$CI_JOB_TOKEN would have access the following two APIs:
This seems to be a fallacy as using the HTTP header
Job-Token: $CI_JOB_TOKEN to call the first URL yields HTTP 404 although the URL is valid. Doing so with
Private-Token: personal-access-token works.
Which predefined variables can I use to access the registry/repositories API?
Likewise I thought I could use
$CI_REGISTRY_PASSWORD to access the actual Docker registry API at e.g.
https://host:port/v2/group/project/tags/list. Yet, that also seems to be a fallacy as the call fails due to an
Unauthorized response. I know I first need to obtain a Bearer token for a user/password combination. Non-CI_REGISTRY_xxx users work fine.
 How to interact with the Docker registry API: https://www.pimwiddershoven.nl/entry/request-an-api-bearer-token-from-gitlab-jwt-authentication-to-control-your-private-docker-registry)