Looking at the documentation I was under the impression $CI_JOB_TOKEN would have access the following two APIs:
-
GET /api/v4/projects/:id/registry/repositoriesand -
DELETE /api/v4/projects/:id/registry/repositories/:repository_id/tags/:tag_name.
This seems to be a fallacy as using the HTTP header Job-Token: $CI_JOB_TOKEN to call the first URL yields HTTP 404 although the URL is valid. Doing so with Private-Token: personal-access-token works.
Which predefined variables can I use to access the registry/repositories API?
Likewise I thought I could use $CI_REGISTRY_USER/$CI_REGISTRY_PASSWORD to access the actual Docker registry API at e.g. https://host:port/v2/group/project/tags/list. Yet, that also seems to be a fallacy as the call fails due to an Unauthorized response. I know I first need to obtain a Bearer token for a user/password combination[1]. Non-CI_REGISTRY_xxx users work fine.
[1] How to interact with the Docker registry API: https://www.pimwiddershoven.nl/entry/request-an-api-bearer-token-from-gitlab-jwt-authentication-to-control-your-private-docker-registry)