API token in CI job

Is there a best practice for obtaining an API token within a continuous integration job?

I can get my API calls working using a personal access token, but is it safe to include my personal access token directly in the gitlab-ci.yml file? Anyone else could use that token to perform actions as me, right? I could pass it as a secret project variable but those are still visible to other project Masters.

I hoped that using the $CI_BUILD_TOKEN would just work, but it appears that it does not work for main API access, only for the CI API. I get a 401 Unauthorized error.

(My reason for doing this is to download the latest artifacts from a reference branch and compare them to the artifacts from the current build).

Hi @jbshaler,

Have you ever figured out how to do it? I tried using $CI_JOB_TOKEN but got access denied.


@roytmana: I ended up just using a personal access token. My project is private with only a few team members so I'm not too worried about them trying to impersonate me for nefarious reasons.

Thanks @jbshaler. I created a separate user with a big password and generated a token for it, but it is a pain to add the user to a bunch of groups/projects and register its token with them :frowning:

I think the CI script should support API calls natively.
