I’d like to post an MR comment via GitLab’s REST API from a CI job using a CI-managed token (ideally CI_JOB_TOKEN, but it doesn’t have the necessary permissions). I could use a project access token, but that’s not personalized. So I thought it might be possible to leverage CI_JOB_JWT_V2 to retrieve a GitLab OAuth2 token (because it has more permissions) that I can use to authenticate against GitLab’s REST API, similar to how it can be used to integrate with cloud services, since GitLab itself is an OpenID Connect identity provider. So I set up a simple proof-of-concept CI job inspired by this docs section:
```yaml
test:
  image: curlimages/curl:latest
  id_tokens:
    GITLAB_OAUTH_TOKEN:
      aud: https://gitlab.com
  script:
    - echo "$GITLAB_OAUTH_TOKEN" | base64
    # TODO: Make cURL request to GitLab's REST API
```
When I decode the base64-encoded string and check it in the JWT debugger, it’s simply the CI_JOB_JWT_V2 again, so this doesn’t work.
I’m probably misunderstanding something. Is it at all possible to exchange the CI_JOB_JWT_V2 token for an OAuth2 token? If so, how?
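Added example, not part of the original post: a way to read individual claims of the `id_tokens` JWT inside the job, so the full token never has to be echoed into the job log or pasted into an external debugger. The helper names (`b64url`, `jwt_payload`, `jwt_claim`) and the sample token are constructed for illustration; the signature is not verified here.

```shell
#!/bin/sh
# Encode a string as unpadded base64url (only used to build the sample token).
b64url() {
  printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'
}

# Print the JSON payload (second segment) of a JWT. No signature verification.
jwt_payload() {
  jp_seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  # base64url drops the '=' padding; restore it before decoding.
  case $(( ${#jp_seg} % 4 )) in
    2) jp_seg="$jp_seg==" ;;
    3) jp_seg="$jp_seg=" ;;
  esac
  printf '%s' "$jp_seg" | base64 -d
}

# Print one top-level string claim, e.g. iss, aud or sub.
# Simple sed match: enough for flat string claims, not a general JSON parser.
jwt_claim() {
  jwt_payload "$1" | sed -n 's/.*"'"$2"'":"\([^"]*\)".*/\1/p'
}

# Constructed sample token; claim values are placeholders, not real job data.
SAMPLE_HEADER='{"alg":"RS256","typ":"JWT"}'
SAMPLE_PAYLOAD='{"iss":"https://gitlab.com","aud":"https://gitlab.com","sub":"project_path:example-group/example-project"}'
SAMPLE_JWT="$(b64url "$SAMPLE_HEADER").$(b64url "$SAMPLE_PAYLOAD").constructed-signature"

# In the CI job, pass "$GITLAB_OAUTH_TOKEN" instead of the sample token.
echo "iss: $(jwt_claim "$SAMPLE_JWT" iss)"
echo "aud: $(jwt_claim "$SAMPLE_JWT" aud)"
echo "sub: $(jwt_claim "$SAMPLE_JWT" sub)"
```

Piping the token through `base64` before echoing it, as in the job above, still writes a usable credential to the job log, which is why this version prints only selected claims.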