I added CI_DEBUG_TRACE: "true" to my .gitlab-ci.yml and got:
Cleaning up file based variables
+ set -eo pipefail
+ set +o noclobber
+ :
+ eval '$'\''rm'\'' "-f" "/home/gitlab-runner/builds/<token>/0/<projects>/ProjectB.tmp/CI_SERVER_TLS_CA_FILE"
'
++ rm -f /home/gitlab-runner/builds/<token>/0/<projects>/ProjectB.tmp/CI_SERVER_TLS_CA_FILE
So the CI_SERVER_TLS_CA_FILE file being deleted at the end of each job is something that is intentional. I wanted to know if it's still something that is configurable so I started to look in the source code of gitlab-runner and found:
File /gitlab-runner//shells/bash.go:
func (b *BashWriter) writeScript(w io.Writer) {
	_, _ = io.WriteString(w, "set -eo pipefail\n")
	_, _ = io.WriteString(w, "set +o noclobber\n")
	_, _ = io.WriteString(w, ": | eval "+helpers.ShellEscape(b.String())+"\n")
	_, _ = io.WriteString(w, "exit 0\n")
}
Which is called by /gitlab-runner/shells/abstract.go:
func (b *AbstractShell) writeScript(w ShellWriter, buildStage common.BuildStage, info common.ShellScriptInfo) error {
	methods := map[common.BuildStage]func(ShellWriter, common.ShellScriptInfo) error{
		common.BuildStagePrepare:                  b.writePrepareScript,
		common.BuildStageGetSources:               b.writeGetSourcesScript,
		common.BuildStageRestoreCache:             b.writeRestoreCacheScript,
		common.BuildStageDownloadArtifacts:        b.writeDownloadArtifactsScript,
		common.BuildStageAfterScript:              b.writeAfterScript,
		common.BuildStageArchiveOnSuccessCache:    b.writeArchiveCacheOnSuccessScript,
		common.BuildStageArchiveOnFailureCache:    b.writeArchiveCacheOnFailureScript,
		common.BuildStageUploadOnSuccessArtifacts: b.writeUploadArtifactsOnSuccessScript,
		common.BuildStageUploadOnFailureArtifacts: b.writeUploadArtifactsOnFailureScript,
		common.BuildStageCleanupFileVariables:     b.writeCleanupFileVariablesScript,
	}
	fn, ok := methods[buildStage]
	if !ok {
		return b.writeUserScript(w, info, buildStage)
	}
	return fn(w, info)
}
And this common.BuildStageCleanupFileVariables seems to be set in /gitlab-runner/common/build.go:
// getPredefinedEnv returns whether a stage should be executed on
// the predefined environment that GitLab Runner provided.
func getPredefinedEnv(buildStage BuildStage) bool {
	env := map[BuildStage]bool{
		BuildStagePrepare:                  true,
		BuildStageGetSources:               true,
		BuildStageRestoreCache:             true,
		BuildStageDownloadArtifacts:        true,
		BuildStageAfterScript:              false,
		BuildStageArchiveOnSuccessCache:    true,
		BuildStageArchiveOnFailureCache:    true,
		BuildStageUploadOnFailureArtifacts: true,
		BuildStageUploadOnSuccessArtifacts: true,
		BuildStageCleanupFileVariables:     true,
	}
	predefined, ok := env[buildStage]
	if !ok {
		return false
	}
	return predefined
}
And looking in the documentation, I didn't find any way to configure this BuildStageCleanupFileVariables variable to false and it doesn't seem to be part of the predefined variables either. So I concluded that trying to avoid the deletion of the CI_SERVER_TLS_CA_FILE file was not the correct way to go.
However, in the debug logs I also found the $CI_SERVER_TLS_CA_FILE variable, which contains the absolute path to the CI_SERVER_TLS_CA_FILE file. And since both my ProjectA and ProjectB come from the same GitLab server, I can use the same TLS certificate to fetch/pull both projects. So I ended up with this job that works fine:
pull project a:
  stage: pull project a
  script:
    - cd ../ProjectA
    - cp $CI_SERVER_TLS_CA_FILE ../ProjectA.tmp/CI_SERVER_TLS_CA_FILE # Copy the TLS certificate
    - git reset --hard
    - git fetch https://gitlab-runner-token:$GITLAB_RUNNER_TOKEN@my.git.url.com/projects/ProjectA.git/
    - git checkout $CI_COMMIT_REF_NAME
    - git pull https://gitlab-runner-token:$GITLAB_RUNNER_TOKEN@my.git.url.com/projects/ProjectA.git/ $CI_COMMIT_REF_NAME
    - rm -f ../ProjectA.tmp/CI_SERVER_TLS_CA_FILE # Delete it before the end of the job since it seems to be the good thing to do
I'll mark it as solved.
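An alternative to the copy-and-delete steps in the job above, as an added example that is not part of the original post or of gitlab-runner: git takes the CA bundle path from the GIT_SSL_CAINFO environment variable, which overrides http.sslCAInfo from config, so the job can point git at $CI_SERVER_TLS_CA_FILE directly and leave no second copy of the file behind. The function names use_runner_ca and update_sibling are hypothetical; the git steps mirror the ones in the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Function names are hypothetical.

# Validate the runner-provided CA bundle and hand it to git through
# GIT_SSL_CAINFO, which overrides http.sslCAInfo set in git config.
use_runner_ca() {
    _ca="${CI_SERVER_TLS_CA_FILE:-}"
    if [ -z "$_ca" ]; then
        echo "CI_SERVER_TLS_CA_FILE is not set" >&2
        return 1
    fi
    if [ ! -r "$_ca" ]; then
        echo "CA file is missing or unreadable: $_ca" >&2
        return 1
    fi
    # Refuse anything that does not contain a PEM certificate.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$_ca"; then
        echo "CA file is not a PEM bundle: $_ca" >&2
        return 1
    fi
    GIT_SSL_CAINFO="$_ca"
    export GIT_SSL_CAINFO
}

# Update a sibling checkout with the same steps as the job in the post,
# but without copying the CA file into the sibling's .tmp directory.
# $1 = checkout directory, $2 = remote URL, $3 = branch name
update_sibling() {
    use_runner_ca || return 1
    git -C "$1" reset --hard || return 1
    git -C "$1" fetch "$2" || return 1
    git -C "$1" checkout "$3" || return 1
    git -C "$1" pull "$2" "$3"
}
```

In the job, the script section would source this file and call update_sibling with ../ProjectA, the project URL and "$CI_COMMIT_REF_NAME"; TLS verification stays enabled throughout.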