Composer can't clone other repos with CI_JOB_TOKEN

I am trying to use satis

This is our satis config file:

    "name": "redacted",
    "homepage": "",
    "repositories": [
            "type": "vcs",
            "url": "https://gitlab.OURDOMAIN/group/redacted-project-name"
    "config": {
        "gitlab-domains": ["gitlab.OURDOMAIN"]
    "providers": true,
    "require-all": true

This is our .gitlab-ci.yml

    - vendor/*

  - git config --global gitlab.accesstoken $CI_JOB_TOKEN

    - source /opt/rh/rh-php72/enable
    - composer install --no-dev
    - rm -Rf public
    - mkdir public
    - vendor/bin/satis -vvv build src/satis.json public

This is what happens regardless of:

  • inclusion/exclusion of gitlab.accesstoken
  • wiping ~/.config and the cloned repo
  • composer config --global --auth gitlab-token.gitlab.OURDOMAIN $CI_JOB_TOKEN
50 $ vendor/bin/satis -vvv build src/satis.json public
51 Checked CA file /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem: valid
52 Executing command (/home/gitlab-runner/builds/redacted/0/group/satis): git branch --no-color --no-abbrev -v
53 Executing command (/home/gitlab-runner/builds/redacted/0/group/satis): git describe --exact-match --tags
54 Failed to initialize global composer: Composer could not find the config file: /home/gitlab-runner/.config/composer/composer.json
55 To initialize a project, please create a composer.json file as described in the "Getting Started" section
56 Reading /home/gitlab-runner/builds/redacted/0/group/satis/vendor/composer/installed.json
57 Scanning packages
58 Downloading https://gitlab.OURDOMAIN/api/v4/projects/group%2Fredacted-project-name
59 Executing command (CWD): git config gitlab.accesstoken
60 Downloading https://gitlab.OURDOMAIN/api/v4/projects/group%2Fredacted-project-name
61 Executing command (CWD): git config gitlab.accesstoken
62 Downloading https://gitlab.OURDOMAIN/api/v4/projects/group%2Fredacted-project-name
63 Executing command (CWD): git config gitlab.accesstoken
<this continues until the PHP's memory_limit is reached>

Both projects live under the same group. What the heck am I missing?! This all works when a humanoid runs it themselves, but not when gitlab-runner does.

It looks like my only working option is to create an ‘automation’ user, create a personal access token, and manage things that way. The Job token does work, but only when the secondary repository is flagged as public, which is unacceptable for our use case.

I do not have a fully working solution yet, but that’s future Phil’s problem as current Phil is about to start annual leave.

@phil1 That workaround sounds like it will work before holiday, but I thought I’d share this conversation as it might help: