Generating new changelog file from CI/CD causes error in pipeline started from the changelog commit

Problem to solve

We’re using CI/CD components for our projects, and when tagging releases, we use the REST API to generate a new CHANGELOG.md file (by POSTing to $CI_API_V4_URL/projects/$CI_PROJECT_ID/repository/changelog). As far as I understand it, I can’t use the CI_JOB_TOKEN to authorize this request, so we have set up a project token with ‘api’ scope
to run this command:

curl -v --header "PRIVATE-TOKEN: $CI_API_TOKEN" --data "version=$CI_COMMIT_TAG&branch=$BRANCH" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/repository/changelog"

This of course causes a commit with the updated CHANGELOG.md to be created, and this in turn starts
a new pipeline, with the $CI_API_TOKEN as the running “user”. This pipeline immediately fails with

Unable to create pipeline

Steps to reproduce

I used this blog post for inspiration.

Configuration

This is what a typical .gitlab-ci.yml looks like for us:

include:
  - component: gitlab.com/grouptalk/ci_components/gradle-fargate@<version>

I figure the project token I’m using (CI_API_TOKEN), which is a project token with the api scope, doesn’t have permissions to read from the ci_components CI/CD components project. But I’m not sure how to accomplish this. I can give the job tokens of a project access to other projects, but this doesn’t seem to translate over to project tokens.

Versions

  • Self-managed
  • GitLab.com SaaS
  • Self-hosted Runners

Versions