Problem to solve
We’re using CI/CD components for our projects, and when tagging releases, we use the REST API to generate a new CHANGELOG.md file (by POSTing to $CI_API_V4_URL/projects/$CI_PROJECT_ID/repository/changelog). As far as I understand it, I can’t use the CI_JOB_TOKEN to authorize this request, so we have set up a project token with ‘api’ scope to run this command:
curl -v --header "PRIVATE-TOKEN: $CI_API_TOKEN" --data "version=$CI_COMMIT_TAG&branch=$BRANCH" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/repository/changelog"
This of course causes a commit with the updated CHANGELOG.md to be created, and this in turn starts a new pipeline, with the $CI_API_TOKEN as the running “user”. This pipeline immediately fails with:
Unable to create pipeline
- component ‘gitlab.com/grouptalk/ci_components/gradle-fargate@~latest’ - project does not exist or you don’t have sufficient permissions
Steps to reproduce
I used this blog post for inspiration.
Configuration
This is what a typical .gitlab-ci.yml looks like for us:
include:
- component: gitlab.com/grouptalk/ci_components/gradle-fargate@<version>
I figure the project token I’m using (CI_API_TOKEN), which is a project token with the api scope, doesn’t have permissions to read from the ci_components CI/CD components project. But I’m not sure how to accomplish this. I can give the job tokens of a project access to other projects, but this doesn’t seem to translate over to project tokens.
Versions
- Self-managed
- GitLab.com SaaS
- Self-hosted Runners
Versions
- GitLab Enterprise Edition 16.10.0-pre 710dd9a9f97