GitLab CI/CD HTTP fetch/authentication issues after upgrade to 17.11 / 18.0 – possible root cause?

NimaWoods · June 7, 2025, 11:30pm

After upgrading our self-managed GitLab instance to 18.0, our CI/CD pipelines started failing when trying to clone or fetch the repository via HTTP. Prior to the upgrade everything worked without the need for deploy tokens or SSH setup.

What we’re seeing:

remote: HTTP Basic: Access denied.
fatal: Authentication failed for 'http://git.playcraftex.net/group/project.git/'

What we expected:
GitLab Runner should automatically be able to fetch the repository using the built-in CI_JOB_TOKEN, just like it did before.

We’ve reviewed the following:

Tried everything what Google and ChatGPT offered
GitLab docs about CI_JOB_TOKEN
Forum threads and MR !185987
GitLab issue #536833

Configuration

.gitlab-ci.yml:

stages:
  - test
  - deploy

test:
  stage: test
  script:
    - ./gradlew clean test --info --stacktrace

deploy-master:
  stage: deploy
  script:
    - rsync -avz --delete ./deploy/*.jar /home/minecraft/plugins/
  only:
    - mainssssss

deploy-develop:
  stage: deploy
  script:
    - rsync -avz --delete ./deploy/*.jar /var/lib/pterodactyl/volumes/aab5f19d-4ebb-47ec-89e8-0a42de4ac6fa
  only:
    - develop

Runner: Shell executor
GitLab: HTTP only, no SSH used
Repo is private

Versions

GitLab version:

GitLab-ce: 18.0.0

Runner version:

gitlab-runner 18.0.2 (4d7093e1)

Let us know if we missed anything obvious. Or how we can fix this Problem. because I have no Idea.

Thank you!

jedihomer · June 9, 2025, 9:27am

We’re seeing a similar thing, since the upgrade the CI can’t seem to checkout the submodules for the project

remote: Authentication by CI/CD job token not allowed from {project} to {submodule}.

Worked fine on Friday, updated yesterday…

jedihomer · June 9, 2025, 9:28am

There looks like there might be a new setting in the CI/CD section of a project

-/settings/ci_cd#js-token-access

Job token permissions

Control which projects can use CI/CD job tokens to authenticate with this project.

jedihomer · June 9, 2025, 9:36am

So, our fix was to to into the 3 submodules that the project uses, go to the CI/CD settings page, then expand the Job token permissions section. You can then, from the drop-down Add button/menu on the right Add all projects in Authentication log

That will then allow those projects to pull during CI that project.

Topic		Replies	Views
Fatal: unable to access 'https: after upgrade to 10.1 How to Use GitLab	4	5608	December 1, 2017
Issue With gilab-Ci:: remote: HTTP Basic: Access denied How to Use GitLab	0	1318	May 1, 2018
Git over HTTP failing auth after rollback of HTTPS upgrade How to Use GitLab	2	1294	August 23, 2018
Error: The requested URL returned error: 401 while accessing GitLab CI/CD	1	3002	August 31, 2016
CI_JOB_TOKEN access denied despite having token access configured GitLab CI/CD ci , token , pipelines	12	22788	July 21, 2023

GitLab CI/CD HTTP fetch/authentication issues after upgrade to 17.11 / 18.0 – possible root cause?

Configuration

Versions

Job token permissions

Related topics