Invalid reference format when pulling docker images

Today I’ve encounter problem with pulling docker images from gitlab registry:
My setup:
repo with pipeline in which pull looks like this:

docker pull $CI_REGISTRY/edstein-lms/lms-ts:$IMAGE_TAG_FRONT

lms-ts is another repo in our group with registry for docker images.
Until today this setup work with no problem more than 6 months.

Now pull command show this:

docker pull $CI_REGISTRY/edstein-lms/lms-ts:$IMAGE_TAG_FRONT
invalid reference format

By trial and error, I found that its protected branch settings is for blame.
The pipeline is triggered from the main branch, which has been protected for over six months (only Maintainers had push and merge rights).
After I disabled this setting, meaning I removed the protection from the main branch, the pipeline started running without any issues. The same behavior was observed on another branch as well.

This is the first time I have encountered such a situation, and it seems like this setting may be altering something beyond its impact on working with the branch. It’s unclear how it affects the loading of images from another repository.

You will get this error if docker sees something unexpected in the image name. From your code I would guess the IMAGE_TAG_FRONT is empty. First thing I would check is if the variable IMAGE_TAG_FRONT contains correct value in all cases.

It’s now empty, error appear on already done pipelines, where deploy stage run more than once. It’s mean that variable already there.
IMAGE_TAG_FRONT is set manually when someone creates pipeline with “run pipeline” button.

Of course, I immediately checked what was in the variable, but even the usual “latest” was not accepted in it. The fact that the problem is solved by disabling branch protection suggests that it’s not about variables (the sets of variables themselves are available for any branches).

How are you setting IMAGE_TAG_FRONT when someone creates a pipeline using the run pipeline button? Can you share the logic and rules you’re using to accomplish this?

We set IMAGE_TAG_FRONT when creating a pipeline.
Pipeline create APP_VARS in settings>cicd>variable with link to created environment, so only one environment can use that vars;

Here deploy stage, where problem been found:

  <<: *app_deploy_job
  stage: deploy
  tags: ["$DEPLOY_ENV"]
    name: $APP_ID/$DEPLOY_ENV
    url: https://$HOST
    on_stop: env:stop
  before_script: *docker_login
    - set -a; source $APP_VARS
    - docker pull $CI_REGISTRY/lms/lms-ts:$IMAGE_TAG_FRONT
    - docker pull $CI_REGISTRY/lms/lms-back:$IMAGE_TAG_BACK
    - docker stack deploy -c compose-app.yml --prune --with-registry-auth $APP_ID
    - docker run --rm -v ${APP_ID}_data:/data alpine sh -c "mkdir -p /data/system /data/scorms; chown -R nobody:nobody /data"

On first docker pull we were getting error, that start showing only on day when I post this topic, before that, this workflow perfectly functioned around half a year. And main branch was a protected one. When settings of protection were removed, the problem was gone. Without any changes of anything else.