Job token doesn't have rights to remote gitlab.yaml file


Hey, so I have a private repo for my org with our .gitlab-ci.yaml files. As part of our build process, all builds going to main generate a tag via the CI/CD process. This tag is created via the API as part of the post-build step. However, the job token doesn’t have rights to read those .gitlab-ci.yaml files. Is there any solution for this? We’d like to keep our pipeline definitions in a singular repository, but not have to deal with the noise that this generates. Additionally, I’d also like to keep the tokens locked to their own repository to keep us safe from ourselves (in case someone does do something stupid).

Relevant build steps from yaml:

Auto-Devops-Extensions repo:

```yaml
# Removed for confidentiality
    - |
      # Only tag builds of the default branch
      if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]] ; then
        # CI_JOB_TOKEN is sent in the JOB-TOKEN header; PRIVATE-TOKEN is for personal/project access tokens
        curl -i -H "JOB-TOKEN: ${CI_JOB_TOKEN}" --request POST \
          "https://${CI_SERVER_HOST}/api/v4/projects/${CI_PROJECT_ID}/repository/tags?tag_name=v${CI_APPLICATION_TAG}&ref=${CI_COMMIT_SHA}"
      fi
# Removed for confidentiality
```

Webapp repo:

```yaml
include:
  # Pipeline definition pulled from the shared auto-devops-extensions project
  - project: 'FruitStreet/ops/auto-devops-extensions'
    file: 'webapp.yaml'
```

Example output: