With a default .gitlab-ci.yml config:

image: busybox
pages:
  stage: deploy
  script:
    - echo "The site will be deployed to $CI_PAGES_URL"
  artifacts:
    paths:
      - public
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

If 2FA is enabled for my account, the CI job is unable to check out the repo, and gives this error:
remote: HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See https://gitlab.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied
I decided to create a project access token that can read the repo (with developer-level access), etc. I then created a variable for the repo, set to PROJECT_CI_JOB_TOKEN, turned on masking of the variable in logs, and enabled the option to only allow its use on protected branches.
That’s all fine, but so far I don’t know how to tell the CI job to use that token instead of the default CI_JOB_TOKEN for the default git checkout step. If I choose to run on a base image other than busybox, I am able to install git, then check out the repo manually, etc. Like this:

image: ubuntu:focal
variables:
  GIT_STRATEGY: none
  GIT_CHECKOUT: "false"
pages:
  stage: deploy
  script:
    - apt update
    - apt install -y git
    - git clone "https://token:${PROJECT_CI_JOB_TOKEN}@gitlab.com/..." .

That works, but it adds complexity, and it slows down the pipeline, because it requires fetching package metadata from an Ubuntu mirror.
Is there any way to set a variable in the .gitlab-ci.yml file to tell GitLab to use an alternate token? It’s not possible to simply override the CI_JOB_TOKEN according to this issue, but it seems like it would be a very useful kind of feature to have by some other means.
I’m looking for something like this:

image: busybox
variables:
  GIT_TOKEN: $PROJECT_CI_JOB_TOKEN
...

Thanks : )
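
An added example, not part of the original post: a variant of the manual-clone workaround above that skips the apt step by using an image that already contains git, and hands the token to git through a credential helper instead of writing it into the clone URL. The alpine/git image and the use of CI_SERVER_URL and CI_PROJECT_PATH for the repository address are assumptions; PROJECT_CI_JOB_TOKEN is the masked, protected variable described in the post.

```yaml
# Added example (assumptions: alpine/git image, repository address built
# from predefined CI variables). Not the poster's or GitLab's own config.
image:
  name: alpine/git          # assumption: small image that already ships git
  entrypoint: [""]          # the image's entrypoint is git; reset it so the runner gets a shell

variables:
  GIT_STRATEGY: none        # skip the runner's built-in fetch, which uses CI_JOB_TOKEN

pages:
  stage: deploy
  script:
    # The helper is stored single-quoted, so the token itself is never written
    # to the git config file or to the remote URL in .git/config; git expands
    # the variable from the environment only when it asks for credentials.
    - |
      git config --global credential.helper \
        '!f() { echo "username=token"; echo "password=${PROJECT_CI_JOB_TOKEN}"; }; f'
    # Clone without credentials in the URL, then pin the working tree to the
    # exact commit this pipeline was created for.
    - git clone "${CI_SERVER_URL}/${CI_PROJECT_PATH}.git" .
    - git checkout --detach "$CI_COMMIT_SHA"
    - echo "The site will be deployed to $CI_PAGES_URL"
  artifacts:
    paths:
      - public
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

Because the variable is restricted to protected branches, the clone only succeeds in pipelines that run on a protected branch; elsewhere the helper returns an empty password.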