I’ve been using the GitLab composer CI template for over a year now to build PHP packages for my project. It worked perfectly: every time I pushed code updates to the repository or added a tag, it would build a new package as expected.
Then about a week ago, it just stopped working on all of the Projects within my private Workspace. Every push or tag results in a 401 from the publish job:
Could not create package - Code 401 - {"message":"401 Unauthorized"}
We are using GitLab.com, version 16.5.0-pre at time of writing. However, the release of 16.4 does coincide with the time that this stopped working, but I have found nothing in the release notes that looks suspect (nor can I be sure that we weren’t already running 16.4 at that point), so it might be a coincidence.
The CI_JOB_TOKEN that is used to authorise publishing packages via Pipelines inherits the permissions of the User that kicked off the pipeline (All of the Users we have tested with are Owners).
To be sure that we have access I tested that I could publish a package via the API using a Personal Access Token (as per the docs) using the below command (and response):
curl --data tag=1.0.2 "https://__token__:<TOKEN>@gitlab.com/api/v4/projects/<PROJECT_ID>/packages/composer"
{"message":"201 Created"}%
This worked and the package was published, which means the accounts do have permission to publish packages on the target repositories.
I have created a Test Workspace (located outside of the problem Workspace) and created a new project within it containing a compose ci file and compose.json that match one of the problem projects (all except “_test” appended to the package name). The Pipeline on this works perfectly when new code is pushed or tags are added.
This leads me to suspect that it is an issue with the CI_JOB_TOKEN permissions within the problem workspace? But I cannot find any obvious candidates on any of the settings pages.
The CI file I’m using in all instances is just the unmodified composer CI file provided by the GitLab CI templates, found here:
Any insight into what might be going on here would be great.
Thanks!