Pull access denied for kubernetes runner custom image

I’ve created a gitlab-ci, and it works fine. When I git-push, the pipeline executes fine, and all is well.

When my friend who has access to the repo, makes commits against the repo, same branch almost everything the same as me… (same ci file ofcourse)… he gets an error:

ERROR: Job failed (system failure): failed to pull image “registry.gitlab.com/--redacted--” with specified policies [always]: Error response from daemon: pull access denied for registry.gitlab.com/--redacted--, repository does not exist or may require ‘docker login’: denied: requested access to the resource is denied (manager.go:205:0s)

Now, this ONLY occurs in the last stage, and that stage is using a custom image (registry.gitlab.com/--redacted--). However, the exact same image works when I push.

My understanding is that the runner used, the permissions associated with it, the gitlab pull secrets etc, are tied to the REPOSITORY, not the user that made the commit?

IF I go to pipelines I can see the step that failed, and if I press ‘retry’… it works.
However he can reproducibly 100% of the time cause a failure by trying to push and it fails at the same step every time.

Do I need to provide my friend access to the separate repo (and registries) that hold the image?