28

I have a GitLab CI build script like this:

create release: stage: deploy tags: - basic only: - tags script: - GITLOG=$(echo "# Changes Log"; git log `git tag | tail -2 | head -1`..${CI_BUILD_TAG} --pretty=format:" - %s") - curl -X POST -d "private_token=$CI_BUILD_TOKEN&description=$GITLOG" "http://git.example.com/api/v3/projects/${CI_PROJECT_ID}/repository/tags/${CI_BUILD_TAG}/release"

The purpose of this step is to automatically add a Changes Log from Git in the GitLab Releases section.

That works if I manually run this on the command line and put in the variables...

The problem is that the value of CI_BUILD_TOKEN in the build runner isn't a valid GitLab Private Token - it's only a token to connect to the Docker Registry - as per the documentation.

Is there a way to get a valid GitLab API token that the build runner can use to access the API for the project it's running a build for? Seems like this should be possible.

GitLab Runner:

gitlab-runner -v Version: 1.2.0 Git revision: 3a4fcd4 Git branch: HEAD GO version: go1.6.2 Built: Sun, 22 May 2016 20:05:30 +0000 OS/Arch: linux/amd64
Improve this question
4
  • As mentioned here, do you have gitlab runner 1.2? (stackoverflow.com/questions/37468084/…) Commented Aug 6, 2016 at 21:18
  • Yes, I have GitLab 1.2.0 - the linked article is about accessing the Docker Registry, I'm trying to access GitLab's API. Accessing the GitLab Docker Registry does work. Commented Aug 6, 2016 at 21:29
  • 1
    It seems CI_BUILD_TOKEN is mainly for accessing the registry, not for using the GitLab API. Commented Aug 6, 2016 at 21:30
  • It would be great if they can include that as a CI variable. Commented Feb 9, 2017 at 15:52

2 Answers 2

Reset to default
30

You can have read-only access with the API from the runner, but only if you add a header with the CI_JOB_TOKEN.

e.g.

curl -H "JOB_TOKEN: $CI_JOB_TOKEN" "https://gitlab.com/api/v4/projects/2828837/repository/tags

And only when the project is public with everyone has access from the same project.

If you want access to private projects as well and/or write access, please up-vote GitLab issue #29566 and/or #41084.

As an alternative for the time being, you can create an access token on gitlab, and add it to the secret variables, under project settings/ci_cd although not really advised to do as your personal access token will be used by everyone who trigger the job.

Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

Note that the name of this header should be JOB-TOKEN, not JOB_TOKEN. That is, curl -H "JOB-TOKEN: $CI_JOB_TOKEN" "https://gitlab.com/api/v4/projects/2828837/repository/tags
Actually, is this even true? I see no indication in the documentation that job tokens are accepted for authentication outside of a select few endpoints.
@bgamari I just verified my code: sprintf(headertoken, "JOB_TOKEN: %s",cJSON_get_key(env_json, "CI_JOB_TOKEN")); , wich I use for publishing downloads.odagrun.com/latest
Anything that is public will respond to repository/tags regardless of token - I don't think the token is doing anything here.
@Danny it might (still?) work but according to their documentation the header name is indeed JOB-TOKEN, not JOB_TOKEN.
1

Did you try to use the Secret Variables? You can define in the settings and then use in your build script.

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.