gitlabgitlab-cigitlab-ci-runner

How to set a gitlab CI token in runner with rights to write to repository


I want to tag a build and when trying to push the tags I get the below error in CI

How to create a CI token and set in the build environment which can push tags to the repository.

[01:59:14]: Exit status of command 'git push origin --tags' was 128 instead of 0.
remote: You are not allowed to upload code.
fatal: unable to access 'https://gitlab-ci-token:[MASKED]@gxx.yy.zz.git/': The requested URL returned error: 403

Solution

  • Here are two options you can do:

    1. Use a personal access token with write_repository permissions.

      • Save it as a custom CI/CD Variable and ensure it is masked.
      • Use the custom CI/CD variable in your .gitlab-ci.yml file:
      script:
        - git remote add https-origin https://gitlab-ci-token:${YOUR_PERSONAL_TOKEN}@gitlab.com/group/sub-group/project.git
        - git tag <some tag>
        - git push https-origin -o ci.skip refs/tags/<some tag>
      

    Note the -o ci.skip to not start a new pipeline, however this depends on your scenario.

    This option is definitely better if you create a bot account, so you can better control which repositories the bot account has access to, as otherwise, any maintainer or above can easily retrieve that write_repository key from looking in the settings.


    1. If you have access to the specific runner which the build is running on via tags, you can use a Deploy Keys which saves you on using a bot account or your own personal access token.

      • This requires an SSH-key to be created on the gitlab-runner machine, and copying it to the repositories Settings -> Repository -> Deploy Keys and pasting the public key within there (and also ticking Write access allowed).
      • You should then be able to use your standard git push origin --tags command as before.

    GitLab are looking to improve the permission problem in the Epic:

    The specific issue for write_repository using the pipeline token being: