gitlab apt

How do you install Debian packages from a GitLab package registry using a CI job token?


I followed the instructions to set up a Debian package registry for my GitLab project.

Now I have a CI job that needs to pull these packages from the registry. I followed the instructions and tried this in my CI job:

curl --fail-with-body --header "Job-Token: ${CI_JOB_TOKEN}" "https://<my-gitlab-url>/api/v4/projects/45/debian_distributions/<my-codename>/key.asc" | gpg --dearmor | tee /usr/local/share/keyrings/<my-codename>-archive-keyring.gpg > /dev/null
apt-get update

I also added this to the sources.list file:

deb [ signed-by=/usr/local/share/keyrings/<my-codename>-archive-keyring.gpg ] https://<my-gitlab-url>/api/v4/projects/45/packages/debian <my-codename> main

Finally, I created /etc/apt/auth.conf.d/sources.conf with:

echo "machine <my-gitlab-url> login gitlab-ci-token password ${CI_JOB_TOKEN}" > /etc/apt/auth.conf.d/sources.conf

However, when apt-get update actually runs, I get the following output:

Err:5 https://<my-gitlab-url>/api/v4/projects/45/packages/debian <my-codename> InRelease
    401  Unauthorized [IP: 10.0.0.5 443]
Reading package lists...
E: Failed to fetch https://<my-gitlab-url>/api/v4/projects/45/packages/debian/dists/<my-codename>/InRelease  401  Unauthorized [IP: 10.0.0.5 443]
E: The repository 'https://<my-gitlab-url>/api/v4/projects/45/packages/debian <my-codename> InRelease' is not signed.

Based on the fact that it says Unauthorized, I think something is wrong with the authentication. Maybe the CI_JOB_TOKEN does not work. I tried doing this manually outside the CI using a personal access token and it did work.

Update

I added this to my .gitlab-ci.yml file:

- echo "${CI_JOB_TOKEN:1}"
- echo "${CI_JOB_TOKEN::-1}"

so that I could snoop on the CI_JOB_TOKEN, then while the job was running I manually entered it in the /etc/apt/auth.conf.d/sources.conf file on my computer and apt-get update worked while the job was running. After the job ended, apt-get update no longer worked since the token expired (as expected). So the process works with the token, but for some reason it does not work in the CI...


Solution

  • My problem was that the CI_JOB_TOKEN was not getting passed properly into my job. I passed it into the build script, but I needed to also export it from there so that the rest of my workflow had access to the token.

    I will vote to close this question because it's related to a mistake.
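An added example, not part of the original post: a guard for the failure described in the solution, where the shell that writes the apt auth file sees an empty CI_JOB_TOKEN because an earlier script never exported it. The function names and the sample host and token used with them are hypothetical.

```shell
#!/bin/sh
# Added example; write_apt_auth and child_sees_token are hypothetical helpers.

# Write the apt auth entry, but refuse to continue when the token is empty.
# An empty token would otherwise produce "password " in the file and only
# surface later as "401 Unauthorized" from apt-get update.
write_apt_auth() {
    host=$1
    token=$2
    dest=$3
    if [ -z "$token" ]; then
        echo "CI_JOB_TOKEN is empty in this shell; was it exported?" >&2
        return 1
    fi
    # Recreate the file so the restrictive umask applies; it holds a credential.
    rm -f "$dest"
    ( umask 077 && printf 'machine %s login gitlab-ci-token password %s\n' \
        "$host" "$token" > "$dest" )
}

# Report whether a child process inherits CI_JOB_TOKEN from the calling shell.
# Prints "visible" or "missing" without ever echoing the token itself.
child_sees_token() {
    sh -c '[ -n "${CI_JOB_TOKEN:-}" ] && echo visible || echo missing'
}

# Typical use in a job script (host is a placeholder):
#   write_apt_auth "<my-gitlab-url>" "${CI_JOB_TOKEN:-}" \
#       /etc/apt/auth.conf.d/sources.conf || exit 1
```

Calling `child_sees_token` at the point where the workflow hands off to another script shows whether the variable was exported, and it does so without printing any part of the token into the job log.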