What?

GitLab has changed how CI/CD job tokens authenticate access to other projects, through a feature called "Limit access to this project". When it is enabled, a project rejects job-token requests coming from other projects' CI jobs unless that project's allowlist explicitly permits them. This is a security feature that LC will enforce by default.

Who?

If you are either:

  • A project hosted in LC GitLab that other projects in LC GitLab depend on for CI, or
  • A project hosted in LC GitLab that depends on another project, e.g. by performing git clone, pip install, etc. in your project's .gitlab-ci.yml using a CI_JOB_TOKEN to authenticate, or
  • Currently using the Service Users functionality

You'll need to perform the migration steps outlined below.

How?

A project must now explicitly grant access to each other project whose CI jobs access it with a CI_JOB_TOKEN.

If:

  • You want access to another project, you must request that the other project add you to their allowlist
  • You want another project to access yours, you must add their project to your allowlist

For projects with small numbers of allowlist changes, GitLab documentation outlines how to add projects to the allowlist via the GitLab UI.

To modify the allowlist via the API (REST or GraphQL) see:

Example:

I am the owner of project A and have a dependency on project B. Today, as part of my build process for project A, I use pip to install project B. In project A's .gitlab-ci.yml file, I have the following:

pip install project_b --index-url https://__token__:$CI_JOB_TOKEN@lc.llnl.gov/gitlab/api/v4/projects/123/packages/pypi/simple

In order for the above to continue working, project B (the project being installed from) will need to add project A to its allowlist.
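For the case where the allowlist has to be managed from scripts rather than the UI (the API route mentioned under "How?"), the following is an added example that is not part of this notice or of GitLab's own tooling. It wraps the GitLab REST endpoints under /projects/:id/job_token_scope (GET/PATCH the "Limit access to this project" setting; GET/POST/DELETE the allowlist) so that project B's maintainer can declare the complete set of projects allowed to use a CI_JOB_TOKEN against project B and have the script add or remove whatever differs. Assumed, not taken from the notice: a maintainer personal access token with the api scope in GITLAB_TOKEN, the https://lc.llnl.gov/gitlab base URL (taken from the pip example's host path), and the project ids used in the comments.

```python
"""Manage a GitLab project's inbound CI/CD job token allowlist through the REST API.

Assumptions (not from the LC notice): a maintainer's personal access token with
the `api` scope is supplied as GITLAB_TOKEN, and the instance lives under
https://lc.llnl.gov/gitlab (the host/path seen in the notice's pip example).
"""
import json
import os
import sys
import urllib.error
import urllib.request
from urllib.parse import quote


def _decode(raw):
    """Parse a JSON body if there is one; non-JSON error pages come back as text."""
    if not raw:
        return None
    try:
        return json.loads(raw)
    except ValueError:
        return raw.decode(errors="replace")


def urllib_transport(method, url, headers, body):
    """Default transport: one HTTPS request, returning (status, decoded body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, _decode(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, _decode(err.read())


class JobTokenScope:
    """Thin wrapper around GitLab's /projects/:id/job_token_scope endpoints.

    `project` is a numeric id or a "group/project" path (URL-encoded here).
    `transport` is injectable so the logic can be exercised without a network.
    """

    def __init__(self, base_url, project, token, transport=urllib_transport):
        self.project = project
        self.base = f"{base_url.rstrip('/')}/api/v4/projects/{quote(str(project), safe='')}"
        self.headers = {"PRIVATE-TOKEN": token, "Content-Type": "application/json"}
        self.transport = transport

    def _call(self, method, path, body=None, ok=(200, 201, 204)):
        status, payload = self.transport(method, self.base + path, self.headers, body)
        if status not in ok:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {payload}")
        return payload

    def settings(self):
        """Returns {'inbound_enabled': bool, 'outbound_enabled': bool}."""
        return self._call("GET", "/job_token_scope")

    def limit_inbound(self, enabled=True):
        """Turn 'Limit access to this project' on (or off); GitLab answers 204."""
        self._call("PATCH", "/job_token_scope", {"enabled": enabled}, ok=(204,))
        return enabled

    def allowlist(self):
        """Projects whose job tokens may reach this project (GitLab lists the project itself too)."""
        return self._call("GET", "/job_token_scope/allowlist?per_page=100")

    def allow(self, target_project_id):
        return self._call("POST", "/job_token_scope/allowlist",
                          {"target_project_id": int(target_project_id)}, ok=(201,))

    def disallow(self, target_project_id):
        self._call("DELETE", f"/job_token_scope/allowlist/{int(target_project_id)}", ok=(204,))


def sync_allowlist(scope, wanted_ids):
    """Make the allowlist equal to `wanted_ids`; returns (added, removed) project ids.

    The project's own id (when `project` is numeric) is never removed, since GitLab
    reports a project as a member of its own allowlist.
    """
    wanted = {int(i) for i in wanted_ids}
    own = {int(scope.project)} if str(scope.project).isdigit() else set()
    current = {int(p["id"]) for p in scope.allowlist()}
    added = sorted(wanted - current)
    removed = sorted(current - wanted - own)
    for pid in added:
        scope.allow(pid)
    for pid in removed:
        scope.disallow(pid)
    return added, removed


if __name__ == "__main__":
    # Usage (run by project B's maintainer): python job_token_allowlist.py 123 <project-A-id> ...
    # "123" is the project id from the notice's pip URL; project A's id is a placeholder.
    scope = JobTokenScope("https://lc.llnl.gov/gitlab", sys.argv[1], os.environ["GITLAB_TOKEN"])
    scope.limit_inbound(True)
    print("added/removed:", sync_allowlist(scope, sys.argv[2:]))
    print("now allowed:", [p.get("path_with_namespace", p["id"]) for p in scope.allowlist()])
```

The job_token_scope endpoints require the Maintainer role on the project being configured, and the script is declarative: running it twice with the same list makes no further changes, which is what you want in a job that periodically reasserts the allowlist.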