0

Given 2 gitlab.com projects on a Free Tier:

  • A Source project contains some packages in its "Package Registry" (example id: 12345678),
  • A Consumer project has a CI pipeline whose job executes a yarn install requiring an npm package from the Source project's Package Registry.

The install fails because the Consumer project does not seem to have the right permission to access the Source project's package registry.

An unexpected error occurred: "https://gitlab.com/api/v4/projects/12345678/packages/npm/@myscope/mypackage/-/@myscope/mypackage-1.0.0.tgz: Request failed \"404 Not Found\"". 

This is characteristic of a missing permission (GitLab indicates a 404 instead of a 403). The package does exist and is accessible via this URL, when connected with the right permissions.

How can I set things so that the Consumer project's pipeline can reach the Source project's registry?

1 Answer

1

We can achieve this by using the special variable $CI_JOB_TOKEN created automatically by GitLab for the sole duration of each pipeline execution.

This token allows access from the Consumer project, whose pipeline is executing, to the Source project, given the Source project allows it (see below).

Consumer project CI pipeline

In the phase needing access to the package in .gitlab-ci.yml, add:

    before_script:
      - echo "@package-scope:registry=https://gitlab.com/api/v4/projects/12345678/packages/npm/" > .npmrc
      - echo "//gitlab.com/api/v4/projects/12345678/packages/npm/:_authToken=${CI_JOB_TOKEN}" >> .npmrc
      # replace 12345678 by the Source project id on gitlab

Note: if your Consumer project already contains a .npmrc file, you can replace the first echo line by:

      - echo >> .npmrc # this ensures the next echo line is written on a separate line

Authorization from the Source project

The Source project, containing the packages the Consumer pipeline needs to access, must be in the same group as the Consumer project. Additionally, explicit authorization must be given to each Consumer project.

In GitLab > Source project > Settings > CI/CD > Token Access:

  • make sure “Limit access to this project” is checked (for security)

  • in “Allow CI job tokens from the following projects to access this project”, add a Consumer project using its path (for a project hosted on https://gitlab.com/mycompany/mygroup/myproject, use mycompany/mygroup/myproject)

If using Docker

If the Consumer pipeline includes the build of a Docker image, the Docker build environment needs to authenticate against the Source project to access its package. Leverage the $CI_JOB_TOKEN to do so.

Dockerfile

    ARG PACKAGE_REGISTRY_TOKEN
    ...
    RUN echo "@package-scope:registry=https://gitlab.com/api/v4/projects/12345678/packages/npm/" > .npmrc
    # or `RUN echo >> .npmrc` if you copied the .npmrc in the build context
    # PACKAGE_REGISTRY_TOKEN is the build argument passed by `docker build --build-arg`;
    # CI_JOB_TOKEN itself is not defined inside the build
    RUN echo "//gitlab.com/api/v4/projects/12345678/packages/npm/:_authToken=${PACKAGE_REGISTRY_TOKEN}" >> .npmrc
    # replace 12345678 by the Source project id on gitlab
    RUN yarn install
    # Remove the .npmrc after (not needed anymore)
    RUN rm -f .npmrc

.gitlab-ci.yml

In each occurrence of docker build, add the argument:

docker build ... --build-arg PACKAGE_REGISTRY_TOKEN="${CI_JOB_TOKEN}" ... 
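
An added example, not part of the original answer: a POSIX shell helper that a CI job could call in place of the two echo lines. It refuses to run with an empty CI_JOB_TOKEN, handles an existing .npmrc that lacks a trailing newline, and can be re-run without duplicating entries; the function names, argument order and optional file argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer). Function names, argument
# order and the optional file argument are assumptions.
GITLAB_HOST="gitlab.com"

# Succeeds if FILE is empty/missing or already ends with a newline.
ends_with_newline() {
    [ -s "$1" ] || return 0
    [ -z "$(tail -c 1 "$1")" ]
}

# write_npmrc PROJECT_ID @SCOPE [FILE]
write_npmrc() {
    project_id=$1 scope=$2 file=${3:-.npmrc}
    # Fail early: an empty token would only surface later as a failed install.
    if [ -z "${CI_JOB_TOKEN:-}" ]; then
        echo "CI_JOB_TOKEN is not set" >&2; return 1
    fi
    case $project_id in
        ''|*[!0-9]*) echo "project id must be numeric" >&2; return 1 ;;
    esac
    case $scope in
        @?*) ;;
        *) echo "scope must start with @" >&2; return 1 ;;
    esac

    path="//${GITLAB_HOST}/api/v4/projects/${project_id}/packages/npm/"
    old_umask=$(umask); umask 077      # the file will hold a credential
    if [ -f "$file" ]; then
        # Same purpose as the answer's `echo >> .npmrc`, but only when needed.
        ends_with_newline "$file" || echo >> "$file"
        # Drop earlier entries for this scope/registry so re-runs do not duplicate them.
        grep -v -F -e "${scope}:registry=" -e "${path}:_authToken=" "$file" \
            > "$file.tmp" || true
        mv "$file.tmp" "$file"
    fi
    {
        echo "${scope}:registry=https:${path}"
        echo "${path}:_authToken=${CI_JOB_TOKEN}"
    } >> "$file"
    umask "$old_umask"
}
```

In the Docker case, a file written this way can be handed to the build with BuildKit's `docker build --secret id=npmrc,src=.npmrc` and read in the Dockerfile with `RUN --mount=type=secret,id=npmrc,target=<path to .npmrc> yarn install`. That keeps the token out of build arguments and image layers, where `docker history` and the earlier layers would otherwise retain it even after `rm -f .npmrc`.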
