Jarede

Reputation: 3488

How to include CI_JOB_TOKEN in Dockerfile on gitlab?

I'm having an issue where I seem to be struggling to pass the CI_JOB_TOKEN around my CI/CD flow so that I can download private GitLab npm modules from my Dockerfile.

My files look like this:

gitlab-ci.yml

image: tmaier/docker-compose:latest
  variables:
    CI_JOB_TOKEN: ${CI_JOB_TOKEN}

stages:
  - build

build:
  stage: build
  script:
    - docker-compose build --build-arg CI_JOB_TOKEN=${CI_JOB_TOKEN}
    - docker-compose push --arg CI_JOB_TOKEN=${CI_JOB_TOKEN}

docker-compose.yml

services:
  qa-service:
    build:
      context: .
      args:
        PORT: 3000
        CI_JOB_TOKEN: ${CI_JOB_TOKEN}

Dockerfile

FROM ubuntu:latest

ARG CI_JOB_TOKEN
RUN npm install \
    "git+https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.example.com/xxx/yyy.git"

I keep getting this error:

npm ERR! Error while executing:
npm ERR! /usr/bin/git ls-remote -h -t https://gitlab-ci-token:%24%7BCI_JOB_TOKEN%7D@gitlab.example.com/xxx/yyy.git
npm ERR!
npm ERR! remote: HTTP Basic: Access denied
npm ERR! fatal: Authentication failed for 'https://gitlab-ci-token:%24%7BCI_JOB_TOKEN%7D@gitlab.example.com/xxx/yyy.git/'
npm ERR!
npm ERR! exited with error code: 128

Upvotes: 6

Views: 11762

Answers (2)

Claudio

Reputation: 31

Not sure whether this is still relevant, but I've figured out that, for some reason, one has to declare an ENV named CI_JOB_TOKEN as well (in this case in combination with Maven); otherwise there will be an authentication failure, e.g. when trying to access the GitLab Maven repository.

As a workaround, I suggest using a multi-stage build, so the CI_JOB_TOKEN won't be present in the final image, i.e.:

FROM maven:alpine as build

# Declare the ARG inside the stage: an ARG placed before the first FROM is only visible to FROM lines.
ARG CI_JOB_TOKEN
ENV CI_JOB_TOKEN=$CI_JOB_TOKEN

COPY . .
RUN mvn package -s ci_settings.xml

FROM java:8-jre-alpine

COPY --from=build PATH/TO/app.jar /app.jar
CMD exec java -jar /app.jar

This way the CI_JOB_TOKEN was successfully recognized as an environment variable, and thus I didn't get a 401 error anymore when trying to access the GitLab Maven repository.

I assume that this will also solve your problem and it's probably not a restriction of GitLab CI, but rather related to the way build arguments work in Docker.

Of course you will have to adapt these steps to your particular use-case.

Upvotes: 3
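An added example, not part of either answer: values passed with `--build-arg` or set with `ENV` are recorded in the metadata of the image stage that uses them, so this check looks for a stored CI_JOB_TOKEN in `docker image inspect` and `docker history` output and shows the difference between the build stage and the final image. The function names, the `example-token` value and the sample records are constructed for illustration.

```python
import json
import re
import subprocess

def find_token_exposure(inspect_doc, history_rows, names=("CI_JOB_TOKEN",)):
    """Return sorted (location, variable) pairs where a non-empty value is stored."""
    findings = set()
    # ENV instructions persist in the image config as "NAME=value".
    for entry in (inspect_doc.get("Config") or {}).get("Env") or []:
        name, _, value = entry.partition("=")
        if name in names and value:
            findings.add(("Config.Env", name))
    # Build args used by a step are recorded in that layer's CreatedBy text,
    # e.g. "RUN |1 CI_JOB_TOKEN=... /bin/sh -c mvn package".
    for row in history_rows:
        for name in names:
            if re.search(rf"\b{re.escape(name)}=\S", row.get("CreatedBy", "")):
                findings.add(("history", name))
    return sorted(findings)

def load_image(image):
    """Collect both inputs from the local Docker CLI (not used by the sample below)."""
    run = lambda *args: subprocess.run(args, check=True, capture_output=True, text=True).stdout
    inspect_doc = json.loads(run("docker", "image", "inspect", image))[0]
    history = run("docker", "history", "--no-trunc", "--format", "{{json .}}", image)
    return inspect_doc, [json.loads(line) for line in history.splitlines() if line]

# Constructed sample data (not from a real build): the "build" stage and the final image.
BUILD_STAGE = {"Config": {"Env": ["PATH=/usr/bin", "CI_JOB_TOKEN=example-token"]}}
BUILD_HISTORY = [
    {"CreatedBy": "RUN |1 CI_JOB_TOKEN=example-token /bin/sh -c mvn package -s ci_settings.xml # buildkit"},
    {"CreatedBy": "ENV CI_JOB_TOKEN=example-token"},
    {"CreatedBy": "ARG CI_JOB_TOKEN"},
]
FINAL_IMAGE = {"Config": {"Env": ["PATH=/usr/bin"]}}
FINAL_HISTORY = [
    {"CreatedBy": "COPY PATH/TO/app.jar /app.jar # buildkit"},
    {"CreatedBy": "CMD [\"/bin/sh\" \"-c\" \"exec java -jar /app.jar\"]"},
]

if __name__ == "__main__":
    print("build stage:", find_token_exposure(BUILD_STAGE, BUILD_HISTORY))
    print("final image:", find_token_exposure(FINAL_IMAGE, FINAL_HISTORY))
```

To run it against real images, build the intermediate stage separately with `docker build --target build` and pass each image name to `load_image`; only the final image should be pushed.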

Rekovni

Reputation: 7374

From what I can tell from your CI script, the variable syntax should be:

image: tmaier/docker-compose:latest
  variables:
    CI_JOB_TOKEN: $CI_JOB_TOKEN

i.e. $CI_JOB_TOKEN, not ${CI_JOB_TOKEN}.

You also do not need to use the variables section to define the CI_JOB_TOKEN; you can just use $CI_JOB_TOKEN wherever you need it instead, as it is already a predefined variable.

As from the documentation.

Upvotes: 0
