How to set a gitlab CI token in runner with rights to write to repository

Question

I want to tag a build and when trying to push the tags I get the below error in CI

How to create a CI token and set in the build environment which can push tags to the repository.

[01:59:14]: Exit status of command 'git push origin --tags' was 128 instead of 0.
remote: You are not allowed to upload code.
fatal: unable to access 'https://gitlab-ci-token:[MASKED]@gxx.yy.zz.git/': The requested URL returned error: 403

Answer 1

Starting from GitLab 17.2^[1], you can grant the push/write privilege to gitlab-ci-token for your repository, which is not allowed by default (docs):

To grant permission to job tokens generated in your project to push to the project’s repository:

1. On the left sidebar, select Search or go to and find your project.
2. Select Settings > CI/CD.
3. Expand Job token permissions.
4. In the Permissions section, select Allow Git push requests to the repository.

You can then push changes like this:

  script:
    - ...
    - git config --global user.email "$GITLAB_USER_EMAIL"
    - git config --global user.name "$GITLAB_USER_NAME"
    - git remote set-url --push origin "https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/${CI_PROJECT_PATH}.git"
    - git add -A
    - 'git commit -m "refactor: apply changes from pipeline $CI_PIPELINE_ID"'
    - git push origin HEAD:$CI_COMMIT_REF_NAME

---

^{[1] In GitLab 17.2 and later minor releases, this feature is hidden behind a feature flag. You have to enable allow_push_repository_for_job_token to make the option available in the UI. Currently, it is estimated that this feature will become GA in 17.6. For updates, have a look at this issue.}

Answer 2

As Rekovni says,first,you should create personal access token,I use ********************* to refer your personal access token.Then go to setting -> CI/CD -> Variables, add ********************* into Variables,set key name to YOUR_PERSONAL_TOKEN.

Type	Key	Value	Protected	Masked	Environments
Variable	YOUR_PERSONAL_TOKEN	*********************	×	√	All (default)

set git remote url in script like this:

  script:
    - CI_PUSH_REPO=`echo "$CI_REPOSITORY_URL" | sed 's/^.*@/@/g'`
    - git remote set-url --push origin "https://gitlab-ci-token:${YOUR_PERSONAL_TOKEN}$CI_PUSH_REPO"
#   - git push xxx

It works for me

Answer 3

Here are two options you can do:

1. Use a personal access token with write_repository permissions.

   • Save it as a custom CI/CD Variable and ensure it is masked.
   • Use the custom CI/CD variable in your .gitlab-ci.yml file:

   script:
     - git remote add https-origin https://gitlab-ci-token:${YOUR_PERSONAL_TOKEN}@gitlab.com/group/sub-group/project.git
     - git tag <some tag>
     - git push https-origin -o ci.skip refs/tags/<some tag>
   

Note the -o ci.skip to not start a new pipeline, however this depends on your scenario.

This option is definitely better if you create a bot account, so you can better control which repositories the bot account has access to, as otherwise, any maintainer or above can easily retrieve that write_repository key from looking in the settings.

---

2. If you have access to the specific runner which the build is running on via tags, you can use a Deploy Keys which saves you on using a bot account or your own personal access token.

   • This requires an SSH-key to be created on the gitlab-runner machine, and copying it to the repositories Settings -> Repository -> Deploy Keys and pasting the public key within there (and also ticking Write access allowed).
   • You should then be able to use your standard git push origin --tags command as before.

---

GitLab are looking to improve the permission problem in the Epic:

• Make pipeline permissions more controllable and flexible

The specific issue for write_repository using the pipeline token being:

• Allow write_repository scope for pipeline permissions.