remote: HTTP Basic: Access denied downloading local repo in gitlab

Question

There a lot of discussion on this topic, I read a lot but I cannot figure out what I'm doing wrong.

Gitlab version 14.5.2

Gitlab runner version: 14.5.1 and running as shell

2FA is enabled and I have created my access token; I'm trying to compile a Golang program that use a library in my gitlab repo. Here my yml file

variables:
  REPOSITORY: $CI_REGISTRY/acme/test/master

before_script:
  - export PATH=$PATH:/usr/local/go/bin
  - docker login -u $CI_REGISTRY_USER -p $CI_JOB_TOKEN $CI_REGISTRY
  - go env -w GOOS=linux
  - go env -w GOARCH=amd64
  - go env -w GOPRIVATE=gitlab.acme.com

build_image:
  script: 
    - ssh-keyscan -t rsa gitlab.acme.com >> ~/.ssh/known_hosts
    - echo -e "machine gitlab.acme.com\nlogin gitlab-ci-token\npassword ${CI_JOB_TOKEN}" > ~/.netrc
    - git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.acme.com/".insteadOf git://gitlab.acme.com/
    - go mod download
    - go build
    - docker build -f Dockerfile -t $REPOSITORY:latest .
    - docker push $REPOSITORY:latest
    - docker rmi $(docker images $REPOSITORY -a -q)
    - rm $HOME/.netrc

The result is this:

go mod download: gitlab.acme.com/datamanent/go-commons@v0.0.0-20211221151250-f0220d428461: invalid version: git fetch -f origin refs/heads/*:refs/heads/* refs/tags/*:refs/tags/* in /home/gitlab-runner/go/pkg/mod/cache/vcs/c9ecbc2c20382f733e0a04c852c63cb9a78c5166f9ae2d25864a2d7728490ddb: exit status 128:
    remote: HTTP Basic: Access denied
    fatal: Authentication failed for 'https://gitlab.acme.com/test/go-commons.git/'
Cleaning up project directory and file based variables

If I don't use an internal lib, compile is fine and push in gitlab registry is ok as well. If I try to clone the repo instead of doing go mod download, doing this:

- git clone git@gitlab.acme.com:test/go-commons.git

Of course it doesn't work I got this message:

cloning into 'go-commons'...
Permission denied, please try again.
Permission denied, please try again.
git@gitlab.acme.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Cleaning up project directory and file based variables

--------------- UPDATE ---------------

Thanks to @VonC I change the git directive to

git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.acme.com/".insteadOf \
                    git@gitlab.acme.com:

unfortunately this was still not enough, and it was really weird, so I add to the pipeline cat $HOME/.gitconfig I wanted to see if it was correctly added the directive. And what I see was that there were a lots of entries, most likely everytime I tried the pipeline, stupid me, I thought the file went away everytime I run the CI (but I'm in shell not in docker), so I delete it and now works.

Answer 1

In your test, you tried to clone using an SSH URL git@gitlab.acme.com:..., which did not work.
Replacing it be an HTTPS with credentials (including a token, to pass 2FA) would make sense.

But in your git config, you replace a Git URL git://gitlab.acme.com/ (not an SSH URL).

Try and display $REPOSITORY first, to double check if it is an SSH or Git URL.
Because if it is an SSH one, you would need an InsteadOf directive like:

git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.acme.com/".insteadOf \
                    git@gitlab.acme.com:

The OP NiBE adds

I added to the pipeline cat $HOME/.gitconfig: I wanted to see if it was correctly added the directive.

And what I see was that there were a lots of entries, most likely every time I tried the pipeline (I thought the file went away everytime I run the CI, but I'm in shell not in docker).

So I delete it and now works.