GitLab CI_JOB_TOKEN permissions to read package registry of other project
I am trying to use GitLab as my new private npm package registry. I can publish my npm package (a library) to the project's registry using the CI_JOB_TOKEN. The problem: I can't read that package using npm ic in a GitLab CI job of another project.
The hierarchy of groups/sub-groups/projects is:
- group/
  - lib-project
  - apps/
    - app-project
The error in the app-project's CI job is:

    npm ERR! code E404
    npm ERR! 404 Not Found - GET https://my.gitlab.com/api/v4/projects/6/packages/npm/@group%2flib-project
    npm ERR! 404
    npm ERR! 404 '@group/lib-project@^1.0.1' is not in this registry.

When I try the URL https://my.gitlab.com/api/v4/projects/6/packages/npm/@group%2flib-project in my browser (logged in as the owner of those projects) I get info about the package, so the package is there.
When I try the same URL without being logged in I get {"message":"404 Project Not Found"}
So it seems it is a problem with the CI_JOB_TOKEN not having the permission to read from another project, but it seems pretty common to use one GitLab project as a registry (used by other projects). And it seems to be OK to use the CI_JOB_TOKEN to authenticate, according to the GitLab docs. Any hint what I'm doing wrong?
Solution 1:[1]
My CI_JOB_TOKEN does have the right permissions. The problem was a copy/paste error in my .gitlab-ci.yml and therefore in my npm config:

    echo "@scope:registry=https://my.gitlab.com/api/v4/projects/6/packages/npm/">>.npmrc
    echo "//${CI_SERVER_HOST}/api/v4/projects/${CI_PROJECT_ID}/packages/npm/:_authToken=${CI_JOB_TOKEN}">>.npmrc

The first (hardcoded) path to the registry is right but the second line is evaluated to a different path. Of course the ${CI_PROJECT_ID} contains the project-id of the app project when I build the app. The library package is published to the library project (the hardcoded project-id / 6 in the first line).
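
The mismatch described in Solution 1 can be caught before `npm` runs. The following is an added example, not part of the original answers: a shell function (the name `unmatched_registries` is hypothetical) that lists every scoped registry in an `.npmrc` that has no `_authToken` entry for the same path. It assumes the token key must equal the registry URL without its scheme, as in the `.npmrc` lines shown on this page; the sample files, project id 42 and the token value are constructed.

```shell
#!/bin/sh
# Added example: find scoped registries in an .npmrc that have no
# _authToken entry for the same host and path.

# unmatched_registries FILE
# Prints "@scope URL" for each scoped registry lacking a matching token line.
unmatched_registries() {
    npmrc=$1
    # Scoped registry lines look like: @scope:registry=https://host/path/
    grep -E '^@[^:]+:registry=' "$npmrc" | while IFS= read -r line; do
        scope=${line%%:registry=*}
        url=${line#*:registry=}
        # Token key = registry URL without the scheme, e.g. //host/path/
        key="//${url#*://}"
        case $key in */) ;; *) key="$key/" ;; esac
        # Assumption: require a line that starts with exactly this key.
        if ! awk -v k="${key}:_authToken=" \
                'index($0, k) == 1 { f = 1 } END { exit !f }' "$npmrc"; then
            printf '%s %s\n' "$scope" "$url"
        fi
    done
}

# Constructed samples. Project 6 is the library project from the page;
# project 42 stands in for the app project's CI_PROJECT_ID.
tmp=$(mktemp -d)
printf '%s\n' \
    '@scope:registry=https://my.gitlab.com/api/v4/projects/6/packages/npm/' \
    '//my.gitlab.com/api/v4/projects/42/packages/npm/:_authToken=PLACEHOLDER' \
    > "$tmp/bad.npmrc"
printf '%s\n' \
    '@scope:registry=https://my.gitlab.com/api/v4/projects/6/packages/npm/' \
    '//my.gitlab.com/api/v4/projects/6/packages/npm/:_authToken=PLACEHOLDER' \
    > "$tmp/good.npmrc"

echo "bad.npmrc:  $(unmatched_registries "$tmp/bad.npmrc")"
echo "good.npmrc: $(unmatched_registries "$tmp/good.npmrc")"
```

In a CI job, running the function against the generated `.npmrc` and failing the job on non-empty output surfaces the wrong project id directly instead of as an E404 from the registry.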
Solution 2:[2]
You can configure the GitLab npm registry for the @group namespace using a .npmrc file:

    @group:registry=https://my.gitlab.com/api/v4/projects/6/packages/npm/
    //my.gitlab.com/api/v4/projects/6/packages/npm/:_authToken=${CI_JOB_TOKEN}

To avoid hard-coding the authToken value in the file, you can use the npm config set command to add the token to the file:

    npm config set -- '//gitlab.example.com/api/v4/projects/6/packages/npm/:_authToken' "${CI_JOB_TOKEN}"

Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | andymel |
| Solution 2 | Glen Thomas |
