GitLab now has nice feature called "Releases". You can define "release" as combination of "tag + some description + some URLs" and it will be shown on "Releases" and "Tags" pages of your project. GitLab doc says:

we recommend doing this as one of the last steps in your CI/CD release pipeline

But, wait! CI/CD job by default has no access to API calls or write to git repository. We can configure "deploy token" or "deploy key" for access to repository and use them (via "secret variables") in build scripts. But neither "deploy token", nor "deploy key" give access to API.

So, we can't create release from CI/CD job using its environment variables, we can't use deploy tokens, we can't use deploy keys. So, what exactly GitLab suggests us to do when it says: "we recommend doing this as one of the last steps in your CI/CD release pipeline" ?

This question has an open bounty worth +50 reputation from Ezh ending tomorrow.

This question has not received enough attention.


This previous question highlighted the same issue, pointing out you need to access in your CI/CD release pipeline to (from doc)

  • either OAuth2 tokens
  • Personal access tokens
  • Session cookie

This is not limited to release.
As seen in gitlab-ce issue 61108: "Allow tags to be managed with CI_JOB_TOKEN"

However, it turns out that tags cannot be removed by simply using the CI_JOB_TOKEN.
Instead I would need to have create an access token and pass this as CI variable to be able to call this API from within the CI jobs.

Other examples:

  • gitlab-ce issue 60643: "Download releases using deploy tokens."
  • gitlab-ce issue 58235: "Allow JOB_TOKEN to access Releases API"

However, it turns out the call to this REST API does not work with the JOB_TOKEN header but only with the PRIVATE_TOKEN.
Is this limitation intended?

I don't want to maintain extra Private tokens just for manipulating the assets of the release.

That means for now (June 2019), maintaining an extra Private token, and passing it as CI variable might be the only available workaround, pending those issues to be resolved.
That would use, I supposed, a masked variable (GitLab 11.0+)

  • So the answer is "there is no answer" (extra private token is bad solution for many reasons). – Ezh 11 hours ago
  • @Ezh Yes, for now there is no direct way to use the GitLab Releases API from a CI/CD release pipeline. – VonC 9 hours ago

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

Not the answer you're looking for? Browse other questions tagged or ask your own question.