'Including' private project file using `$CI_JOB_TOKEN`

一向 2021-01-06 22:20

What I have got so far is that it is possible to authenticate with a Personal Access Token and include an external CI script, but a cleaner approach would be

2 answers
  • 2021-01-06 23:01

    There is still no support for CI_JOB_TOKEN to have useful API access, but they are working on it: https://gitlab.com/groups/gitlab-org/-/epics/3559

  • 2021-01-06 23:03

    Unfortunately, CI_JOB_TOKEN is very limited in scope. As of today (GitLab 11.0), you can only do two things with it:

    • Authenticate with the GitLab Container (Docker) Registry
    • Authenticate to trigger a multi-project pipeline (EE only)

    References:

    • https://docs.gitlab.com/ce/ci/variables/
    • https://docs.gitlab.com/ee/ci/variables/

    So you cannot use CI_JOB_TOKEN to download a file from another repository, neither via the raw endpoint (/raw/<ref>/<path>) nor the API.

    Unfortunately, deploy keys don't help either -- they are only for SSH.

    The only workable solution I've come up with is to use a separate user:

    • Create a new user with Reporter role.
    • Create a personal access token (/profile/personal_access_tokens) for that user with api and read_repository rights.
    • Add this token as a secret variable in the project CI/CD settings. Call it e.g. BUILD_USER_TOKEN.
    • Use $BUILD_USER_TOKEN in your CI script to access the API or project files.

    This is a huge hack, and I really hope to see GitLab make CI_JOB_TOKEN a first-class, read-only (?) token with rights to specified resources.

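A worked version of the last step of the answer above, added here and not part of either answer: a POSIX shell snippet for a CI job that fetches one file from another private project through the GitLab REST API, authenticating with the reporter user's token in BUILD_USER_TOKEN. The project path, file path and ref are constructed sample values; CI_API_V4_URL is GitLab's predefined API base-URL variable, and the fallback host is a placeholder.

```sh
#!/bin/sh
# Added example, not from the answers above: inside a GitLab CI job, fetch one
# file from another private project with the reporter user's personal access
# token stored in the masked CI/CD variable BUILD_USER_TOKEN.
# Endpoint used (GitLab REST API v4):
#   GET /api/v4/projects/:id/repository/files/:file_path/raw?ref=<ref>
# Both :id (the full project path) and :file_path must be percent-encoded.

# Percent-encode everything outside the RFC 3986 unreserved set, so
# "shared-group/ci-templates" becomes "shared-group%2Fci-templates".
urlencode() {
  printf '%s' "$1" | awk '
    BEGIN { for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i }
    {
      out = ""
      for (i = 1; i <= length($0); i++) {
        c = substr($0, i, 1)
        if (c ~ /[A-Za-z0-9._~-]/) out = out c
        else out = out sprintf("%%%02X", ord[c])
      }
      printf "%s", out
    }'
}

# Build the raw-file URL for <project path> <file path> <ref>.
# CI_API_V4_URL is a predefined GitLab CI variable; the fallback is a placeholder.
gitlab_raw_url() {
  api="${CI_API_V4_URL:-https://gitlab.example.com/api/v4}"
  printf '%s/projects/%s/repository/files/%s/raw?ref=%s' \
    "$api" "$(urlencode "$1")" "$(urlencode "$2")" "$(urlencode "$3")"
}

# Download <project path> <file path> <ref> to <output path>.
# The token goes in a header, not the query string, so it does not end up in
# job logs or proxy access logs; --fail turns a 401/404 into a non-zero exit
# instead of silently writing an HTML error page to the output file.
fetch_private_file() {
  [ -n "${BUILD_USER_TOKEN:-}" ] || { echo 'BUILD_USER_TOKEN is not set' >&2; return 1; }
  curl --fail --silent --show-error \
       --header "PRIVATE-TOKEN: ${BUILD_USER_TOKEN}" \
       --output "$4" \
       "$(gitlab_raw_url "$1" "$2" "$3")"
}

# Typical use from a .gitlab-ci.yml script step (constructed sample paths):
#   fetch_private_file shared-group/ci-templates templates/build.yml main ci/build.yml
```

Keep BUILD_USER_TOKEN a masked (and, where possible, protected) variable so it is redacted from job output, and give the service user only the Reporter role on the projects it needs to read.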