Skip to main content
Stack Overflow
  1. About
  3. For Teams

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

Required fields*

Required fields*

How do you install debian packages from a GitLab package registry using a CI job token?

I followed the instructions to set up a Debian package registry for my GitLab project.

  • ✔️ I enabled the API
  • ✔️ I created a distribution
  • ✔️ I uploaded packages

Now I have a CI job that needs to pull these packages from the registry. I followed the instructions and tried this in my CI job:

curl --fail-with-body --header "Job-Token: ${CI_JOB_TOKEN}" "https://<my-gitlab-url>/api/v4/projects/45/debian_distributions/<my-codename>/key.asc" | gpg --dearmor | tee /usr/local/share/keyrings/<my-codename>-archive-keyring.gpg > /dev/null
apt-get update

I also added this to the sources.list file:

deb [ signed-by=/usr/local/share/keyrings/<my-codename>-archive-keyring.gpg ] https://<my-gitlab-url>/api/v4/projects/45/packages/debian <my-codename> main

Finally, I created /etc/apt/auth.conf.d/sources.conf with:

echo "machine <my-gitlab-url> login gitlab-ci-token password ${CI_JOB_TOKEN}" > /etc/apt/auth.conf.d/sources.conf

However, when apt-get update actually runs, I get the following output:

Err:5 https://<my-gitlab-url>/api/v4/projects/45/packages/debian <my-codeame> InRelease
 401 Unauthorized [IP: 10.0.0.5 443]
Reading package lists...
E: Failed to fetch https://<my-gitlab-url>/api/v4/projects/45/packages/debian/dists/<my-codename>/InRelease 401 Unauthorized [IP: 10.0.0.5 443]
E: The repository 'https://<my-gitlab-url>/api/v4/projects/45/packages/debian <my-codename> InRelease' is not signed.

Based on the fact that it says Unauthorized, I think something is wrong with the authentication. Maybe the CI_JOB_TOKEN does not work. I tried doing this manually outside the CI using a personal access token and it did work.

Update

I added this to my .gitlab-ci.yml file

- echo "${CI_JOB_TOKEN:1}"
- echo "${CI_JOB_TOKEN::-1}"

so that I could snoop on the CI_JOB_TOKEN, then while the job was running I manually entered it in the /etc/apt/auth.conf.d/sources.conf file on my computer and apt-get update worked while the job was running. After the job ended, apt-get update no longer worked since the token expired (as expected). So the process works with the token, but for some reason it does not work in the CI...

Answer*

Draft saved
Draft discarded
Cancel

AltStyle によって変換されたページ (->オリジナル) /