Administrators can not erase jobs for protected branches unless they are project members
Summary
As of GitLab 16.3(?) (or earlier) it is not possible for administrators to erase jobs on protected branches (either via API or UI) unless they are invited as project members. This was working before and this function was used in our housekeeping scripts.
Steps to reproduce
UI:
- Login as Administrator
- Open the job page for a job that ran for a protected branch in any project where the Administrator is not a member.
API:
- Create a personal access token for the administrator account
- Call the Erase a job API with this token (https://docs.gitlab.com/ee/api/jobs.html#erase-a-job) for a job that ran for a protected branch in a project where the administrator is not a member:
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/1/jobs/1/erase"
What is the current bug behavior?
UI:
The button Erase job log and artifacts is missing.
API:
The API request fails with 403 Forbidden.
What is the expected correct behavior?
I'm not sure if this is (now) the intended behaviour. While investigating this "bug", I came across issue #214716 "Allow instance's admin to delete builds on protected branch", where the expected functionality was added.
This was rolled back in #416897 "Admin user without permission on protected branch can retry jobs" with commit 21249c1a.
I've also found a similar issue: #428273 Administrator Personal Access Tokens cannot create or update items via the Protected Branches API unless they are invited as a project member.
Besides this, I'd expect:
UI:
I'd expect to see the Erase job log and artifacts button.
API:
The API request deletes the job log and returns a 200 status code.
Additional testing / workarounds
Adding the administrator (or "instance admins") to the project brings the expected behavior.