CI Job Token forbidden for tags API when repository is private

According to the docs, the Tags API should support authenticated requests using a CI Job Token.

That's the case when the repository is available to everyone on a project. That is, the following setting is configured: Settings → General → Visibility, project features, permissions → Repository to Everyone with access.

We can confirm this with the following job in the same project (make sure the tag 1.0.0 exists):

tags-ci-job-token:
  image: alpine
  script:
    - apk add curl
    - 'curl --header "Job-Token: $CI_JOB_TOKEN" --url "$CI_API_V4_URL/projects/$CI_PROJECT_ID/repository/tags"'
    - 'curl --header "Job-Token: $CI_JOB_TOKEN" --url "$CI_API_V4_URL/projects/$CI_PROJECT_ID/repository/tags/1.0.0"'

However, when the aforementioned setting is changed to Settings → General → Visibility, project features, permissions → Repository to Only Project Members, then the second curl command fails with a 403 Forbidden.

My assumption would be that the CI Job Token can be used independently of the visibility of the repository in a project.


This came up in cli#7859 (comment 2733841616).

Edited by 🤖 GitLab Bot 🤖
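
Added example (not part of the original issue and not GitLab's own code): a shell probe for the two endpoints above that captures each HTTP status code, since plain `curl` exits 0 on a 403 and the job would still pass. The function names `http_status`, `compare_tag_access` and `probe_tags` and the exit codes are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: probe both Tags API endpoints from the issue with the CI job
# token and fail the job when they disagree. Function names are hypothetical.

# http_status URL -> prints the HTTP status code of a GET sent with the job token.
http_status() {
    curl --silent --output /dev/null --write-out '%{http_code}' \
        --header "Job-Token: $CI_JOB_TOKEN" --url "$1"
}

# compare_tag_access LIST_CODE SINGLE_CODE -> prints a verdict.
# Returns 0 if both are 200, 2 for the list=200/single=403 split, 1 otherwise.
compare_tag_access() {
    list_code=$1
    single_code=$2
    if [ "$list_code" = 200 ] && [ "$single_code" = 200 ]; then
        echo "consistent: both endpoints returned 200"
        return 0
    fi
    if [ "$list_code" = 200 ] && [ "$single_code" = 403 ]; then
        echo "inconsistent: list=200 single=403 (behaviour reported in this issue)"
        return 2
    fi
    echo "unexpected: list=$list_code single=$single_code"
    return 1
}

# probe_tags TAG -> queries the list endpoint and the single-tag endpoint.
probe_tags() {
    base="$CI_API_V4_URL/projects/$CI_PROJECT_ID/repository/tags"
    list_code=$(http_status "$base")
    single_code=$(http_status "$base/$1")
    compare_tag_access "$list_code" "$single_code"
}

# Run only inside a CI job, where GitLab sets CI_JOB_TOKEN.
if [ -n "${CI_JOB_TOKEN:-}" ]; then
    probe_tags "${1:-1.0.0}"
fi
```

Running it once with each Repository visibility setting shows whether the single-tag endpoint alone changes its answer.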