Loading content/issues/2026-04-20-gitlab-ci-outage.md 0 → 100644 +51 −0 Original line number Diff line number Diff line --- title: GitLab CI containers failures date: 2026-04-20T11:58:39-04:00 resolved: false #resolvedWhen: 2024-11-29 14:04:00 +0000 # Possible severity levels: down, disrupted, notice severity: disrupted affected: # possible services are the `systems:` in `config.yml` - GitLab section: issue --- The GitLab Container Registry is refusing requests to GitLab CI pipelines between projects. This started on Friday, when the GitLab 18.11 upgrade was deployed. We are hoping for a quick fix from upstream, but in the meantime, we need your help! We've found a workaround that requires you to report the failures to us. In [tpo/tpa/team#42595](https://gitlab.torproject.org/tpo/tpa/team/-/work_items/42595), we ask that you write a new comment with the following information: - source project: failing project (e.g. `group/failing_project`) - registry project: project it is trying to pull from (e.g. `tpo/tpa/base-images`) - example failed job: URL of the failed job For example, this was our first report: > - source project: Diziet/arti > - registry project: tpo/tpa/base-images > - example failed job: https://gitlab.torproject.org/Diziet/arti/-/jobs/1485144 You might be able to fix this yourself. If you have access to the "registry project" above, you can manually add the source project to the CI/CD job token allowlist of the registry project", by following: 1. Settings 1. CI/CD 1. Job token permissions 1. add the "source project" to the allowlist You MUST keep track of that exception and remove it once this incident is resolved! Normal GitLab operation should be unaffected. GitLab CI still works, it just fails with images from our own registry when accessed across a user/group boundary. For example, the job deploying this site do not have the issue because the operator has access to both `tpo/tpa` and `tpo/web`. Loading
content/issues/2026-04-20-gitlab-ci-outage.md 0 → 100644 +51 −0 Original line number Diff line number Diff line --- title: GitLab CI containers failures date: 2026-04-20T11:58:39-04:00 resolved: false #resolvedWhen: 2024-11-29 14:04:00 +0000 # Possible severity levels: down, disrupted, notice severity: disrupted affected: # possible services are the `systems:` in `config.yml` - GitLab section: issue --- The GitLab Container Registry is refusing requests to GitLab CI pipelines between projects. This started on Friday, when the GitLab 18.11 upgrade was deployed. We are hoping for a quick fix from upstream, but in the meantime, we need your help! We've found a workaround that requires you to report the failures to us. In [tpo/tpa/team#42595](https://gitlab.torproject.org/tpo/tpa/team/-/work_items/42595), we ask that you write a new comment with the following information: - source project: failing project (e.g. `group/failing_project`) - registry project: project it is trying to pull from (e.g. `tpo/tpa/base-images`) - example failed job: URL of the failed job For example, this was our first report: > - source project: Diziet/arti > - registry project: tpo/tpa/base-images > - example failed job: https://gitlab.torproject.org/Diziet/arti/-/jobs/1485144 You might be able to fix this yourself. If you have access to the "registry project" above, you can manually add the source project to the CI/CD job token allowlist of the registry project", by following: 1. Settings 1. CI/CD 1. Job token permissions 1. add the "source project" to the allowlist You MUST keep track of that exception and remove it once this incident is resolved! Normal GitLab operation should be unaffected. GitLab CI still works, it just fails with images from our own registry when accessed across a user/group boundary. For example, the job deploying this site do not have the issue because the operator has access to both `tpo/tpa` and `tpo/web`.
