Starting with GitLab 16.3 and later versions, security settings often restrict which projects can be accessed via a job token. If your runner is trying to download code from a different project (e.g., a submodule or a dependency), that project must explicitly allow the job token's source project.
If a project is set to , runners may fail if they cannot authenticate properly with the provided token.
In the project you are trying to download code from, go to Settings > CI/CD > Job token permissions (or Token Access in older versions) and add the source project to the allowlist. 3. Issues with Private/Internal Repository Settings Starting with GitLab 16
Some users found that changing project visibility to Internal or ensuring all runners are registered with appropriate access solved the issue, though setting it to "Internal" is less secure than fixing token permissions. 4. Outdated Runner or Cached Credentials
Try clearing the build directory on the runner or setting GIT_STRATEGY: clone in your .gitlab-ci.yml to force a fresh clone instead of a fetch. Troubleshooting Steps Runner can't pull code from server - GitLab CI/CD In the project you are trying to download
GitLab's permission model requires that the user who triggers the pipeline must have at least the role in the project. Even if you are an Administrator, you may still need to be explicitly added as a member of the specific project to grant the runner access.
On runners using the , an existing build directory might contain an outdated CI_JOB_TOKEN in its .git/config from a previous run. Even if you are an Administrator
Navigate to Settings > Members in your project and ensure the triggering user has the Reporter or Maintainer role. 2. CI/CD Job Token Allowlist (GitLab 16+ and 17+)