Allow `$CI_JOB_TOKEN` on all the Jobs Artifacts API download endpoints

Specifically, the "download all artifact from this job ID" and the "download all artifact from the last successful run of this job name on this branch name" endpoints allowed this, but the "download a single artifact file from this job ID" and "download a single artifact file from the last successful run of this job name on this branch name" endpoints didn't. This makes all of them behave the same way with $CI_JOB_TOKEN.

Allow `$CI_JOB_TOKEN` on all the Jobs Artifacts API download endpoints
Specifically, the "download all artifact from this job ID" and the "download all artifact from the last successful run of this job name on this branch name" endpoints allowed this, but the "download a single artifact file from this job ID" and "download a single artifact file from the last successful run of this job name on this branch name" endpoints didn't. This makes all of them behave the same way with $CI_JOB_TOKEN.
aa2caa54 · Eric Engestrom · d071b6ae · aa2caa54 · aa2caa54 · aa2caa54
Commit aa2caa54 authored Feb 24, 2021 by Eric Engestrom
3 changed files
--- a/changelogs/unreleased/add-ci-job-token-job-artifacts.yml
+++ b/changelogs/unreleased/add-ci-job-token-job-artifacts.yml
+---
+title: Allow `$CI_JOB_TOKEN` to access the "Download a single artifact file" endpoints of the Jobs Artifacts API.
+merge_request: 55042
+author: Eric Engestrom @1ace
+type: changed
--- a/doc/api/job_artifacts.md
+++ b/doc/api/job_artifacts.md
@@ -128,7 +128,8 @@ Possible response status codes:

 ## Download a single artifact file by job ID

-> Introduced in GitLab 10.0
+> - Introduced in GitLab 10.0.
+> - The use of `CI_JOB_TOKEN` in the artifacts download API was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/55042) in [GitLab Premium](https://about.gitlab.com/pricing/) 13.10.

 Download a single artifact file from a job with a specified ID from inside
 the job's artifacts zipped archive. The file is extracted from the archive and
@@ -145,6 +146,7 @@ Parameters
 | `id`            | integer/string | yes      | ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user. |
 | `job_id`        | integer        | yes      | The unique job identifier.                                                                                       |
 | `artifact_path` | string         | yes      | Path to a file inside the artifacts archive.                                                                     |
+| `job_token` **(PREMIUM)** | string | no     | To be used with [triggers](../ci/triggers/README.md#when-a-pipeline-depends-on-the-artifacts-of-another-pipeline) for multi-project pipelines. It should be invoked only inside `.gitlab-ci.yml`. Its value is always `$CI_JOB_TOKEN`. |

 Example request:

@@ -162,7 +164,8 @@ Possible response status codes:

 ## Download a single artifact file from specific tag or branch

-> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/23538) in GitLab 11.5.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/23538) in GitLab 11.5.
+> - The use of `CI_JOB_TOKEN` in the artifacts download API was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/55042) in [GitLab Premium](https://about.gitlab.com/pricing/) 13.10.

 Download a single artifact file for a specific job of the latest successful
 pipeline for the given reference name from inside the job's artifacts archive.
@@ -185,6 +188,7 @@ Parameters:
 | `ref_name`      | string         | yes      | Branch or tag name in repository. `HEAD` or `SHA` references are not supported.                              |
 | `artifact_path` | string         | yes      | Path to a file inside the artifacts archive.                                                                 |
 | `job`           | string         | yes      | The name of the job.                                                                                         |
+| `job_token` **(PREMIUM)** | string | no     | To be used with [triggers](../ci/triggers/README.md#when-a-pipeline-depends-on-the-artifacts-of-another-pipeline) for multi-project pipelines. It should be invoked only inside `.gitlab-ci.yml`. Its value is always `$CI_JOB_TOKEN`. |

 Example request:


--- a/lib/api/job_artifacts.rb
+++ b/lib/api/job_artifacts.rb
@@ -45,6 +45,7 @@ module API
        requires :job, type: String, desc: 'The name for the job'
        requires :artifact_path, type: String, desc: 'Artifact path'
      end
+      route_setting :authentication, job_token_allowed: true
      get ':id/jobs/artifacts/:ref_name/raw/*artifact_path',
          format: false,
          requirements: { ref_name: /.+/ } do
@@ -84,6 +85,7 @@ module API
        requires :job_id, type: Integer, desc: 'The ID of a job'
        requires :artifact_path, type: String, desc: 'Artifact path'
      end
+      route_setting :authentication, job_token_allowed: true
      get ':id/jobs/:job_id/artifacts/*artifact_path', format: false do
        authorize_download_artifacts!