GitLab Branch can't scan subgroups

This issue is archived. You can view it, but you can't modify it. Learn more

XMLWordPrintable

      The Jenkins environment used to work perfectly until very recently, when a plugin update completely broke things.

      We have two branch sources very carefully curated to avoid overlaps. A parent group (call it parent-group) is one source, and one of its subgroups (let's call it parent-group/sub-group) is another.

      Scanning for parent-group works just fine, with the same credentials (with access permissions which include read_user, etc.).

      Scanning for parent-group/sub-group fails with the following exception:

      org.gitlab4j.api.GitLabApiException: 403 Forbidden - Not authorized to access /api/v4/users
	at PluginClassLoader for gitlab-api//org.gitlab4j.api.AbstractApi.validate(AbstractApi.java:763)
	at PluginClassLoader for gitlab-api//org.gitlab4j.api.AbstractApi.get(AbstractApi.java:260)
	at PluginClassLoader for gitlab-api//org.gitlab4j.api.UserApi.getUser(UserApi.java:352)
	at PluginClassLoader for gitlab-branch-source//io.jenkins.plugins.gitlabbranchsource.helpers.GitLabOwner.fetchOwner(GitLabOwner.java:40)
Caused: java.lang.IllegalStateException: Unable to fetch User
	at PluginClassLoader for gitlab-branch-source//io.jenkins.plugins.gitlabbranchsource.helpers.GitLabOwner.fetchOwner(GitLabOwner.java:48)
	at PluginClassLoader for gitlab-branch-source//io.jenkins.plugins.gitlabbranchsource.GitLabSCMNavigator.getGitlabOwner(GitLabSCMNavigator.java:208)
	at PluginClassLoader for gitlab-branch-source//io.jenkins.plugins.gitlabbranchsource.GitLabSCMNavigator.getGitlabOwner(GitLabSCMNavigator.java:201)
	at PluginClassLoader for gitlab-branch-source//io.jenkins.plugins.gitlabbranchsource.GitLabSCMNavigator.retrieveActions(GitLabSCMNavigator.java:408)
	at PluginClassLoader for scm-api//jenkins.scm.api.SCMNavigator.fetchActions(SCMNavigator.java:326)
	at PluginClassLoader for branch-api//jenkins.branch.OrganizationFolder.computeChildren(OrganizationFolder.java:481)
	at PluginClassLoader for cloudbees-folder//com.cloudbees.hudson.plugins.folder.computed.ComputedFolder.updateChildren(ComputedFolder.java:272)
	at PluginClassLoader for cloudbees-folder//com.cloudbees.hudson.plugins.folder.computed.FolderComputation.run(FolderComputation.java:170)
	at PluginClassLoader for branch-api//jenkins.branch.OrganizationFolder$OrganizationScan.run(OrganizationFolder.java:909)
	at hudson.model.ResourceController.execute(ResourceController.java:101)
	at hudson.model.Executor.run(Executor.java:454)

      If I remove the /sub-group bit, the problem goes away.

      Clearly this has been working for over a year, so it's very strange for it to suddenly start failing like this. As I mentioned: the PAT in use works just fine with the parent project.

      UPDATE : Upon further investigation, it appears that the issue may have to do with the slash ( / ) in the subgroup separation is getting incorrectly URL-encoded as %2F:

      #
# From GitLab's logs
#
172.20.7.65 - - [09/Oct/2025:07:26:12 +0000] "GET /api/v4/groups/parent-group%2Fsub-group HTTP/1.1" 404 33 "" "Jersey/2.47 (HttpUrlConnection 21.0.8)" -
172.20.7.65 - - [09/Oct/2025:07:26:12 +0000] "GET /api/v4/groups/parent-group%2Fsub-group HTTP/1.1" 404 33 "" "Jersey/2.47 (HttpUrlConnection 21.0.8)" -
172.20.7.65 - - [09/Oct/2025:07:26:12 +0000] "GET /api/v4/users?username=parent-group%2Fsub-group&page=1&per_page=1 HTTP/1.1" 403 68 "" "Jersey/2.47 (HttpUrlConnection 21.0.8)" -

      Cheers!

            Assignee:
            Parichay Barpanda
            Reporter:
            Diego
            Archiver:
            Jenkins Service Account

              Created:
              Updated:
              Resolved:
              Archived: