I use the following simple pipeline (.gitlab-ci.yml):
workflow:
  rules:
    - if: $CI_COMMIT_TAG =~ /^v?(\d+(\.\d+)*)$/
build:
  tags:
    - my-tag
  script:
    - echo "Hello"
I want it to be executed as soon as a commit gets a tag like v1.0. My project has access to an active group runner. The runner is protected. The runner is tagged with my-tag. When I tag a commit on a protected branch with v1.0, the pipeline starts, but the job gets stuck immediately with the following error:
This job is stuck because of one of the following problems. There are no active runners online, no runners for the protected branch, or no runners that match all of the job's tags: my-tag
Go to project CI settings
If I change the pipeline to:
workflow:
  rules:
    - if: '"1" == "1"'
build:
  tags:
    - my-tag
  script:
    - echo "Hello"
It runs successfully on every commit. That's why I think it is not related to the runner configuration as suggested by the error message.
What is the problem when I use $CI_COMMIT_TAG in the rules?
I am on GitLab 16.9.1 and GitLab Runner 16.9.1.
When evaluating $CI_COMMIT_TAG, the pipeline becomes a tag pipeline as opposed to a branch pipeline. A tag is not aware of a branch it "belongs to". Therefore, the started pipeline does not belong to a protected context and cannot be executed on protected runners.
To solve the problem, you can make your tags protected, too (source):
Configuring protected tags
Prerequisites:
- You must have at least the Maintainer role for the project.
- On the left sidebar, select Search or go to and find your project.
- Select Settings > Repository.
- Expand Protected tags.
- Select Add new.
- To protect a single tag, select Tag, then choose your tag from the dropdown list.
- To protect all tags with names matching a string:
  - Select Tag.
  - Enter the string to use for tag matching. Wildcards (*) are supported.
  - Select Create wildcard.
- In Allowed to create, select roles that may create protected tags.
- Select Protect.
The protected tag (or wildcard) displays in the Protected tags list.
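The interaction described in this answer can be reproduced offline with a small model. This is an added example, not part of the answer and not GitLab's own code: `diagnose`, `wildcard_match` and the sample settings are hypothetical names and constructed values, and the model assumes a single runner and the workflow rule from the question.

```python
import re

# The workflow rule from the question's .gitlab-ci.yml.
WORKFLOW_TAG_RULE = re.compile(r"^v?(\d+(\.\d+)*)$")


def wildcard_match(pattern, name):
    """Match a protected-ref pattern in which '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None


def ref_is_protected(ref_type, ref_name, protected):
    """protected maps 'branch' / 'tag' to a list of names or wildcard patterns."""
    return any(wildcard_match(p, ref_name) for p in protected.get(ref_type, []))


def diagnose(ref_type, ref_name, protected, runner_protected, runner_tags, job_tags):
    """Return 'no pipeline', 'stuck' or 'runs' for the build job on one runner."""
    # CI_COMMIT_TAG is only set in tag pipelines, so the rule never matches a branch push.
    if ref_type != "tag" or not WORKFLOW_TAG_RULE.search(ref_name):
        return "no pipeline"
    # The runner must carry every tag the job asks for.
    if not set(job_tags) <= set(runner_tags):
        return "stuck"
    # A protected runner only picks up jobs whose own ref (here: the tag) is protected.
    # Protection of the branch the tagged commit sits on is never consulted.
    if runner_protected and not ref_is_protected(ref_type, ref_name, protected):
        return "stuck"
    return "runs"


if __name__ == "__main__":
    # Constructed project settings: protected branch, no protected tags yet.
    before = {"branch": ["main"], "tag": []}
    # Same project after adding the wildcard 'v*' under Protected tags.
    after = {"branch": ["main"], "tag": ["v*"]}
    for label, settings in (("before", before), ("after", after)):
        result = diagnose("tag", "v1.0", settings, True, ["my-tag"], ["my-tag"])
        print(f"{label}: tag v1.0 on protected runner -> {result}")
```

Only tags covered by a protected pattern reach the protected runner, so the "Allowed to create" setting on the protected tag decides who can trigger jobs there.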