sourcebot-dev · brendan-kellam · Feb 5, 2026 · Feb 5, 2026 · Feb 5, 2026 · Feb 5, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixed
+- [EE] Fixed issue where internal GitLab projects were not visibile in Sourcebot when permission syncing is enabled. [#857](https://github.com/sourcebot-dev/sourcebot/pull/857)
+
 ## [4.10.26] - 2026-02-05
 
 ### Added

diff --git a/packages/backend/src/ee/accountPermissionSyncer.ts b/packages/backend/src/ee/accountPermissionSyncer.ts
@@ -247,16 +247,15 @@ export class AccountPermissionSyncer {
                     throw new Error(`OAuth token with scopes [${scopes.join(', ')}] is missing the 'read_api' scope required for permission syncing.`);
                 }
 
-                // @note: we only care about the private and internal repos since we don't need to build a mapping
-                // for public repos.
+                // @note: we only care about the private repos since we don't need to build a
+                // mapping for public or internal repos. Note that internal repos are _not_
+                // enforced by permission syncing and therefore we don't need to fetch them
+                // here.
+                // 
                 // @see: packages/web/src/prisma.ts
-                const privateGitLabProjects = await getProjectsForAuthenticatedUser('private', api);
-                const internalGitLabProjects = await getProjectsForAuthenticatedUser('internal', api);
-
-                const gitLabProjectIds = [
-                    ...privateGitLabProjects,
-                    ...internalGitLabProjects,
-                ].map(project => project.id.toString());
+                const gitLabProjectIds = (
+                    await getProjectsForAuthenticatedUser('private', api)
+                ).map(project => project.id.toString());
 
                 const repos = await this.db.repo.findMany({
                     where: {

diff --git a/packages/backend/src/gitlab.ts b/packages/backend/src/gitlab.ts
@@ -303,7 +303,6 @@ export const getProjectMembers = async (projectId: string, api: InstanceType<typ
 export const getProjectsForAuthenticatedUser = async (visibility: 'private' | 'internal' | 'public' | 'all' = 'all', api: InstanceType<typeof Gitlab>) => {
     try {
         const fetchFn = () => api.Projects.all({
-            membership: true,
             ...(visibility !== 'all' ? {
                 visibility,
             } : {}),

diff --git a/packages/backend/src/repoCompileUtils.ts b/packages/backend/src/repoCompileUtils.ts
@@ -170,7 +170,13 @@ export const compileGitlabConfig = async (
         const cloneUrl = new URL(project.http_url_to_repo);
         cloneUrl.protocol = new URL(hostUrl).protocol;
         const isFork = project.forked_from_project !== undefined;
-        const isPublic = project.visibility === 'public';
+        // @note: we consider internal repos to be `public` s.t.,
+        // we don't enforce permission filtering for them and they
+        // are visible to all users.
+        // @see: packages/web/src/prisma.ts
+        const isPublic =
+            project.visibility === 'public' ||
+            project.visibility === 'internal';
         const repoDisplayName = project.path_with_namespace;
         const repoName = path.join(repoNameRoot, repoDisplayName);
         // project.avatar_url is not directly accessible with tokens; use the avatar API endpoint if available