diff --git a/app/controllers/projects/git_http_client_controller.rb b/app/controllers/projects/git_http_client_controller.rb
index 956093b972b..abf8407a51c 100644
--- a/app/controllers/projects/git_http_client_controller.rb
+++ b/app/controllers/projects/git_http_client_controller.rb
@@ -49,7 +49,8 @@ class Projects::GitHttpClientController < Projects::ApplicationController
         send_final_spnego_response
         return # Allow access
       end
-    elsif project && download_request? && Guest.can?(:download_code, project)
+    elsif project && download_request? && http_allowed? && Guest.can?(:download_code, project)
+
       @authentication_result = Gitlab::Auth::Result.new(nil, project, :none, [:download_code])
 
       return # Allow access
@@ -113,4 +114,8 @@ class Projects::GitHttpClientController < Projects::ApplicationController
   def ci?
     authentication_result.ci?(project)
   end
+
+  def http_allowed?
+    Gitlab::ProtocolAccess.allowed?('http')
+  end
 end
diff --git a/changelogs/unreleased/dblessing-fix-public-project-ssh-only-ci-failure.yml b/changelogs/unreleased/dblessing-fix-public-project-ssh-only-ci-failure.yml
new file mode 100644
index 00000000000..615a1571e95
--- /dev/null
+++ b/changelogs/unreleased/dblessing-fix-public-project-ssh-only-ci-failure.yml
@@ -0,0 +1,5 @@
+---
+title: Allow CI to clone public projects when HTTP protocol is disabled
+merge_request: 31632
+author:
+type: fixed
diff --git a/spec/controllers/projects/git_http_controller_spec.rb b/spec/controllers/projects/git_http_controller_spec.rb
index bf099e8deeb..88fa2236e33 100644
--- a/spec/controllers/projects/git_http_controller_spec.rb
+++ b/spec/controllers/projects/git_http_controller_spec.rb
@@ -12,4 +12,15 @@ describe Projects::GitHttpController do
       expect(response.status).to eq(403)
     end
   end
+
+  describe 'GET #info_refs' do
+    it 'returns 401 for unauthenticated requests to public repositories when http protocol is disabled' do
+      stub_application_setting(enabled_git_access_protocol: 'ssh')
+      project = create(:project, :public, :repository)
+
+      get :info_refs, params: { service: 'git-upload-pack', namespace_id: project.namespace.to_param, project_id: project.path + '.git' }
+
+      expect(response.status).to eq(401)
+    end
+  end
 end