Update `Secure CI_JOB_TOKEN` settings in preparation for 17.0
Problem statement
A breaking change scheduled for the 17.0 release will change the Secure CI_JOB_TOKEN behavior to default to on for all projects and disable the ability to toggle it. Each project will have a list of allowed inbound triggering projects, and only those can generate a multi-project pipeline. See gitlab-org/gitlab#335465 for full details.
Proposal
To try and help connect any impact of this change to the work, I suggest we anticipate it by enabling the Secure CI_JOB_TOKEN setting, working project by project.
Setting can be found in: project -> Settings -> CI/CD -> Tokens Access
How to identify downstream projects?
For each project we own, we can get a hint of where to start looking for downstream projects with the following command:

```shell
git grep -n -A 6 CI_JOB_TOKEN
```
Note: we removed one detection method after tests confirmed that the `trigger:` configuration in CI is not impacted:
Old information
For each project we own, we can get a hint of where to start looking for downstream projects with the following commands: #2951 (comment 1870157818)

```shell
git grep -n -A 6 trigger:
git grep -n -A 6 CI_JOB_TOKEN
```

The first one should identify gitlab-ci.yml triggers, and the second one, code usages of the triggering token.
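As an added example (not code from this issue or from the release-tools project), a POSIX shell script that wraps the CI_JOB_TOKEN grep above and extracts, from each match, the target project reached through the REST API (`/api/v4/projects/<id-or-path>/...`). Those targets are the projects whose inbound allowlist must name the scanning project. The sample project, its URLs and the project id 4242 are constructed for the demonstration; it uses `grep -r` instead of `git grep` so it also runs on a plain export.

```shell
#!/bin/sh
# Scan a checked-out project for CI_JOB_TOKEN usages and list the GitLab projects
# those usages reach. Each listed project must allow the scanned project in its
# "Limit access to this project" allowlist once 17.0 turns the setting on.
set -eu

# Print every CI_JOB_TOKEN usage with 6 lines of context, mirroring the issue's command.
# Uses plain grep -r so a non-git export works too; no match is not an error.
list_token_usages() {
    grep -rn -A 6 CI_JOB_TOKEN "$1" || true
}

# From the usages, extract the target project (numeric id or URL-encoded path) in
# REST calls of the form /api/v4/projects/<target>/..., decode %2F, de-duplicate.
downstream_projects() {
    list_token_usages "$1" \
      | grep -o 'api/v4/projects/[^/]*/' \
      | sed -e 's#api/v4/projects/##' -e 's#/$##' -e 's#%2F#/#g' \
      | LC_ALL=C sort -u
}

# Constructed sample project: one pipeline trigger and one package download via job token.
make_sample_project() {
    dir=$(mktemp -d)
    mkdir -p "$dir/scripts"
    cat > "$dir/.gitlab-ci.yml" <<'EOF'
deploy:
  script:
    - curl --fail -X POST -F token=$CI_JOB_TOKEN -F ref=main
        "https://ops.gitlab.net/api/v4/projects/gitlab-com%2Fgl-infra%2Fdeployer/trigger/pipeline"
EOF
    cat > "$dir/scripts/fetch.sh" <<'EOF'
curl --header "JOB-TOKEN: $CI_JOB_TOKEN" \
  "https://ops.gitlab.net/api/v4/projects/4242/packages/generic/tool/1.0/tool.tar.gz"
EOF
    echo "$dir"
}

# Usage: sh scan.sh /path/to/checked-out/project
if [ -n "${1:-}" ]; then
    downstream_projects "$1"
fi
```

Run it over each project we own and add the scanning project to the allowlist of every target it prints; a `trigger:` keyword in the CI config does not show up here, which matches the note above that it is not impacted.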
Inbound policies

https://ops.gitlab.net/gitlab-org/release/tools (gitlab-org/release/tools)

release-tools on OPS requires an inbound policy allowing the following projects:

- https://ops.gitlab.net/gitlab-com/gl-infra/deployer
- https://ops.gitlab.net/gitlab-com/gl-infra/k8s-workload/tanka-deployments
- https://ops.gitlab.net/gitlab-org/quality/staging
- https://ops.gitlab.net/gitlab-org/quality/staging-canary
- https://ops.gitlab.net/gitlab-org/quality/canary
- https://ops.gitlab.net/gitlab-org/quality/production
Status
Status Thread
2024-05-03
With everything merged, we can now close this issue. Any lingering objects where we consume the CI_JOB_TOKEN are also using the preferred trigger token instead. For all projects we leverage, the option "Limit access to this project" is now enabled!