Allow mirror to trigger downstream pipeline in deployment projects
Context
When setting up mirroring, a project access token (PrAT) is created for ops.gitlab.net. All pipelines on the ops project are triggered by this PrAT. This PrAT cannot be used to trigger downstream pipelines.
Bot users for the tokens cannot be added to any other project (https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html#bot-users-for-projects). This is a blocker, since that would mean all push mirrors to ops will not auto-trigger the downstream pipeline.
Approach
Essentially, the push mirror needs to use a PAT from a user account that is a member of the deployment project.
Project access tokens would not fit the bill, since the token would need to be able to:
- Mirror to the ops repo
- Trigger downstream pipeline
Recent changes to the push-mirror module (https://ops.gitlab.net/gitlab-com/gl-infra/terraform-modules/gitlab/project/-/merge_requests/31/diffs) will allow us to set a PAT for the push mirror.
We could use the ops-gitlab-net user account to generate a PAT or create a new user account (e.g. runway-ops-mirrorring) just for runway's use.
Summary
The PAT is created and placed in ci/gitlab-com/gitlab-com/gl-infra/infra-mgmt/gitlab-com/mirror-tokens/ops-deployed-runway-workloads.
The expiry is in 11 months.