Support Preparedness 18.0 - Enforcement - Job Token Allowlist

Summary

The CI Job token allowlist will be enforced starting in 18.0.

Links to Change:

Product or Development DRI:

Impact Assessment

  • Impact at this point should be fairly low. Allowlists will be automatically populated based on usage analysis, meaning that for most customers this should be an invisible transition.
  • There might be edge cases, mainly customers whose pipelines run very infrequently, so that their cross-project authentication events would not have been captured by our tooling and therefore not carried over into the allowlist.
  • Some people might be confused about the automatic nature of the migration and have questions.
  • Self-managed and/or Dedicated customers also have the option to disable the enforcement via an Admin Area setting.

Mitigations/Workarounds

  • Refer to the deprecation notice for how customers can/should prepare.
    • Customers can be proactive and transfer the authentication log to their allowlist ahead of the automatic transfer. This is detailed in the deprecation notice as well.
  • For edge cases: customers might have to manually add the missing projects/groups to the affected allowlists to restore cross-project job token access.
  • For concerned customers who feel that the automatic migration is invasive, there is a rollback option that allows them to remove the entries from their allowlist that had been added based on the authentication log. This tooling will be available until 18.3.
    • The entries that were populated from the authentication log have a visual indicator (see design here) to distinguish them from entries that customers added manually themselves.

Edited by Manuel Grabowski