Split tokens for reading and writing
See https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/issues/18945
For improvement of security the tokens that read from the API and write to the gl-retrospectives group should be split, instead of having one token that can read and write to the whole API.
There are now two available token variables in the CI config:
- $GITLAB_BOT_API_TOKEN which has read permission on all of GitLab, so that issues and MRs can be collated/counted.
- $GITLAB_WRITE_API_TOKEN which has write permission to one group (gl-retrospectives) and handles the creation and update of issues, discussions, etc within that group.
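
A client-side guard that keeps the two tokens from being mixed, as an added example that is not code from this change or its project. The helper names `token_for` and `in_write_group`, the `/api/v4/` path prefix, and the sample project paths in the comments are assumptions made for illustration.

```python
import os
from urllib.parse import unquote, urlsplit

READ_VAR = "GITLAB_BOT_API_TOKEN"     # read permission on all of GitLab
WRITE_VAR = "GITLAB_WRITE_API_TOKEN"  # write permission on gl-retrospectives only
WRITE_GROUP = "gl-retrospectives"
API_PREFIX = "/api/v4/"               # assumption: REST API v4 style paths
READ_METHODS = {"GET", "HEAD"}


def in_write_group(url):
    """True if the URL addresses WRITE_GROUP, or something beneath it, by path."""
    path = urlsplit(url).path         # urlsplit leaves %2F encoded
    if not path.startswith(API_PREFIX):
        return False
    parts = path[len(API_PREFIX):].split("/")
    if len(parts) < 2 or parts[0] not in ("groups", "projects"):
        return False
    # Namespaced ids are URL-encoded, e.g. gl-retrospectives%2Fplan (constructed)
    segments = unquote(parts[1]).split("/")
    if ".." in segments or "" in segments:
        return False                  # traversal or empty path components
    if segments[0] != WRITE_GROUP:
        return False                  # numeric ids and look-alike names are refused
    # A project must sit under the group; the group itself may be addressed directly.
    return parts[0] == "groups" or len(segments) > 1


def token_for(method, url, env=os.environ):
    """Return (variable name, token) for a request without ever mixing scopes."""
    if method.upper() in READ_METHODS:
        return READ_VAR, env[READ_VAR]
    if not in_write_group(url):
        # Fail closed: a write outside the group gets no token at all.
        raise PermissionError(f"{method} {url}: outside {WRITE_GROUP}")
    return WRITE_VAR, env[WRITE_VAR]
```

Because the guard only trusts path-addressed resources, a write that refers to a project by numeric id is refused even if that project is inside the group.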