Use CI_JOB_TOKEN instead of DEPLOY_TOKEN to create releases
From @tmaczukin
:
With 14.1 creation of the release will require a protected tag push permission. The rollout of this change will be started at Monday. We're currently using a
@gitlab-bot
token for that and the bot is not permitted to create protected tags in our projects. However, the release since a long time can be used with the CI_JOB_TOKEN. This will of course use the permission of job's author, but the GitLab Release jobs should already be limited to people that have such permission. The change should be quite simple - our scripts that are using --header "PRIVATE-TOKEN: ${DEPLOY_TOKEN}" should be replaced with --header "PRIVATE-TOKEN: ${CI_JOB_TOKEN}".
Once this change is merged, we should:
-
Remove DEPLOY_TOKEN
from the project variables. -
Remove DEPLOY_TOKEN
from the security fork variables. -
Remove DEPLOY_TOKEN
from the docker-machine project variables. -
Remove DEPLOY_TOKEN
from the autoscaler project variables. -
Remove DEPLOY_TOKEN
from the fargate project variables. -
Remove DEPLOY_TOKEN
from the runner-release-helper project variables. -
Remove DEPLOY_TOKEN
from the gitlab-changelog project variables. -
Remove DEPLOY_TOKEN
from the release-index-generator project variables.
Edited by Pedro Pombeiro