Agent authorization for private manifest projects

Problem to solve

As an agent "owner", I want a way to allow the agent access to manifest projects, without me personally having access to those projects.

As a manifest project owner, I want a way to allow the agent access to my manifest project, without allowing read access to others.

Intended users

• Devon (DevOps Engineer)
• Allison (Application Ops)
• Priyanka (Platform Engineer)

User experience goal

Be able to allow access to a specific agent in a project's settings.

A manifest project maintainer goes into a project settings, and allows a specific agent (defined by configuration project name and agent id) access to that repository.

For this to work the manifest project maintainer needs at least reporter access to the configuration project to get a list of available configuration projects.

Proposal

As discussed with @ash2k, we don't need any tokens. By code we could access any repository with the agent, we just need a way to allow the user to give us access to a specific project. Currently, we're restricting ourself to public projects on purpose.

1. Authorize the project if it's the agent's project => !48314 (merged)
2. Utilize Deploy Tokens. See #268019 (closed)

Further details

Permissions and Security

Documentation

Availability & Testing

What does success look like, and how can we measure that?

Adoption increases. Right now, there is low likelihood of serious adoption as only public projects can be used with this feature

What is the type of buyer?

Is this a cross-stage feature?

Links / references