Allow `write_repository` scope for pipeline permissions

Problem to solve

Pipelines currently use the security access of the user running the pipeline (via their personal access token or PAT) but hard-coded limitations prevent destructive actions such as writing to the repository, writing to the registry, access to the API, and so on, even if the PAT was granted these "scopes".

There needs to be a way for project administrators to grant these scopes to a "resource" (such as a project or group) to allow pipelines to perform these actions, while ensuring the pipeline permissions never exceeds the permissions of the user running the pipeline.

Intended users

Sasha (Software Developer)
Devon (DevOps Engineer)
Alex (Security Operations Engineer)

User experience goal

Proposal

Enable a project administrator to grant write_repository scope for pipeline permissions.

Allow `write_repository` scope for pipeline permissions

Problem to solve

Intended users

User experience goal

Proposal

Further details

Permissions and Security

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references