CI_JOB_TOKEN bot authorization backend

Proposal

Introduce a mechanism (when enabled via project settings) that limits the use of CI_JOB_TOKEN to the project where it originated from. By default, with this setting on, the CI_JOB_TOKEN won't be used outside the project's scope. However, project maintainers can add other projects to the CI_JOB_TOKEN scope. This way the token can be used across a list of selected projects. For example, to trigger multi-project pipelines, etc.

Backend Proposal

Implement the PoC drafted in https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/1248 to restrict the scope of CI_JOB_TOKEN
GraphQL dependencies for frontend
- Queries: Get the list of projects in the allow list of a given project
- Mutations:
  - Add a project to the allow list
  - Remove a project from the allow list
  - Change the state of the setting

Iteration plan

ship the PoC which represents the skeleton for the entire feature
introduce a new table to track associations between projects (token scope)
introduce CI/CD project setting to enable/disable the feature
ship the GraphQL endpoints in parallel

Edited Jun 10, 2021 by Fabio Pitino