CI_JOB_TOKEN bot authorization backend
Proposal
Introduce a mechanism (when enabled via project settings) that limits the use of CI_JOB_TOKEN to the project where it originated from. By default, with this setting on, the CI_JOB_TOKEN won't be used outside the project's scope. However, project maintainers can add other projects to the CI_JOB_TOKEN scope. This way the token can be used across a list of selected projects. For example, to trigger multi-project pipelines, etc.
Backend Proposal
- Implement the PoC drafted in https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/1248 to restrict the scope of CI_JOB_TOKEN
- GraphQL dependencies for frontend
- Queries: Get the list of projects in the allow list of a given project
- Mutations:
- Add a project to the allow list
- Remove a project from the allow list
- Change the state of the setting
Iteration plan
- ship the PoC which represents the skeleton for the entire feature
- introduce a new table to track associations between projects (token scope)
- introduce CI/CD project setting to enable/disable the feature
- ship the GraphQL endpoints in parallel
Edited by Fabio Pitino