API: Personal Access Token granularity for project scope

I would like to restrict personal access tokens to project scopes (in addition to the current api permission level), so I can use my personal access token for API access, but not for every project I have access to.

There are a lot of 3rd-party integrations that use a GitLab user's personal access token for their service. If I need to use some kind of integration that uses this token for a single project, I implicitly allow access to all my repos (including private ones) to said service.

Example: tools like SonarQube use the personal access token to add merge request comments, but there are also services that allow for automatic merge requests for updates.

The only workaround to restrict these kinds of services to a single repository is by having a separate GitLab user for this repository/project. As an Enterprise user, this looks like a massive boost in GitLab license usage.

Edited by 🤖 GitLab Bot 🤖