Enable inbound job token scope by default for new projects
Release Notes
The ability to limit which projects can use a CI_JOB_TOKEN to authenticate against your project is a big improvement to securing a project's CI/CD pipelines, but this feature has to be enabled manually, leaving new projects at risk.
Starting with GitLab 15.9, the inbound scope limit for the CI_JOB_TOKEN will be enabled by default for new projects.
Problem
Before we make the job token scope always enabled in the next major release, we need to start transitioning to this default behavior.
Plan
To roll out the Job Token Scope feature we decided to follow this plan:
Under a single feature flag:
- deploy the setting for inbound
- set the default to true, and allow people to turn the group-level setting off (this issue)
This work will be carried out in two steps:
- Set default to true on application level for new projects. This will be under a feature flag. !109689 (merged)
- Set default to true on database level. !110196 (merged)
Not under the same flag (not this issue):
Solution
- Enable the inbound job token scope (in the project's settings) by default for new projects prior to the major release.
- Enabling this setting by default means that QA tests on the staging environment will have the setting enabled too. We need to change those E2E tests so that they configure the inbound job token scope (add the target projects to the scope) rather than disable it.
Pre-requisites:
- documentation must be clear on why a CI_JOB_TOKEN can't access a repository and how to troubleshoot it
- customers need to know in advance that we are planning to enable it by default for new projects
- customers should be able to opt out