Provide a CI/CD Token with Admin capabilities

Problem to solve

Certain operations on GitLab require access to different API endpoints, which require different access levels. Currently, automations that use these endpoints need a combination of Project/Group Access Tokens and Administrator Personal Access Tokens.

One example is automating GitLab Runner management (querying their status, starting, stopping, removing).

Proposal

Provide a pre-defined CI/CD variable containing a token that has Administrator privileges to the GitLab API. Some considerations:

  • Configurable (enable/disable) at the group or project level by administrators only, to provide granularity and security.
  • Configurable (enable/disable) at the instance level via gitlab.rb or via the Admin panel of the GUI.
  • Above actions should be logged to audit logs.
  • Prevent usage in pipelines triggered by non-admin users and log these attempts to audit logs.
  • Feature only available on private groups/projects.
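
One way the considerations above could be evaluated when a job starts, as an added example that is not GitLab code. Every class, field and reason name is hypothetical; it assumes a group-level setting covers the projects below it and that every denial, not only the non-admin one, is written to the audit log.

```ruby
# Added example, not GitLab code. All names here are hypothetical.
require "time"

Pipeline = Struct.new(:id, :project_path, :visibility, :triggered_by,
                      :user_is_admin, keyword_init: true)

class AdminTokenGate
  attr_reader :audit_log

  # instance_enabled: instance-wide switch (gitlab.rb or Admin panel in the proposal)
  # enabled_paths: groups/projects where an administrator enabled the feature
  def initialize(instance_enabled:, enabled_paths:)
    @instance_enabled = instance_enabled
    @enabled_paths = enabled_paths
    @audit_log = []
  end

  # Fail closed: the token is exposed only when every condition holds.
  def expose_token?(pipeline)
    reason = denial_reason(pipeline)
    audit_denial(pipeline, reason) if reason
    reason.nil?
  end

  private

  def denial_reason(p)
    return :instance_disabled unless @instance_enabled
    return :not_enabled_for_scope unless scope_enabled?(p.project_path)
    return :not_private unless p.visibility == "private"
    return :non_admin_trigger unless p.user_is_admin
    nil
  end

  # Assumption: "infra" covers "infra/runners" but not "infrastructure/x".
  def scope_enabled?(path)
    @enabled_paths.any? { |e| path == e || path.start_with?("#{e}/") }
  end

  # The proposal asks for non-admin attempts to be logged; this logs all denials.
  def audit_denial(p, reason)
    @audit_log << { at: Time.now.utc.iso8601, pipeline: p.id,
                    project: p.project_path, user: p.triggered_by, reason: reason }
  end
end
```
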

Alternative

In the project settings, provide a button that allows CI_JOB_TOKEN to also run with the sudo scope. Considerations:

  • Button is only available to administrators.
  • Interaction with the button is logged to audit logs.
