Rotation nudges for users that have long-lived tokens
Proposal
Personal Access Tokens are very sensitive secrets: they can carry broad permissions and they authenticate without a second factor, so they effectively bypass MFA. While we always recommend that team members set an expiration date on these tokens, this is not enforced, and some tokens have very long expiration dates (or none at all).
GitLab should encourage good practices, and send regular reminders to users to rotate long-lived tokens. One thing we have to figure out is the definition of "users" in the previous sentence. The user holding the token can be a human or a system ("bot") account.
- In the case of a human, it makes sense to send notifications to this person.
- In the case of a system ("bot") account, it's better to notify the users of the project that uses this token, since the maintainers of those projects generally don't have direct access to the system account's notifications.
We might have to split this feature into:
- Notifications for token holders
- Notifications for project Maintainers
The other thing to decide here is the definition of "long-lived" tokens. Sending these notifications every quarter sounds like a good cadence. This can be discussed as part of this issue.
Proposal
- Align notifications to what was implemented for Project and Group access tokens ✅ (already complete)
- For any secrets that have an expiry interval longer than 90 days, send an e-mail notification to group owners, maintainers, and administrators (depending on whether the instance is self-managed or SaaS) reminding them that, given the length of the expiry interval, it is recommended to rotate the token.
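The selection and routing logic described above (human holder vs. bot account, and the 90-day expiry-interval threshold), as an added example that is not GitLab's own code. The `Token` and `Project` records, the `used_in` metadata linking a bot token to the projects that use it, the `instance_admins` parameter for self-managed instances, and all sample accounts are constructed assumptions for this illustration; a real implementation would read tokens and memberships from the database or the API. "Longer than 90 days" is taken literally: an interval of exactly 90 days does not trigger a nudge, a token with no expiry always does, and already-expired tokens are skipped because there is nothing left to rotate.

```python
"""Rotation-nudge candidate selection for long-lived access tokens.

Illustrative model of the proposal above, not GitLab's implementation.
Token and project data below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Threshold from the proposal: an expiry interval longer than 90 days is "long-lived".
ROTATION_THRESHOLD_DAYS = 90


@dataclass(frozen=True)
class Token:
    token_id: int
    owner: str                  # username of the account holding the token
    is_bot: bool                # system ("bot") account vs. human account
    created_at: date
    expires_at: Optional[date]  # None means the token never expires
    used_in: tuple = ()         # projects known to use this token (assumed metadata)


@dataclass(frozen=True)
class Project:
    name: str
    owners: frozenset
    maintainers: frozenset


def expiry_interval_days(token: Token) -> Optional[int]:
    """Days between creation and expiry; None when the token never expires."""
    if token.expires_at is None:
        return None
    return (token.expires_at - token.created_at).days


def is_long_lived(token: Token, threshold_days: int = ROTATION_THRESHOLD_DAYS) -> bool:
    """True when the expiry interval exceeds the threshold or no expiry is set at all."""
    interval = expiry_interval_days(token)
    return interval is None or interval > threshold_days


def recipients_for(token: Token, projects: dict, instance_admins: frozenset = frozenset()) -> frozenset:
    """Who receives the nudge: the holder for a human token; for a bot token, the owners
    and maintainers of every project that uses it, plus instance admins when given
    (self-managed case)."""
    if not token.is_bot:
        return frozenset({token.owner})
    people = set(instance_admins)
    for name in token.used_in:
        project = projects[name]
        people |= project.owners | project.maintainers
    return frozenset(people)


def rotation_nudges(tokens, projects, today: date, instance_admins=frozenset(),
                    threshold_days=ROTATION_THRESHOLD_DAYS):
    """Return (token_id, recipients, reason) for every unexpired long-lived token."""
    nudges = []
    for token in tokens:
        if token.expires_at is not None and token.expires_at <= today:
            continue  # already expired: nothing to rotate, and no point nagging
        if not is_long_lived(token, threshold_days):
            continue
        interval = expiry_interval_days(token)
        reason = ("no expiry set" if interval is None
                  else f"expiry interval is {interval} days (> {threshold_days})")
        nudges.append((token.token_id, recipients_for(token, projects, instance_admins), reason))
    return nudges


# Constructed sample data (not real accounts, projects or tokens).
PROJECTS = {
    "payments": Project("payments", owners=frozenset({"olga"}), maintainers=frozenset({"max", "nia"})),
}
TODAY = date(2024, 3, 1)
TOKENS = (
    Token(1, "alice", False, date(2024, 2, 1), date(2024, 3, 2)),                     # 30 days: no nudge
    Token(2, "bob", False, date(2023, 6, 1), date(2024, 6, 1)),                       # 366 days: nudge bob
    Token(3, "deploy-bot", True, date(2022, 1, 1), None, used_in=("payments",)),      # never expires: nudge project
    Token(4, "ci-bot", True, date(2024, 1, 1), date(2024, 3, 31), used_in=("payments",)),  # exactly 90 days: no nudge
    Token(5, "carol", False, date(2020, 1, 1), date(2021, 1, 1)),                     # already expired: skipped
)


def sample_nudges():
    """Run the selection over the constructed data, treating the instance as self-managed."""
    return rotation_nudges(TOKENS, PROJECTS, TODAY, instance_admins=frozenset({"root"}))


if __name__ == "__main__":
    for token_id, who, why in sample_nudges():
        print(f"token {token_id}: notify {sorted(who)} ({why})")
```

Running it lists two nudges: token 2 to its human holder, and the never-expiring bot token to the project's owner, maintainers and the instance admin; the 30-day and exactly-90-day tokens and the expired one produce nothing. Splitting `recipients_for` from `rotation_nudges` keeps the two open questions in the proposal (who counts as a "user", and what counts as "long-lived") as separate, independently adjustable decisions.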