Remove limit CI_JOB_TOKEN access scope
Release notes
Problem to solve
Managing inbound and outbound permissions together for a limited CI_JOB_TOKEN requires coordination across projects. Project owners may not know of each other at all, so they resort to sending an email or opening an issue, if they can, in the project they need to access.
Proposal
Remove capability for users to Limit CI_JOB_TOKEN access scope
Intended users
Feature Usage Metrics
Implementation tasks
Backend
- We can remove all references to direction from the Scope and Allowlist classes.
- We can create a data migration to remove all outbound Ci::JobToken::ProjectScopeLink's from the table.
- We can remove the direction column on the Ci::JobToken::ProjectScopeLink related table and adjust the unique index on that table.
- In 16.0, we can deprecate but not remove certain arguments and fields from the GraphQL API, because we need a deprecation notice a few milestones before removal. https://docs.gitlab.com/ee/development/deprecation_guidelines/
  - Mutations::Ci::JobTokenScope::RemoveProject direction
  - Mutations::Ci::JobTokenScope::RemoveProject direction
  - Types::Ci::JobTokenScopeType outbound_allowlist
- We will need to ensure all GraphQL documentation no longer references outbound as much as possible without fully removing the direction argument and outbound enum.
Frontend
- Remove outbound from token_access_app.vue
- Delete outbound_token_access.vue
- Delete outbound mutations
- Delete outbound queries
- Delete outbound spec
- Update token access app spec
- Once inbound is default direction update related mutations
- Remove inbound naming prefix on mutations/queries (optional)