Planning deprecation of non-expiring tokens with opt-out
In #369122 (closed), there is a plan to deprecate the option to have non-expiring tokens. Having no way of adding non-expiring tokens is very upsetting and reading the comments on related issues very unpopular.
I can see Gitlab trying to protect companies, but you also need to understand that this feature won't fit all companies. There are many reasons you might want non-expiring tokens, and it should be up to the company, not Gitlab, to decide how secure their tokens are.
There should, before v16 rolls out a way to opt-out of this functionality, being a configuration in gitlab.rb or via the admin-interface. Put a disclaimer what that means, but don't force it like the plan looks now.