Feature Request: allow using project exports API with read-only permissions
Proposal
The GitLab project export API allows exporting project information for migration. Another possible application is to use it as a backup feature, to save a static version of projects at a remote location.
However, currently the project can only be exported by a maintainer with a token having full API scope permissions. For backup purposes, this is an obvious risk, since this means a malicious actor gaining access to the backup token will not only be able to access any backed-up data, but also remove any live data through this token.
It would thus be safer to allow a project export with a set of read-only permissions, so that in case of a security breach on the backup machine, the attacker can at most destroy any backed-up data, but not alter the existing live data.
This has been requested before, e.g. here, so there is at least some interest in this feature. Moreover, the current documentation does not seem to mention anything about required API token permissions/scope, apart from noting "You must have at least the Maintainer role for the project." (which is possibly the cause of questions like this one).
Note: a similar thing might be relevant for group exports.