[Feature Flag] Clean up `restrict_ci_job_token_for_public_and_internal_projects`
Summary
This issue is to clean up the production feature toggle for "Restricting job token for public and internal projects" (#405369, closed), which is already switched ON by default.
Owners
- Team: group::pipeline security
- Most appropriate Slack channel to reach out to: #g_pipeline_security
- Best individual to reach out to: @dbiryukov
- PM: @shampton
Stakeholders
Expectations
What are we expecting to happen?
We are restricting job tokens for public and internal projects.
- For public/internal projects that have ci_job_token_inbound_scope enabled, access to their container/packages/releases/artifacts is determined by the project's settings
  - If the calling project is not in the allowlist of the target project
    - If it's "Everyone with Access"
      - Then there are no checks required
    - If it's "Only for project members"
      - Then the calling project needs to be on the target project's ci_job_inbound_scope allowlist
    - If it's "Disabled"
      - No access is given
  - If the calling project is in the allowlist
    - There are no checks required
- This change only affects inbound, as outbound is deprecated and scoped out
Summary of changes on restrictions: https://gitlab.com/gitlab-org/gitlab/-/issues/425322
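
The rules listed above, written as a small Ruby check and run over a constructed list of cross-project calls to show which ones would be refused. This is an added example, not GitLab's implementation; the `Project` struct, `job_token_access`, `denied_calls`, the symbol names and all sample data are assumptions.

```ruby
# Added illustration, not GitLab's code. Struct, method and symbol names are hypothetical.
Project = Struct.new(:path, :visibility, :inbound_scope_enabled,
                     :feature_access, :allowlist, keyword_init: true)

# Applies the inbound job-token rules from the list above.
# Returns [decision, reason]; decision is :allow, :deny or :not_covered.
def job_token_access(target, caller_path, feature)
  unless %i[public internal].include?(target.visibility) && target.inbound_scope_enabled
    return [:not_covered, 'rules apply to public/internal projects with inbound scope enabled']
  end
  # Allowlisted callers: the list above states no further checks are required.
  return [:allow, 'caller is in the allowlist'] if target.allowlist.include?(caller_path)

  case target.feature_access[feature]
  when :everyone_with_access then [:allow, '"Everyone with Access"']
  when :only_project_members then [:deny, '"Only for project members" and caller not in allowlist']
  when :disabled             then [:deny, '"Disabled"']
  else [:not_covered, "no setting recorded for #{feature}"]
  end
end

# Lists the calls that would be refused, as [caller, feature, reason].
def denied_calls(target, calls)
  calls.map do |caller_path, feature|
    decision, reason = job_token_access(target, caller_path, feature)
    [caller_path, feature, reason] if decision == :deny
  end.compact
end

# Constructed sample data.
TARGET = Project.new(
  path: 'group/lib', visibility: :public, inbound_scope_enabled: true,
  feature_access: { packages: :everyone_with_access, container: :only_project_members,
                    releases: :disabled },
  allowlist: ['group/deployer']
)
PRIVATE_TARGET = Project.new(path: 'group/internal-tool', visibility: :private,
                             inbound_scope_enabled: true, feature_access: {}, allowlist: [])
CALLS = [['group/app', :packages], ['group/app', :container],
         ['group/app', :releases], ['group/deployer', :releases]].freeze

denied_calls(TARGET, CALLS).each do |caller_path, feature, reason|
  puts "DENY #{caller_path} -> #{TARGET.path} #{feature}: #{reason}"
end
```

Cases the list does not describe, such as a private target or a feature with no recorded setting, come back as `:not_covered` rather than being guessed.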
When is the feature viable?
%16.7 release
Clean up the feature toggle, as it is already switched ON by default.