allow JOB-TOKEN access to ci/lint endpoint

Proposal

We have a project where we have multiple gitlab-ci.yml files that are used as include files for other projects. It's quite useful!

But we'd like to lint those files, through CI, of course. This is typically done through the CI lint API endpoint. That, unfortunately, seems to require an access token with Maintainer access and api scope. That's a broad access!

Furthermore, access tokens seem to expire after a year maximum, which means this pipeline breaks every year now.

Could we not use CI_JOB_TOKEN for this? The allowed endpoints explicitly include pipeline triggers, so I'm not sure why linting isn't allowed...

Required approvals

  • Any changes to the list of CI_JOB_TOKEN authentication scope should require AppSec approval/review.
Edited by 🤖 GitLab Bot 🤖