Add "Manage Runners" as a customizable permission

Release notes

Group owners and project maintainers have the ability to manage runners. As a result, a user who only needs to manage runners often ends up overprivileged, holding other destructive group or project permissions they may not need. With the release of this permission, you can create a custom role and set the permission to enable least-privileged access.

Background

Group owners and project maintainers have the ability to manage runners. This leads organizations to elevate a subset of users who need to manage runners and who, as a consequence, can edit other Group/Project settings. This permission will allow a custom role such as Developer + this permission, enabling organizations to reduce the number of Owners and Maintainers in their environment.

Proposal and User Experience

  1. When creating a role, any base can be selected. A new permission is available and labeled "Manage Runners" that can be selected.
  2. If the user role is targeted at the group level, they will be able to perform the Group Actions indicated below on the group and its subgroups. This continues to follow the waterfall permission model.
  3. If the user role is targeted at the project level, they can only perform Project Actions indicated below for the project.
  4. The permission actions for admin_runners allow create / write (create/update) / delete on Runners and settings, including:
Group Actions

Runner Object

  • Create a group runner
  • Edit a runner
  • Delete a runner
  • View details
    • Continue to only show objects that the user has access to (jobs/projects)

Runner List

  • View list of runners (all, group or project) and status including filtering
  • Edit, Resume, Delete Runner on List item
  • Registration Token Dropdown Option (Deprecated)

Runner Settings

  • Enable runner instances
  • Enable stale cleanup

Project Actions

Runner Settings

  • View Project Runners
  • View Instance Runners
  • Project Runner
    • Create runner
    • Remove runner
    • Pause runner
  • Configuration
    • Enable instance runners
    • Disable group runners

Pipelines View

  • Clear Cache

Views and workflows include:

  • Base + permission: Can see Group > Build > Runners
  • Base + permission: Can see Group > Build > Create Runner
  • Base + permission: Can see Group > Build > View Runner Details
  • Base + permission: Can see Group > Settings > CI/CD > Runners
  • Base + permission: Can see Projects > Settings > CI/CD > Runners
  • Base + permission: Can see Projects > Pipelines > Clear Runner Cache
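
The scoping rules in steps 2 to 4 can be read as a default-deny check. The sketch below is an added example, not GitLab's implementation: the action names, users, and paths are constructed, and it assumes the waterfall model also carries a group-level grant down to projects inside that group tree.

```python
from dataclasses import dataclass

# Hypothetical labels for the Group Actions / Project Actions listed above.
GROUP_ACTIONS = {"create_group_runner", "edit_runner", "delete_runner",
                 "view_runner_list", "enable_stale_cleanup"}
PROJECT_ACTIONS = {"create_project_runner", "remove_runner", "pause_runner",
                   "enable_instance_runners", "disable_group_runners",
                   "clear_runner_cache"}

@dataclass(frozen=True)
class Assignment:
    user: str
    target: str             # full path of the group or project the role targets
    target_kind: str        # "group" or "project"
    permissions: frozenset  # custom permissions added on top of the base role

def is_within(path, ancestor):
    """True if path is ancestor itself or nested below it (segment-aware)."""
    return path == ancestor or path.startswith(ancestor + "/")

def can(assignments, user, action, resource, resource_kind):
    """Decide whether admin_runners lets `user` perform `action` on `resource`."""
    for a in assignments:
        if a.user != user or "admin_runners" not in a.permissions:
            continue
        if a.target_kind == "project":
            # Project-level role: Project Actions on that one project only.
            if (resource_kind == "project" and resource == a.target
                    and action in PROJECT_ACTIONS):
                return True
        elif is_within(resource, a.target):
            # Group-level role: waterfalls to subgroups (and, by assumption,
            # to projects under the group).
            allowed = GROUP_ACTIONS if resource_kind == "group" else PROJECT_ACTIONS
            if action in allowed:
                return True
    # Default deny: anything outside the runner actions still needs the
    # Owner or Maintainer role.
    return False

# Constructed sample assignments (Developer base + admin_runners).
ASSIGNMENTS = [
    Assignment("dana", "acme/platform", "group", frozenset({"admin_runners"})),
    Assignment("lee", "acme/web/shop", "project", frozenset({"admin_runners"})),
]
```

The segment-aware prefix check matters: a plain `startswith` would let a role on `acme/platform` reach a sibling group such as `acme/platform-legacy`.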

Documentation

  • Permission Title: Manage Runners
  • Permission Description: Create, view, edit, and delete group or project Runners. Includes configuring Runner settings.
  • Update prerequisites for Manage Runner Documentation, Configure Runners, Tutorials with:
    • Update group prerequisites: You must have the Owner role for the group or a custom role with the permission "admin_runners"
    • Update project prerequisites: You must have the Maintainer role for the project or a custom role with the permission "admin_runners"

Evidence

Edited by mo khan