Expand CI_JOB_TOKEN Permissions to Include Scopes for Pipeline Metadata


Problem

The CI_JOB_TOKEN has access to several APIs by default to assist in pipeline automation. However, the token cannot read metadata from the API about the pipeline it is running in. For example, the following API routes are denied for the job token and require a personal access token:

  1. ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/pipelines/${CI_PIPELINE_ID}/bridges
  2. ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/pipelines/${downstream_id}/jobs
  3. ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/jobs/${job}

This information can be scoped to the context of the current pipeline. It would be helpful if there were scope settings on the job token that allowed metadata about the current pipeline, and about the jobs of the current pipeline, to be inspected with the CI_JOB_TOKEN.

Proposal

Add the following authentication setting to each affected API endpoint (in lib/api/*.rb):

route_setting :authentication, job_token_allowed: true, job_token_scope: :project 

⚠️ In reviewing these changes we need to ensure that the serializer of the given API endpoint doesn't expose sensitive information. That should not be the case today, and we must never authorize endpoints like CI variables or job traces for the job token.
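As an added illustration (this is not GitLab's code, and the names `authorize_job_token`, `downstream_of?`, `JobToken`, `Request`, the resource symbols and the sample IDs are hypothetical), the following Ruby models the check a `job_token_scope` would have to enforce for the three routes listed above: the requested project must be the token's own project, resources that can carry secrets (variables, traces) are refused before any scope is considered, and a stricter `:pipeline` scope additionally requires the requested pipeline to be the token's pipeline or a downstream pipeline of it, which is what route 2 (`${downstream_id}`) needs. The parent relation and all IDs are constructed sample data so the file runs offline.

```ruby
require 'set'

# Constructed sample data: pipeline 101 is a child (downstream) pipeline
# triggered from pipeline 100; any pipeline absent from this hash has no parent.
PARENT_PIPELINE = { 101 => 100 }.freeze

# Resources whose payloads may contain secrets: never authorized for a job
# token, whatever scope is configured (hypothetical names).
SENSITIVE_RESOURCES = Set[:variables, :trace].freeze

# Read-only metadata resources this proposal would open to the job token:
# pipeline bridges, pipeline jobs, and a single job (hypothetical names).
METADATA_RESOURCES = Set[:bridges, :jobs, :job].freeze

# The token knows which project and pipeline issued it.
JobToken = Struct.new(:project_id, :pipeline_id, keyword_init: true)

# pipeline_id is the pipeline the requested resource belongs to, resolved by
# the endpoint before the check (for /jobs/:job_id it is the job's pipeline).
Request = Struct.new(:project_id, :pipeline_id, :resource, keyword_init: true)

# True when pipeline_id is root_id itself or reaches root_id by walking the
# parent relation. The visited set guards against a cyclic relation.
def downstream_of?(pipeline_id, root_id, parents = PARENT_PIPELINE)
  seen = Set.new
  while pipeline_id && !seen.include?(pipeline_id)
    return true if pipeline_id == root_id

    seen << pipeline_id
    pipeline_id = parents[pipeline_id]
  end
  false
end

# Returns [allowed, reason]. Sensitive resources are rejected first so that no
# scope setting can ever widen access to them.
def authorize_job_token(token, request, scope: :project)
  return [false, :sensitive_resource] if SENSITIVE_RESOURCES.include?(request.resource)
  return [false, :unknown_resource] unless METADATA_RESOURCES.include?(request.resource)
  return [false, :project_mismatch] unless token.project_id == request.project_id

  case scope
  when :project
    [true, :ok]
  when :pipeline
    if downstream_of?(request.pipeline_id, token.pipeline_id)
      [true, :ok]
    else
      [false, :pipeline_mismatch]
    end
  else
    [false, :unknown_scope]
  end
end

if __FILE__ == $PROGRAM_NAME
  token = JobToken.new(project_id: 42, pipeline_id: 100)
  [
    Request.new(project_id: 42, pipeline_id: 100, resource: :bridges),   # route 1
    Request.new(project_id: 42, pipeline_id: 101, resource: :jobs),      # route 2, child pipeline
    Request.new(project_id: 42, pipeline_id: 200, resource: :jobs),      # unrelated pipeline
    Request.new(project_id: 7,  pipeline_id: 100, resource: :job),       # other project
    Request.new(project_id: 42, pipeline_id: 100, resource: :variables)  # must stay denied
  ].each do |req|
    puts "#{req.to_h} -> #{authorize_job_token(token, req, scope: :pipeline).inspect}"
  end
end
```

The ordering of the checks is the security-relevant part: the sensitive-resource refusal sits before the scope logic, so a later change that relaxes `:project` to something broader cannot accidentally expose variables or traces. The unrelated pipeline 200 is allowed under `:project` scope and denied under `:pipeline` scope, which is the trade-off the issue's two wordings (project-scoped setting versus "current pipeline" metadata) would have to settle.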
