Group access token as codeowners after expiration

We are trying to roll out codeowners in our codebase (approximately 2500 projects), and are running into some issues when it comes to a bot. We'd like to have a webhook running that auto-approves merge requests matching certain criteria (e.g. MRs created by a dependency bot). This webhook uses a group access token for authentication.

The problem we foresee is that the bot username needs to be added manually to each project's codeowners file. This username changes every time the group access token is regenerated (so at least every year). At that point we would need to go over every single codeowners file in our codebase and update it with the new username of this bot, which, given the number of repositories, would be a lot of work.

We have considered several possible alternatives:

  • create a separate top-level group in GitLab that only contains a few group access tokens and no normal users. Then we can set this group as codeowners instead of the bot username. This group would then need to be invited to every single project (as it's not possible to invite the group to a single parent group of all these projects); this would require more automation. Additionally, we would get no notifications about expiring tokens, as there are no owners of the separate group (they would then also be considered codeowners).
  • create a normal user that is a bot: we would really prefer not to pay license costs for a bot.
  • manually update the expires_at column of the personal_access_tokens table in the GitLab database (yay for self-hosted): this might work, but is obviously completely unsupported by GitLab, as we're manually editing the database.

We cannot simply use the parent group as codeowners, as that means we will end up with far too many codeowners per project for it to be a useful feature. Codeowners should be the actual people capable of reviewing changes to a project.

One method that is currently impossible would be rotating a group access token. This would keep the same username/user id but create a new token that is again valid for the next period.

I wonder how GitLab itself manages such workflows? Do you just create a normal user, as GitLab (probably) does not need to pay license costs to itself? Right now, having a bot as codeowner seems very hard to do at scale.

Edited by Bert Helderman