CI_JOB_TOKEN allowlist for protected branches
Summary
We are using semantic-release within our pipelines.
Sadly, CI_JOB_TOKEN is unable to push to protected branches (which is essentially what creating a release tag does) when "No one" is selected in the "Allowed to push and merge" field.
The workaround is to create a project access token (with, say, the Developer role), allowlist that bot user in the field mentioned above, and add a CI/CD variable called GL_TOKEN.
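The workaround described above, as an added example (not part of the original issue): a `.gitlab-ci.yml` release job that lets semantic-release push the release tag with the project access token stored in GL_TOKEN rather than with CI_JOB_TOKEN. The job name, stage and image are assumptions; GL_TOKEN itself is not defined in the YAML but as a masked, protected CI/CD variable in the project settings, and the token's bot user must be listed under "Allowed to push and merge" on the protected branch.

```yaml
# Added example, not the issue's or GitLab's own configuration.
# Assumes: a project access token (Developer role) whose bot user is allowed to
# push to the protected default branch, stored as a masked + protected CI/CD
# variable named GL_TOKEN. @semantic-release/gitlab reads GL_TOKEN from the
# environment, so nothing token-related appears in this file.

stages:
  - release            # assumed stage name

release:
  stage: release
  image: node:20       # assumed image; any image providing node/npx works
  rules:
    # Run only on the protected default branch, never on merge requests or
    # feature branches, so GL_TOKEN (a protected variable) is available and
    # the tag lands where it belongs.
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  variables:
    GIT_DEPTH: 0       # full history, semantic-release needs it to find the last release
  script:
    - npx semantic-release
```

Because GL_TOKEN is a protected variable, it is only injected into jobs on protected branches or tags, which limits exposure to pipelines that a Developer cannot trigger from an arbitrary branch; the rotation burden the next section describes still applies whenever someone who could read the variable leaves.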
Why this matters and how we measure
By default, PATs expire after a year, so these steps need to be redone periodically. From the security perspective, the token also needs to be rotated whenever a person with access to the value of the variable leaves the company. That person usually has access to more than one project. I know a workaround is to use group access tokens or a (license-consuming) system user account with a personal access token, but rotation is still needed in both cases.
So a valid metric is the number of manual tasks needed to switch the variables' values.
Proposal
In the CI/CD settings' Job token permissions section, add another field, "allow git push to protected branches with $dropdownmenu_permission", and show this also in the Protected branches' "Allowed to push and merge" field. By default, the Guest role is pre-selected.
Performance Considerations
Out of Scope
Acceptance Criteria
- CI_JOB_TOKEN can push into protected branches with pre-configured permission
Additional details
Some relevant technical details, if applicable, such as:
- Does this need a feature flag?
- Does there need to be an associated instrumentation issue created related to this work?
- Is there an example response showing the data structure that should be returned (new endpoints only)?
- What permissions should be used?
- Which tier(s) is this for?
- Additional comments:
Implementation Table
| Group | Issue Link |
|---|---|
| backend | |
| frontend | Issue Title |
| documentation | Issue Title |
| Instrumentation | Issue Title |