[GTM Team Updates for Customers] Job Token Allowlist Migration
Description
In GitLab 18.0, all projects must be on the CI job token allowlist for cross-project authorization. This setting will be enabled by default on GitLab.com, Self-Managed, and Dedicated. To prepare for this change, the GitLab team encourages you to use available migration tools to populate and enable enforcement in advance (available in 17.10).
In 18.0 GitLab will use the data from authentication logs to automate population of project allowlists along with general enforcement. The allowlist is limited to 200 items (projects and groups) for each project. To ensure our automation stays within the 200 item limit, we will consolidate multiple projects under a single group to a group entry.
We have noticed you have at least one customer who has at least one project with over 200 CI job token authentications. To stay within this limit, we recommend adding the applicable group(s) to the project allowlists to reduce the amount of operational maintenance, or the need to reduce cross-project authentications to 200 projects only.
When you have completed your allowlist, we recommend turning on enforcement of the allowlist. This will ensure additional GitLab automation is bypassed in 18.0.
You can do this by going to: Settings -> Ci/CD -> Job token permissions and selecting the below
Why am I tagged in this issue and why did I receive a slack in #cab-offboarding-FY25?
Your customer has been highlighted with over 200+ job token authentications. Customer list noted here Search your name in column B or C.
ASK: Please utilize the template below to reach out to your customer on next steps to prep for this migration.
Why isn't another team sending this email?
Currently, we have engaged with the CS Comms team to also have these details sent in our customer facing newsletter at the end of February as well as through our standard mechanisms of communication. We are asking for the help of AEs/CSMs to call attention to this change, especially since in these customer facing roles you have a relationship with your customers, minimizing the chance of this announcement not being recognized by customers who it impacts.
Next Steps
1. Review affected customer account here (search your name in column B or C, your customer name can be found in column A) 2. Connect with your customer giving them a visibility into this upcoming change by March 7th, 2025 3. Use this body text as a guide for content and personalize for your customer + voice:
Subject: Migration tools are now available for your team!
In GitLab 18.0, all projects must be on the CI job token allowlist for cross-project authorization. This setting will be enabled by default on GitLab.com, Self-Managed, and Dedicated. To prepare for this change, the GitLab team encourages you to use available migration tools to populate and enable enforcement in advance (available in 17.10).
In 18.0 GitLab will use the data from authentication logs to automate population of project allowlists along with general enforcement. The allowlist is limited to 200 items (projects and groups) for each project. To ensure our automation stays within the 200 item limit, we will consolidate multiple projects under a single group to a group entry.
We have noticed you have at least one project with over 200 CI job token authentications. To stay within this limit, we recommend adding the applicable group(s) to the project allowlists to reduce the amount of operational maintenance, or the need to reduce cross-project authentications to 200 projects only.
When you have completed your allowlist, we recommend turning on enforcement of the allowlist. This will ensure additional GitLab automation is bypassed in 18.0.
You can do this by going to: Settings -> Ci/CD -> Job token permissions and selecting the below
- Send them to this Depreciation and Migration page for more details
If you have any additional questions, please add them in the comments below!