[Research]: Discovery and prioritization of new permissions for job tokens

Background

The job token can access only a limited set of resources, which often forces customers to fall back on long-lived credentials such as PATs or GrPATs. This is not an ideal security practice, and GitLab should identify what would attract customers to ephemeral tokens that fit their CI/CD workflows.

Discovery

  1. Connect with customers to better understand what pushed them to skip using job tokens.
  2. Use data instrumentation and analysis to identify which resources are being called from CI/CD workflows.
  3. Review bots that run in pipelines and identify common resource usage.

Prioritization

  1. Based on the data analysis and interviews, identify the critical permissions to implement in order to increase usage of job tokens.
  2. Understand the engineering effort required to add resources to the existing fine-grained permissions framework for job tokens.

Considerations

  Below are items to consider when starting this effort:
  • Token consolidation status
  • Policy framework status
Edited by Joe Randazzo