Explore replacing project access tokens with CI/CD job tokens for Git push operations (GitLab 18.4 feature)

Summary

GitLab 18.4 introduced the ability for CI/CD job tokens to authenticate Git push requests. This presents an opportunity to replace existing project access tokens used for Git push operations in our pipelines with the more secure CI/CD job token approach.

Background

Current Project Access Tokens for Git Push

Based on our pipeline documentation, we currently use:

  • AS_IF_FOSS_TOKEN - for pushing as-if-foss/* branches
  • AS_IF_JH_TOKEN - for pushing as-if-jh/* branches
  • (Potentially others - needs investigation)

Benefits of Migration

  • Enhanced security: Job tokens have limited scope and lifetime
  • Reduced token management overhead
  • Better alignment with GitLab's security best practices
  • Elimination of long-lived tokens where possible

Tasks

  • Audit all current project access tokens used for Git push operations in gitlab-org/gitlab
  • Identify which tokens can be replaced with CI/CD job tokens
  • Test the new job token authentication for Git push in a safe environment
  • Create migration plan for each identified token
  • Update pipeline configurations
  • Update documentation

Additional Context

This issue was created as part of dogfooding the new GitLab 18.4 feature to improve our own security posture and serve as an example for our users.

Edited by 🤖 GitLab Bot 🤖
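
For the audit task above, one way to list which token variable each pipeline line uses for Git push. This is an added example, not code from the issue or from the gitlab-org/gitlab pipelines. The function name audit_push_tokens, the sample jobs, host, paths and OLD_TOKEN are constructed assumptions; only AS_IF_FOSS_TOKEN and AS_IF_JH_TOKEN are taken from the issue.

```python
import re

# HTTPS remote with a CI/CD variable as the password:
#   https://user:$VAR@host  or  https://user:${VAR}@host
CRED_URL = re.compile(r"https://[^\s:/@]+:\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?@")
# Git commands that push, or that define the remote later pushed to.
GIT_CMD = re.compile(r"\bgit\s+(push|remote\s+(?:add|set-url))\b")

# Constructed sample pipeline (hypothetical jobs, host and paths).
SAMPLE_CI = """\
push-as-if-foss:
  script:
    - git remote add foss "https://oauth2:${AS_IF_FOSS_TOKEN}@gitlab.example.com/group/foss-mirror.git"
    - git push foss "HEAD:refs/heads/as-if-foss/${CI_COMMIT_REF_NAME}"
push-as-if-jh:
  script:
    # - git push "https://oauth2:${OLD_TOKEN}@gitlab.example.com/group/old.git" HEAD
    - git push "https://oauth2:$AS_IF_JH_TOKEN@gitlab.example.com/group/jh-mirror.git" HEAD
push-self:
  script:
    - git push "https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/${CI_PROJECT_PATH}.git" HEAD:main
"""


def audit_push_tokens(ci_text):
    """Return (line_no, git_command, variable, status) for every git
    push/remote line that embeds a variable as the HTTPS password."""
    findings = []
    for line_no, line in enumerate(ci_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # skip commented-out commands
            continue
        cmd = GIT_CMD.search(line)
        cred = CRED_URL.search(line)
        if not (cmd and cred):
            continue
        var = cred.group(1)
        # Anything other than the job token is a stored secret to review.
        status = "job-token" if var == "CI_JOB_TOKEN" else "migration-candidate"
        findings.append((line_no, " ".join(cmd.group(1).split()), var, status))
    return findings


if __name__ == "__main__":
    for finding in audit_push_tokens(SAMPLE_CI):
        print(*finding, sep="\t")
```

The scan only sees credentials written inline in an HTTPS remote URL on a single line; tokens supplied through a credential helper, an included template, or a wrapper script need a separate check.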