Frontend: migrate to new secrets permissions endpoints
This is blocked by 2 MRs before we can proceed:
- Update/Delete Group Secret Permissions #577341 (closed)
- Delete/List endpoints MR !214500 (merged)
- Merge create and update permission into one in Gitlab Secrets manager #582213
- !214715 now open but blocked by Delete/List endpoints MR.
Problem Statement
The backend has introduced new GraphQL endpoints for secrets permissions under the ProjectSecretsPermissions and GroupSecretsPermissions namespaces. The frontend currently uses the old Permissions namespace endpoints which will be deprecated.
Additionally, the new endpoints introduce several breaking changes: the actions field (replacing permissions), merged create/update into single UPDATE action, group_path for Group principals (instead of numeric id), and renamed response payload keys.
Scope
Migrate the frontend to use the new secrets permissions endpoints for both project and group secrets.
Backend Endpoints Available
Group Secrets Permissions (already available):
-
✅ Mutation:groupSecretsPermissionUpdate -
✅ Mutation:groupSecretsPermissionDelete -
✅ Query:group.secretsPermissions
Project Secrets Permissions (added in !214715):
-
🔄 Mutation:projectSecretsPermissionUpdate(will replacesecretsPermissionUpdate) -
🔄 Mutation:projectSecretsPermissionDelete(will replacesecretsPermissionDelete) -
🔄 Query:project.secretsPermissions(will replacesecretPermissionsquery)
Required Frontend Changes
1. Update GraphQL Queries/Mutations
For Group Secrets Permissions:
- Migrate from: N/A (new feature)
- Migrate to:
groupSecretsPermissionUpdate,groupSecretsPermissionDelete,group.secretsPermissions
For Project Secrets Permissions:
- Migrate from:
secretsPermissionUpdate,secretsPermissionDelete,secretPermissions - Migrate to:
projectSecretsPermissionUpdate,projectSecretsPermissionDelete,project.secretsPermissions
2. Handle Renamed Response Payload Keys
Current behavior (old endpoints):
- Response key:
secretPermission(singular)
New behavior (new endpoints):
- Response key:
secretsPermission(plural - emphasis on "secrets")
Frontend changes needed:
- Update all response handlers to use
secretsPermissioninstead ofsecretPermission - Example:
response.data.groupSecretsPermissionUpdate.secretsPermission
3. Handle actions Field Instead of permissions
Current behavior (old endpoints):
- Mutations accept:
permissions: ["read", "create", "update", "delete"](array of strings) - Query returns:
permissions: "read,create,update,delete"(stringified, needs parsing) - Separate
createandupdatepermissions (both required to create a secret)
New behavior (new endpoints):
- Mutations accept:
actions: [READ, UPDATE, DELETE](enum values) - Query returns:
actions: ["read", "update", "delete"](array, no parsing needed) -
createandupdatemerged into singleUPDATEaction - users withUPDATEcan both create and update secrets
Frontend changes needed:
- Update mutation inputs to use
actionsinstead ofpermissions - Replace
["create", "update"]with singleUPDATEaction - Update query responses to read
actionsinstead ofpermissions - Remove string parsing logic for permissions
- Update UI to show
UPDATEaction instead of separate create/update checkboxes
4. Use group_path for Group Principals
Current behavior (old endpoints):
- Group principals use numeric
id:principal: { id: 123, type: "GROUP" }
New behavior (new endpoints):
- Group principals use
group_path:principal: { groupPath: "my-org/sub-group", type: "GROUP" } - Other principal types (User, Role, MemberRole) continue using
id
Frontend changes needed:
- Replace dropdown for selecting groups with a text input for entering group path
- Validate group path format on the frontend
- Update mutation calls to use
groupPathinstead ofidfor Group principals - Keep using
idfor User, Role, and MemberRole principals
5. Update UI Components
Components to update:
- Secrets permissions management page/modal
- Permission creation form
- Permission listing/table
- Permission deletion confirmation
Specific changes:
- Change "Permissions" label to "Actions" in the UI
- Update action options:
READ,UPDATE(combined create/update),DELETE - Update group principal input from dropdown to text field with placeholder: "Enter group path (e.g., my-org/sub-group)"
- Update action display to show as badges/chips
- Handle both project and group contexts appropriately
GraphQL Examples
Group Secrets Permission - Update
mutation {
groupSecretsPermissionUpdate(input: {
groupPath: "my-group"
principal: {
groupPath: "my-org/sub-group" # For Group principals
type: GROUP
}
actions: [READ, UPDATE, DELETE] # Note: UPDATE replaces create+update
expiredAt: "2025-12-31"
}) {
secretsPermission { # Note: plural "secrets"
group {
fullPath
}
principal {
id
type
}
actions
grantedBy {
username
}
expiredAt
}
errors
}
}Group Secrets Permission - Delete
mutation {
groupSecretsPermissionDelete(input: {
groupPath: "my-group"
principal: {
id: 123 # For User principals
type: USER
}
}) {
secretsPermission { # Note: plural "secrets"
principal {
id
type
}
}
errors
}
}Group Secrets Permission - List
query {
group(fullPath: "my-group") {
secretsPermissions {
nodes {
principal {
id
type
}
actions # Now returns actual array: ["read", "update", "delete"]
grantedBy {
username
}
expiredAt
}
}
}
}Acceptance Criteria
-
Frontend uses new groupSecretsPermissionUpdate,groupSecretsPermissionDelete, andgroup.secretsPermissionsendpoints -
Frontend uses new projectSecretsPermissionUpdate,projectSecretsPermissionDelete, andproject.secretsPermissionsendpoints -
Response handlers use secretsPermission(plural) instead ofsecretPermission -
UI displays "Actions" instead of "Permissions" -
UI shows three action options: READ,UPDATE,DELETE(not four) -
Group principal selection uses text input for group_path -
Old endpoints are no longer referenced in frontend code -
All existing functionality continues to work
Edited by Erick Bajao