Add instance setting to enforce CI job token scope

What does this MR do and why?

Implements #496647 (closed)

This adds the UI for the instance-level admin setting that allows users to enforce the allowlist for CI job tokens. When this is enforced, users cannot change the project's allowlist settings from the project settings.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Admin > Settings > CI/CD

Screenshot_2024-10-22_at_16.44.50

Project > Settings > CI/CD

Allowlist enforced: Screenshot_2024-10-24_at_12.37.07
Not enforced: Screenshot_2024-10-24_at_12.37.42

How to set up and validate locally

Enabling the admin setting

  1. Go to Admin > Settings > CI/CD > Job token permissions
  2. Enable the "Only this project and any groups and projects in the allowlist" setting checkbox

View the allowlist

  1. Go to your project's CI/CD settings
  2. Under Job token permissions, the options for Authorized groups and projects will be hidden if the allowlist is enforced from admin. Otherwise, the user is able to update the settings from here.
Edited by Mireya Andres
