Consolidate secure tokens feature flags

What does this MR do and why?

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Pick any project that you are an owner of. In the rails console, turn on the feature flags:

     Feature.enable(:ci_job_token_jwt)
     Feature.enable(:add_policies_to_ci_job_token, project)

  2. Then, navigate to the project's Settings > CI/CD and expand Job token permissions. Click on Add group or project and add another project with the following configuration:

[Image: configuration]

  3. In the allowlisted project, navigate to Build > Pipeline editor and update the .gitlab-ci.yml as follows. If you are unable to see the Pipeline editor, apply the following diff:

diff --git a/ee/app/models/license.rb b/ee/app/models/license.rb
index faf94da7b2f2..60e54f0b5057 100644
--- a/ee/app/models/license.rb
+++ b/ee/app/models/license.rb
@@ -73,7 +73,8 @@ def all_plans
     end
 
     def block_changes?
-      !!current&.block_changes?
+      false
     end
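
Review bot: in `block_changes?` the new body is a bare `false`, which discards the `current&.block_changes?` lookup, so the method reports that changes are never blocked regardless of the current license. The surrounding step offers this only as a local workaround when the Pipeline editor is not visible, so add a comment on that line saying it is for local validation only and revert it before pushing, so the override cannot land together with the feature-flag change.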

stages:
- build

build-job:
  stage: build
  script:
  - curl --verbose --request GET --form "token=$CI_JOB_TOKEN" "http://127.0.0.1:3000/api/v4/projects/<PROJECT_ID_FROM_STEP_1>/environments"
  - curl --verbose --request GET --form "token=$CI_JOB_TOKEN" "http://127.0.0.1:3000/api/v4/projects/<PROJECT_ID_FROM_STEP_1>/secure_files"

  4. Then, create a runner in the project to be able to run pipelines.

  5. Then, go to Build > Pipelines and click on New pipeline. Open the jobs in the pipeline and you should see the data for environments since we gave the job token read access, but you should see a 403 for secure files:

[Screenshot: Screenshot_2025-01-20_at_6.14.31_pm]

  6. Lastly, disable the feature flag:

     Feature.disable(:add_policies_to_ci_job_token, project)

  7. Re-run the job and you should get data for secure files.
Edited by Hinam Mehra
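
The two requests from the job script above, turned into a pass/fail status check. This is an added example, not part of the merge request. The function names and the GITLAB_URL and PROJECT_ID variables are assumptions, and "data" is taken to mean HTTP 200.

```shell
#!/bin/sh
# Added example: asserts the HTTP status codes described in the validation steps.
# Assumed variables: GITLAB_URL (defaults to the page's local instance),
# PROJECT_ID (the project from step 1), CI_JOB_TOKEN (set by the CI job).

# http_status URL: prints the status code of a GET made with the job token,
# using the same --form "token=..." parameter as the page's curl commands.
http_status() {
  curl --silent --output /dev/null --write-out '%{http_code}' \
    --request GET --form "token=$CI_JOB_TOKEN" "$1"
}

# expect_status NAME EXPECTED URL: returns 0 when the status matches, 1 otherwise.
expect_status() {
  actual=$(http_status "$3")
  if [ "$actual" = "$2" ]; then
    echo "PASS $1: $actual"
  else
    echo "FAIL $1: expected $2, got $actual"
    return 1
  fi
}

# check_job_token_policies enabled|disabled
# The argument is the state of the add_policies_to_ci_job_token flag.
#   enabled:  environments readable, secure_files rejected with 403
#   disabled: secure_files readable; environments assumed to stay readable
check_job_token_policies() {
  base="${GITLAB_URL:-http://127.0.0.1:3000}/api/v4/projects/$PROJECT_ID"
  case "$1" in
    enabled)  secure_files_expected=403 ;;
    disabled) secure_files_expected=200 ;;
    *) echo "usage: check_job_token_policies enabled|disabled" >&2; return 2 ;;
  esac
  rc=0
  expect_status environments 200 "$base/environments" || rc=1
  expect_status secure_files "$secure_files_expected" "$base/secure_files" || rc=1
  return $rc
}

# Usage inside the job script, after sourcing this file:
#   check_job_token_policies enabled
```

A non-zero return fails the job, so a policy that stops being enforced shows up as a red pipeline instead of something to spot in the verbose curl output.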
