
Disable Limit CI_JOB_TOKEN access scope feature based on a feature flag

Needs to be merged before May 1st because of the breaking-changes window dependency

Why this MR?

  • To tackle this issue - #383084 (closed)
  • We have previously deprecated the Limit Project job token access scope feature. Now we need to completely disable and remove it.
  • The goal of this MR is to just safely disable the Limit CI_JOB_TOKEN access scope feature controlled by a feature flag. When we enable the feature flag introduced in this MR, the feature will be disabled.
  • We DO NOT tackle the removal of code related to the feature in this MR. It will be tackled later in a cleanup issue

What does this MR do?

  • Created a new feature flag remove_limit_ci_job_token_scope

  • Deprecated two GQL fields related to this feature. Not sure why these two fields were NOT deprecated while we deprecated other GQL fields related to this feature a while back.

  • If the feature flag is enabled, the Limit CI_JOB_TOKEN access scope feature will be disabled, i.e.:

    • In the backend, we always return true when checking outbound accessibility of CI_JOB_TOKEN
    • In the frontend, we hide the section in the UI that displays the outbound allowlist
  • Updated the documentation section of the Limit CI_JOB_TOKEN access scope feature to add information about the feature flag that disables it

  • Feature Flag rollout issue

References

Screenshots

Before (feature flag disabled): CI_JOB_TOKEN access LIMITED; the outbound allowlist section is shown (Screenshot_2025-04-24_at_18.33.18)
After (feature flag enabled): CI_JOB_TOKEN access NOT LIMITED; the outbound allowlist section is hidden (Screenshot_2025-04-24_at_18.36.25)

How to set up and validate locally

  1. Pull this branch to your local machine
  2. Create 2 projects, source_project and target_project, within the same user/group namespace
  3. Add source_project to the inbound allowlist of target_project
  4. For source_project create a pipeline with the following content
     stages:
       - clone
     build-job:
       stage: clone
       script:
         - echo "Cloning started"
         - git clone http://gitlab-ci-token:${CI_JOB_TOKEN}@gdk.test:3000/path-of-target-project
         - echo "Cloning complete"
  5. This pipeline will succeed
  6. Now enable the outbound job token scope for source_project by running the following in the Rails console
     source_project.ci_cd_settings.update(job_token_scope_enabled: true)
  7. Run the pipeline again; it will fail because the outbound scope of the job token is now limited
  8. In the Rails console enable the feature flag
     Feature.enable(:remove_limit_ci_job_token_scope)
  9. Wait a few seconds for the cache to clear and run the pipeline again; it will now succeed because the limiting feature is disabled
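To make the access decision behind steps 5, 7 and 9 explicit, here is an added example (not GitLab's own code) that models the job token scope check as this MR describes it: the outbound check on the source project is short-circuited to true when the remove_limit_ci_job_token_scope flag is enabled, while the target project's inbound allowlist is untouched. The Project and JobTokenScope classes, the in-memory Feature module and the project paths are hypothetical stand-ins constructed for the example; only the behaviour stated in the MR is modelled.

```ruby
# Added example, not GitLab code: a minimal model of the CI_JOB_TOKEN scope
# decision as described in this MR. Class and method names are hypothetical.
require 'set'

# Hypothetical in-memory stand-in for GitLab's Feature flag store.
module Feature
  @enabled = Set.new

  def self.enable(name)
    @enabled << name.to_sym
  end

  def self.disable(name)
    @enabled.delete(name.to_sym)
  end

  def self.enabled?(name)
    @enabled.include?(name.to_sym)
  end
end

# Hypothetical project: path, both allowlists and the ci_cd_settings toggles.
Project = Struct.new(:path, :inbound_allowlist, :outbound_allowlist, :ci_cd_settings,
                     keyword_init: true) do
  def self.build(path)
    new(path: path, inbound_allowlist: Set.new, outbound_allowlist: Set.new,
        ci_cd_settings: { job_token_scope_enabled: false,
                          inbound_job_token_scope_enabled: true })
  end
end

class JobTokenScope
  # source: the project whose pipeline job owns the CI_JOB_TOKEN being used
  def initialize(source:)
    @source = source
  end

  # Outbound check ("Limit CI_JOB_TOKEN access" on the source project).
  # With the MR's flag enabled this always returns true, as the MR states.
  def outbound_accessible?(target)
    return true if Feature.enabled?(:remove_limit_ci_job_token_scope)
    return true unless @source.ci_cd_settings[:job_token_scope_enabled]

    target == @source || @source.outbound_allowlist.include?(target.path)
  end

  # Inbound check (target project's allowlist) is not changed by the MR.
  def inbound_accessible?(target)
    return true unless target.ci_cd_settings[:inbound_job_token_scope_enabled]

    target == @source || target.inbound_allowlist.include?(@source.path)
  end

  # Access is granted only when both directions allow it.
  def accessible?(target)
    inbound_accessible?(target) && outbound_accessible?(target)
  end
end

# Replays the validation steps from the MR with constructed projects and
# returns the outcome of each step.
def walkthrough
  Feature.disable(:remove_limit_ci_job_token_scope)
  source = Project.build('group/source_project')
  target = Project.build('group/target_project')
  target.inbound_allowlist << source.path                     # step 3
  scope = JobTokenScope.new(source: source)

  results = {}
  results[:step5] = scope.accessible?(target)                 # outbound limit off: allowed
  source.ci_cd_settings[:job_token_scope_enabled] = true      # step 6
  results[:step7] = scope.accessible?(target)                 # target not in outbound list: denied
  Feature.enable(:remove_limit_ci_job_token_scope)            # step 8
  results[:step9] = scope.accessible?(target)                 # flag bypasses outbound check: allowed

  # The inbound allowlist still blocks a project the target never allowlisted.
  stranger = Project.build('group/stranger')
  results[:inbound_still_enforced] = !JobTokenScope.new(source: stranger).accessible?(target)
  results
end

p walkthrough if $PROGRAM_NAME == __FILE__
```

The last line of the walkthrough is the check worth keeping in mind when enabling the flag: disabling the outbound limit widens what a job token may reach from the source side only; a target project that has not allowlisted the source still rejects the token.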

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Jayakrishnan Mallissery
