Exclude deleted projects from job token authorization logs graphql and csv export service

Related: https://gitlab.com/gitlab-org/gitlab/-/issues/560082

What does this MR do and why?

Since the background job responsible for handling the foreign key on ci_job_token_authorizations runs asynchronously and with some delay, the UI for CiJobTokenAuthLog can appear broken in the meantime.

As a result, the GraphQL query for auth logs fails with the error: "Cannot return null for non-nullable field CiJobTokenAuthLog.originProject"

This MR does the following:

  • Excludes deleted or non-existent projects from JobTokenAuthLogsResolver.
  • Excludes deleted or non-existent projects from Ci::JobToken::ExportAuthorizationsService used for the CSV download link.

How to set up and validate locally

  • Create 2 projects, project_a and project_b
  • In project_a, add project_b to the allowlist
  • Use project_b's CI_JOB_TOKEN to fetch anything from project_a
  • Make sure that project_b shows up in the CI_JOB_TOKEN auth logs for project_a
  • Delete project_b from the instance
  • Now try to see the CI_JOB_TOKEN auth logs for project_a again

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Dmytro Biryukov
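
A minimal Ruby model of the failure and of the filtering described in this MR, added here as an illustration and not taken from the GitLab code base. The struct, method and column names, the third project (project_c) and all sample rows are constructed for the example.

```ruby
# Constructed model: project_b (id 2) has been deleted, but the asynchronous
# foreign-key cleanup has not yet removed its authorization row.
Project = Struct.new(:id, :full_path)
Authorization = Struct.new(:accessed_project_id, :origin_project_id, :last_authorized_at)

PROJECTS = {
  1 => Project.new(1, "group/project_a"),
  3 => Project.new(3, "group/project_c")
}.freeze

AUTHORIZATIONS = [
  Authorization.new(1, 2, "2025-06-26T09:30:00Z"), # dangling row: origin deleted
  Authorization.new(1, 3, "2025-06-25T10:00:00Z")
].freeze

class NonNullableFieldError < StandardError; end

# Stands in for a non-nullable GraphQL field: one nil origin project
# fails the whole query instead of returning a partial list.
def serialize_log(auth)
  origin = PROJECTS[auth.origin_project_id]
  if origin.nil?
    raise NonNullableFieldError,
          "Cannot return null for non-nullable field CiJobTokenAuthLog.originProject"
  end
  { origin_project: origin.full_path, last_authorized_at: auth.last_authorized_at }
end

# Before: every row for the accessed project is serialized.
def auth_logs_unfiltered(project_id)
  AUTHORIZATIONS.select { |a| a.accessed_project_id == project_id }
                .map { |a| serialize_log(a) }
end

# After: rows whose origin project no longer exists are dropped first.
# The same filtered set feeds both the log view and the export.
def rows_with_existing_origin(project_id)
  AUTHORIZATIONS.select do |a|
    a.accessed_project_id == project_id && PROJECTS.key?(a.origin_project_id)
  end
end

def auth_logs(project_id)
  rows_with_existing_origin(project_id).map { |a| serialize_log(a) }
end

def export_rows(project_id)
  header = %w[origin_project_path last_authorized_at] # constructed column names
  [header] + rows_with_existing_origin(project_id).map { |a| serialize_log(a).values }
end
```
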
