Add granular pats decorator for lint REST endpoints

What does this MR do and why?

Make the following endpoints compliant with granular PATs:

GET /projects/:id/ci/lint
POST /projects/:id/ci/lint

References

#575288

Screenshots or screen recordings

How to set up and validate locally

  1. In Rails console, create a granular PAT for a user and copy a URL to create an issue with the token:
     ```ruby
     # Enable feature flag
     Feature.enable(:authorize_granular_pats)

     user = User.first

     # Create granular token
     token = PersonalAccessTokens::CreateService.new(
       current_user: user,
       target_user: user,
       organization_id: user.organization_id,
       params: { expires_at: 1.month.from_now, scopes: ['granular'], granular: true, name: 'gPAT' }
     ).execute[:personal_access_token]

     # Get a project
     project = user.projects.first

     # Grant the token the read_ci_config permission on that project's namespace
     project_scope = Authz::GranularScope.new(namespace: project.project_namespace, permissions: [:read_ci_config])

     Authz::GranularScopeService.new(token).add_granular_scopes(project_scope)

     # Copy a curl command for the CI lint endpoint to the clipboard (pbcopy is macOS-only)
     IO.popen('pbcopy', 'w') { |f| f.puts "curl http://#{Gitlab.host_with_port}/api/v4/projects/#{project.id}/ci/lint -X GET -H \"PRIVATE-TOKEN: #{token.token}\"" }
     ```
  2. Paste the URL in another terminal. It should succeed.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #575287

Edited by Ayush Billore
