GraphQL: Add token expiry params to runnerCreate mutation (EE)
What does this MR do and why?
Adds tokenExpiresAt and tokenRotationDeadline arguments to the runnerCreate GraphQL mutation and exposes tokenRotationDeadline on the CiRunner type. This is an EE-only feature.
The existing tokenExpiresAt field is already exposed on the CiRunner type (CE), so the mutation argument is added as a stable field. tokenRotationDeadline is new and marked as experimental.
The arguments pass through to CreateRunnerService which handles validation and assignment via the EE service prepend.
New mutation arguments
| Argument | Type | Required | Experimental | Description |
|---|---|---|---|---|
tokenExpiresAt |
Time |
No | No | Token expiration time (ISO 8601). Must be between 5 minutes and 15 days in the future, and cannot exceed instance/group/project limits. |
tokenRotationDeadline |
Time |
No | Yes | Deadline for token rotation (ISO 8601). Requires tokenExpiresAt. Must be <= tokenExpiresAt. Setting both to the same value disables rotation. |
New CiRunner type field
| Field | Type | Experimental | Description |
|---|---|---|---|
tokenRotationDeadline |
Time |
Yes | Deadline after which token rotation is rejected. Guarded by read_runner_sensitive_data. |
Key changes
-
ee/app/graphql/ee/mutations/ci/runner/create.rb-- addstokenExpiresAt(stable) andtokenRotationDeadline(experimental) arguments to therunnerCreatemutation -
ee/app/graphql/ee/types/ci/runner_type.rb-- exposestokenRotationDeadlineon theCiRunnertype withauthorize: :read_runner_sensitive_data -
ee/spec/requests/api/graphql/mutations/ci/runner/create_spec.rb-- tests for valid expiration, validation errors (too soon, too far, deadline > expiry, deadline in past, deadline without expiry), response field assertions, and rotation-disabled case
References
- Part of #573604 (closed)
Screenshots or screen recordings
Not applicable -- backend API change only.
How to set up and validate locally
-
Create a runner with token expiration via GraphQL:
mutation { runnerCreate(input: { runnerType: INSTANCE_TYPE, tokenExpiresAt: "2026-03-15T00:00:00Z" }) { runner { id tokenExpiresAt tokenRotationDeadline } errors } }
-
Create a runner with rotation deadline:
mutation { runnerCreate(input: { runnerType: INSTANCE_TYPE, tokenExpiresAt: "2026-03-15T00:00:00Z", tokenRotationDeadline: "2026-03-12T00:00:00Z" }) { runner { id tokenExpiresAt tokenRotationDeadline } errors } } -
Verify validation -- deadline without expiry returns an error:
mutation { runnerCreate(input: { runnerType: INSTANCE_TYPE, tokenRotationDeadline: "2026-03-12T00:00:00Z" }) { runner { id } errors } } -
Run specs:
bundle exec rspec ee/spec/requests/api/graphql/mutations/ci/runner/create_spec.rb
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.