Set `job_token_scope_enabled` to false by default
What does this MR do?
This MR changes the default value of the `job_token_scope_enabled` field in the `project_ci_cd_settings` table to `false`. It also resets the value for all existing rows to `false` EXCEPT when the project has existing job token scope links.
Context
Initially we wanted the default value of the `job_token_scope_enabled` field in the `project_ci_cd_settings` table to be `true` so that new projects would benefit from the enhanced security offered by the job token scope.
However, users have complained that existing workflows that automatically include new projects broke because they were not aware of the job token scope change. Therefore, we are disabling the scope by default until %15.0 and disabling it for all projects that have it enabled but have not created any scope links. The migration preserves the `job_token_scope_enabled = true` state for projects that have scope links because the links must be manually created by users, so their existence demonstrates that those users understand how the job token scope works and they may not want to lose its benefits.
Migrations
rails db:migrate:redo RAILS_ENV=test VERSION=20210902171808
== 20210902171808 SetDefaultJobTokenScopeFalse: reverting =====================
-- change_column_default(:project_ci_cd_settings, :job_token_scope_enabled, {:from=>false, :to=>true})
-> 0.0034s
== 20210902171808 SetDefaultJobTokenScopeFalse: reverted (0.0239s) ============
== 20210902171808 SetDefaultJobTokenScopeFalse: migrating =====================
-- change_column_default(:project_ci_cd_settings, :job_token_scope_enabled, {:from=>true, :to=>false})
-> 0.0064s
== 20210902171808 SetDefaultJobTokenScopeFalse: migrated (0.0100s) ============
rails db:migrate:redo RAILS_ENV=test
== 20210908132335 DisableJobTokenScopeWhenUnused: reverting ===================
== 20210908132335 DisableJobTokenScopeWhenUnused: reverted (0.0000s) ==========
== 20210908132335 DisableJobTokenScopeWhenUnused: migrating ===================
== 20210908132335 DisableJobTokenScopeWhenUnused: migrated (0.0141s) ==========
Feature flag
The feature affected by this work is under the `ci_scoped_job_token` feature flag, which is disabled on production.
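
The rule described under "What does this MR do?" can be checked on a small data set. The following is an added sketch, not the migration code from this MR: it runs an equivalent `UPDATE` against an in-memory SQLite database. The links table `job_token_scope_links`, its columns, and the `project_id` column are assumptions made for the example, and all rows are constructed.

```python
import sqlite3

# Table and column names other than project_ci_cd_settings and
# job_token_scope_enabled are assumptions made for this sketch.
SCHEMA = """
CREATE TABLE project_ci_cd_settings (
    project_id INTEGER PRIMARY KEY,
    job_token_scope_enabled BOOLEAN NOT NULL DEFAULT 0  -- new default: false
);
CREATE TABLE job_token_scope_links (      -- hypothetical links table
    source_project_id INTEGER NOT NULL,
    target_project_id INTEGER NOT NULL
);
"""

# Disable the scope only where it is enabled and no link was ever created.
DISABLE_UNUSED = """
UPDATE project_ci_cd_settings
SET job_token_scope_enabled = 0
WHERE job_token_scope_enabled = 1
  AND NOT EXISTS (
      SELECT 1 FROM job_token_scope_links l
      WHERE l.source_project_id = project_ci_cd_settings.project_id
  );
"""

def run_demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed rows: projects 1-3 were created under the old default (true).
    db.executemany("INSERT INTO project_ci_cd_settings VALUES (?, ?)",
                   [(1, 1), (2, 1), (3, 1), (4, 0)])
    # Only project 2 has a manually created scope link.
    db.execute("INSERT INTO job_token_scope_links VALUES (2, 99)")
    changed = db.execute(DISABLE_UNUSED).rowcount
    # A project created after the migration picks up the new default.
    db.execute("INSERT INTO project_ci_cd_settings (project_id) VALUES (5)")
    state = dict(db.execute(
        "SELECT project_id, job_token_scope_enabled FROM project_ci_cd_settings"))
    db.close()
    return changed, state

if __name__ == "__main__":
    changed, state = run_demo()
    print(f"rows disabled: {changed}")
    for pid, enabled in sorted(state.items()):
        print(f"project {pid}: job_token_scope_enabled={bool(enabled)}")
```

Running the same `NOT EXISTS` condition as a `SELECT` before the update gives the list of projects whose scope will be switched off, which is the set worth reviewing after the migration.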