Allow JOB-TOKEN to perform all release REST API operations
What does this MR do and why?
According to the documentation (https://docs.gitlab.com/ee/api/releases/#authentication), release API operations are possible using either a private or a job token.
This MR adds job token to all API endpoints.
Solves #320950 (closed)
Solves #340018 (closed)
Solves #198779 (closed)
Refs #332146 (closed)
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Activity
Thank you for your contribution to GitLab. We believe that everyone can contribute and contributions like yours are what make GitLab great!
- Our Merge Request Coaches will ensure your contribution is reviewed in a timely manner*.
- If you haven't, please set up a DANGER_GITLAB_API_TOKEN.
- You can comment @gitlab-bot label ~"group::" to add a group label.
- After a few days, feel free to ask @gitlab-bot help or ping a Merge Request Coach.
- Read more on how to get help.
This message was generated automatically. You're welcome to improve it.
added Community contribution label
added 1 commit
- 268d99e5 - Allow job token to perform all release REST API operation
marked the checklist item I have evaluated the MR acceptance checklist for this MR. as completed
mentioned in issue gitlab-org/quality/triage-reports#5002 (closed)
mentioned in issue gitlab-org/quality/triage-reports#5014 (closed)
added type::feature label
Thanks so much for this MR @guillaume.chauvel!
@sean_carroll could you or someone on your team please review this Community contribution? Thanks!
requested review from @sean_carroll
assigned to @guillaume.chauvel
added section::ops label
- Resolved by Vladimir Shushlin
@nicolewilliams as this is a ~"group::release" community MR, I'll pass it over to you.
requested review from @nicolewilliams and removed review request for @sean_carroll
requested review from @vshushlin and removed review request for @nicolewilliams
- Resolved by Shinya Maeda
Thank you for your contribution, @guillaume.chauvel!
I think we also need to modify tests in https://gitlab.com/gitlab-org/gitlab/-/blob/fc2c4e0d7f5fc8a91d77fe03bc6bdacf8d68c3c9/spec/requests/api/releases_spec.rb#L5-L5 and https://gitlab.com/gitlab-org/gitlab/-/blob/fc2c4e0d7f5fc8a91d77fe03bc6bdacf8d68c3c9/ee/spec/requests/api/releases_spec.rb#L5-L5 to validate that the job token actually works.
I found an example in generic package registry, which can be helpful: https://gitlab.com/gitlab-org/gitlab/-/blob/fc2c4e0d7f5fc8a91d77fe03bc6bdacf8d68c3c9/spec/requests/api/generic_packages_spec.rb#L61-L61
Let me know if you need any help.
@dcouture do you see any security risk in allowing any CI job to create/modify/delete releases?
added 1 commit
- 348bb1d2 - Allow job token to perform all release REST API operations
added 1 commit
- 2c2e70b9 - Allow job token to perform all release REST API operations