
Expose ci_job_token_scope_enabled in job API

What does this MR do and why?

GitLab introduced the ability to secure a workflow by limiting the scope of CI_JOB_TOKEN (#328553 (closed)). This MR adds the status of that option to the /job endpoint.

An example of where this would be used is with a custom executor that seeks to enforce specific limitations on the scope of the token before a job will be accepted. With this, a CI_JOB_TOKEN can be used to verify the setting has been enabled without the need to establish/share a broadly scoped admin-level token.

This modification aims to address #337087 (closed) and only adds the new details to the payload of /jobs when a CI_JOB_TOKEN is being used to retrieve information regarding the job itself. Please note, I'm not completely confident in how I've limited the scope by creating a new JobTokensJob entity. However, it seemed like the best option to limit the scope of modification and avoid causing N+1 issues.

How to set up and validate locally

Note: these steps assume that you already have a functional runner registered with your local GDK:

  1. Via a project's Settings -> CI/CD -> Token Access, enable Limit CI_JOB_TOKEN access.
  2. Create a test .gitlab-ci.yml file:

```yaml
job:
  tags: [local]
  script:
    - |
      curl --header "Authorization: Bearer ${CI_JOB_TOKEN}" "${CI_API_V4_URL}/job" | jq
```

  3. Verify the response:

```json
{
  ...
  "project": {
     "ci_job_token_scope_enabled": true
  }
}
```

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #337087 (closed)
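An executor-side check of the kind the description motivates (a custom executor declining a job unless the project has enabled the token scope limit), as an added example that is not part of this MR or of GitLab's own code. It assumes the payload shape shown in step 3 above; fetch_job, check_job and the sample payloads are constructed here, and a payload without the field is treated as not enabled.

```python
"""Executor-side pre-check built on the field this MR exposes (constructed example)."""
import json
import urllib.request


def fetch_job(api_v4_url: str, job_token: str) -> dict:
    """GET ${CI_API_V4_URL}/job with the job's own CI_JOB_TOKEN, as in the MR's curl step."""
    req = urllib.request.Request(
        f"{api_v4_url.rstrip('/')}/job",
        headers={"Authorization": f"Bearer {job_token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def check_job(job_payload: dict) -> tuple:
    """Decide whether the executor should accept the job.

    Accept only when project.ci_job_token_scope_enabled is the JSON boolean true.
    A missing field fails closed: the MR adds it only when the request was
    authenticated with a CI_JOB_TOKEN, so its absence means the check cannot
    be trusted (wrong token type, or a server without this change).
    Returns (accept, reason) so the executor can log why a job was declined.
    """
    project = job_payload.get("project")
    if not isinstance(project, dict) or "ci_job_token_scope_enabled" not in project:
        return (False, "payload lacks project.ci_job_token_scope_enabled")
    if project["ci_job_token_scope_enabled"] is not True:
        return (False, "project has not enabled 'Limit CI_JOB_TOKEN access'")
    return (True, "CI_JOB_TOKEN scope limit is enabled")


# Constructed sample payloads shaped like the response shown in step 3 above;
# real responses carry many more job fields, which the check ignores.
SAMPLE_ENABLED = {"id": 42, "status": "running",
                  "project": {"ci_job_token_scope_enabled": True}}
SAMPLE_DISABLED = {"id": 43, "status": "running",
                   "project": {"ci_job_token_scope_enabled": False}}
SAMPLE_NO_FIELD = {"id": 44, "status": "running"}

if __name__ == "__main__":
    # Offline walk-through; an executor would call check_job(fetch_job(url, token)).
    for name, payload in [("enabled", SAMPLE_ENABLED), ("disabled", SAMPLE_DISABLED),
                          ("no_field", SAMPLE_NO_FIELD)]:
        accept, reason = check_job(payload)
        print(f"{name}: accept={accept} ({reason})")
```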

Edited by Aleksei Lipniagov
