Add prefix to trigger tokens (!95968) · Merge requests · GitLab.org / GitLab

Dominic Couture requested to merge dcouture-trigger-prefix into master Aug 22, 2022

What does this MR do and why?

This MR adds a prefix to the pipeline trigger tokens to make them easier to detect and prevent incidents. See #371396 (comment 1070889693) if you're thinking "won't that also make the tokens easier to find for attackers?" (which is a reasonable thought to have!)

Screenshots or screen recordings

First token was created before the change, second was created after. Both should work.

(those are tokens for my local instance and already revoked)

How to set up and validate locally

Go to a project's CI/CD settings
Create a trigger under the Pipeline Trigger section
Observe that the trigger has the glptt- prefix

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Edited Aug 22, 2022 by Dominic Couture

Add prefix to trigger tokens

What does this MR do and why?

Screenshots or screen recordings

How to set up and validate locally

MR acceptance checklist

Merge request reports