Add prefix to deploy tokens
Much like Personal Access Tokens with the `glpat-` prefix, adding a prefix to deploy tokens would make it easier for secret detection and incident response to be effective.

## Proposal

Use the `gldeploy-` prefix for new deploy tokens. This requires a prefix constant in the `DeployToken` model, which is then passed to `add_authentication_token_field` so it is included when the authenticated token is generated.

[Current `add_authentication_token_field` in `DeployToken`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/models/deploy_token.rb#L9):

```ruby
add_authentication_token_field :token, encrypted: :required
```

Proposed change (notice the new `format_with_prefix` argument):

```ruby
TOKEN_PREFIX = "gldeploy-"

add_authentication_token_field :token, encrypted: :required, format_with_prefix: :gldeploy_token_prefix

# The prefix has to be wrapped in an instance method because the token
# formatter expects a method name, not a literal string.
def gldeploy_token_prefix
  TOKEN_PREFIX
end
```

### A note on the `DeployToken` spec (spec/models/deploy_token.rb)

There is a problem with the factory used to create the Deploy Token: if you simply call `create(:deploy_token)`, it will not use the `TokenAuthenticatable` concern to generate the token. The best way to test the DeployToken's token is to build a DeployToken instance and then save it, as that will generate a token through the `TokenAuthenticatable` concern, i.e.:

```ruby
describe '#token' do
  it 'has a prefix' do
    # Clear the factory-supplied token so TokenAuthenticatable generates one on save
    deploy_token = build(:deploy_token, token_encrypted: nil)
    deploy_token.save!

    expect(deploy_token.token).to include "gldeploy-"
  end
end
```
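To show why the prefix matters for the secret-detection and incident-response side mentioned above, here is an added, stand-alone Ruby example (not GitLab's code) that generates a token in the proposed `gldeploy-` format and then scans and redacts constructed log lines using a pattern anchored on that prefix. The 20-character token body and the `[A-Za-z0-9_-]` alphabet are assumptions for this example.

```ruby
require 'securerandom'

# Prefix proposed in this issue. The body length and alphabet are assumptions
# for this example, not values taken from GitLab's implementation.
DEPLOY_TOKEN_PREFIX = 'gldeploy-'
TOKEN_BODY_LENGTH = 20
TOKEN_BODY_CLASS = '[A-Za-z0-9_-]'

# Generate a token the way a prefix-aware formatter would: a random body
# with the fixed prefix in front, so the value is self-identifying.
def generate_deploy_token
  DEPLOY_TOKEN_PREFIX + SecureRandom.alphanumeric(TOKEN_BODY_LENGTH)
end

# Detection pattern anchored on the prefix. Without a prefix, a scanner would
# have to flag every 20-character random-looking string, which is noisy.
DEPLOY_TOKEN_PATTERN = /
  (?<!#{TOKEN_BODY_CLASS})
  #{Regexp.escape(DEPLOY_TOKEN_PREFIX)}#{TOKEN_BODY_CLASS}{#{TOKEN_BODY_LENGTH}}
  (?!#{TOKEN_BODY_CLASS})
/x

# Scan arbitrary text (logs, a diff, a config file) for leaked deploy tokens.
def find_deploy_tokens(text)
  text.scan(DEPLOY_TOKEN_PATTERN)
end

# Redact leaked tokens, keeping the prefix and last four characters so an
# incident responder can still correlate the hit with a token record.
def redact_deploy_tokens(text)
  text.gsub(DEPLOY_TOKEN_PATTERN) { |tok| "#{DEPLOY_TOKEN_PREFIX}****#{tok[-4, 4]}" }
end

# Constructed sample log: one line leaks a deploy token in a clone URL.
SAMPLE_LOG = <<~LOG
  2024-01-01T10:00:00Z git clone https://gitlab+deploy-token-1:gldeploy-AbCdEfGhIjKlMnOpQrSt@gitlab.example/group/repo.git
  2024-01-01T10:00:01Z GET /api/v4/projects/1 200
LOG

if __FILE__ == $PROGRAM_NAME
  puts find_deploy_tokens(SAMPLE_LOG).inspect
  puts redact_deploy_tokens(SAMPLE_LOG)
end
```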