<!--IssueSummary start--> <details> <summary> Everyone can contribute. [Help move this issue forward](https://handbook.gitlab.com/handbook/marketing/developer-relations/contributor-success/community-contributors-workflows/#contributor-links) while earning points, leveling up and collecting rewards. </summary> - [Close this issue](https://contributors.gitlab.com/manage-issue?action=close&projectId=278964&issueIid=488449) </details> <!--IssueSummary end--> ### Summary of issue With the [InactiveTokensDeletionCronWorker incident](https://gitlab.com/gitlab-com/gl-infra/production/-/issues/18548) we had some Group Access Tokens and Projects Access Tokens that were inadvertently removed. In most scenarios, users had to re-create the tokens and replace them to get back up and running. However, one aspect that is a bit more challenging is when a GAT/PAT was used to create a mirror, as this gets set as the **mirror_user_id** for the project. If you create the mirror in the UI, then it uses the username/id of the person who is creating the mirror. If you used a token to create the mirror via the API, then it is tied to the owner of the token which could be a project access token or group access token. If you outright remove the token, and therefore the user, it kills the mirror entirely without warning and the [mirroring will get disabled](https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/mailers/ee/emails/projects.rb#L16-27). You'll get a notification like: ``` Repository mirroring on cleveland_ultimate_group/mirror-test-091224 was disabled because the mirror user Mirror API Group ACCESS TOKEN was deleted. To re-enable mirroring, update your repository mirroring settings. ``` However, updating mirroring settings means re-creating the mirror, rather than being able to re-assign a user, for example. This highlights the wide impact of simply removing a GAT/PAT. ### Proposal I propose that we consider providing more warnings when Group Access Tokens or Project Access Tokens are removed: - If possible, check to see if the GAT/PAT is used or has any object associations - Provide a warning when a token is deleted if the token has been used for mirroring - Warn users on _where to check for usage_ before removing it - Provide a way to update the mirror user retroactively, or have a fallback --- Despite this being discovered as part of the `InactiveTokensDeletionCronWorker` incident, this proposal is separate from future considerations on the impact of this worker. <!-- Label reminders Use the following resources to find the appropriate labels: - Use only one tier label choosing the lowest tier this is intended for - https://gitlab.com/gitlab-org/gitlab/-/labels - https://about.gitlab.com/handbook/product/categories/features/ -->