## Summary This issue is to roll out [the feature](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/229560) on production, that is currently behind the `use_prevent_all_for_job_token_scope` feature flag. ## Owners - Most appropriate Slack channel to reach out to: `#g_authorization` - Best individual to reach out to: @imand3r ## Expectations ### What are we expecting to happen? When enabled, public/internal projects with out-of-scope job tokens use `prevent_all` with a curated exception list instead of individually preventing each `*_access` permission. The behavior should be functionally equivalent — the same permissions are allowed and disallowed. ### What can go wrong and how would we detect it? Permission regressions where job tokens gain or lose access they shouldn't. Monitor for 403/404 errors on CI job token authenticated requests to public/internal projects. Relevant dashboards: API error rates, CI pipeline creation failures. ## Rollout Steps Note: Please make sure to run the chatops commands in the Slack channel that gets impacted by the command. ### Rollout on non-production environments - Verify the MR with the feature flag is merged to `master` and has been deployed to non-production environments with `/chatops gitlab run auto_deploy status <merge-commit-of-your-feature>` - [x] Deploy the feature flag at a percentage (recommended percentage: 50%) with `/chatops gitlab run feature set use_prevent_all_for_job_token_scope 50 --actors --dev --pre --staging --staging-ref` - [x] Monitor that the error rates did not increase (repeat with a different percentage as necessary). - [x] Enable the feature globally on non-production environments with `/chatops gitlab run feature set use_prevent_all_for_job_token_scope true --dev --pre --staging --staging-ref` - [x] Verify that the feature works as expected. The best environment to validate the feature in is [`staging-canary`](https://about.gitlab.com/handbook/engineering/infrastructure/environments/#staging-canary) as this is the first environment deployed to. Make sure you are [configured to use canary](https://next.gitlab.com/). - [ ] If the feature flag causes end-to-end tests to fail, disable the feature flag on staging to avoid blocking [deployments](https://about.gitlab.com/handbook/engineering/deployments-and-releases/deployments/). ### Before production rollout - [ ] If the change is significant and you wanted to announce in [#whats-happening-at-gitlab](https://gitlab.enterprise.slack.com/archives/C0259241C), it best to do it before rollout to `gitlab-org/gitlab-com`. ### Specific rollout on production For visibility, all `/chatops` commands that target production must be executed in the [`#production` Slack channel](https://gitlab.slack.com/archives/C101F3796) and cross-posted (with the command results) to the responsible team's Slack channel. - [ ] Depending on the type of actor, pick one of these options: - For **project-actor**: `/chatops gitlab run feature set --project=gitlab-org/gitlab,gitlab-org/gitlab-foss,gitlab-com/www-gitlab-com use_prevent_all_for_job_token_scope true` - [ ] Verify that the feature works for the specific actors. ### Preparation before global rollout - [ ] Set a milestone to this rollout issue to signal for enabling and removing the feature flag when it is stable. - [ ] Ensure that you or a representative in development can be available for at least 2 hours after feature flag updates in production. - [ ] Notify the [`#support_gitlab-com` Slack channel](https://gitlab.slack.com/archives/C4XFU81LG) and your team channel. ### Global rollout on production For visibility, all `/chatops` commands that target production must be executed in the [`#production` Slack channel](https://gitlab.slack.com/archives/C101F3796) and cross-posted (with the command results) to the responsible team's Slack channel. - [ ] [Incrementally roll out](https://docs.gitlab.com/development/feature_flags/controls/#process) the feature on production. - Example: `/chatops gitlab run feature set use_prevent_all_for_job_token_scope <rollout-percentage> --actors`. - Between every step wait for at least 15 minutes and monitor the appropriate graphs on https://dashboards.gitlab.net. - [ ] After the feature has been 100% enabled, wait for at least one day before releasing the feature. ### Release the feature After the feature has been deemed stable, the clean up should be done as soon as possible to permanently enable the feature and reduce complexity in the codebase. - [ ] Create a merge request to remove the `use_prevent_all_for_job_token_scope` feature flag. The MR should include the following changes: - Remove all references to the feature flag from the codebase. - Remove the YAML definitions for the feature from the repository. - [ ] Once the cleanup MR has been deployed to production, clean up the feature flag from all environments by running: `/chatops gitlab run feature delete use_prevent_all_for_job_token_scope --dev --pre --staging --staging-ref --production` - [ ] Close this rollout issue. ## Rollback Steps - [ ] This feature can be disabled on production by running the following Chatops command: ``` /chatops gitlab run feature set use_prevent_all_for_job_token_scope false ``` - [ ] Disable the feature flag on non-production environments: ``` /chatops gitlab run feature set use_prevent_all_for_job_token_scope false --dev --pre --staging --staging-ref ```