[FF] `allow_push_to_allowlisted_projects` - Rollout
## Summary

This issue is to roll out [Allow CI_JOB_TOKEN to push to allowlisted repositories](https://gitlab.com/gitlab-org/gitlab/-/issues/479907) on production, which is currently behind the `allow_push_to_allowlisted_projects` feature flag.

This feature adds the ability for CI/CD job tokens to push to repositories in other projects when the source project is on the target project's inbound job token allowlist with the `admin_repositories` policy. It is gated behind four independent security checks:

1. Feature flag `allow_push_to_allowlisted_projects` (`gitlab_com_derisk`, default off)
2. Target project setting `cross_project_push_for_job_token_allowed` (new boolean, default false)
3. Target project inbound scope must be enabled
4. Allowlist entry from target → source with the `admin_repositories` fine-grained policy

## Owners

- Most appropriate Slack channel to reach out to: `#g_authentication`, `#g_pipeline_security`
- Best individual to reach out to: @dbiryukov @mmishaev

## References

- Feature issue: https://gitlab.com/gitlab-org/gitlab/-/issues/479907
- Implementation MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/229671

## Expectations

### What are we expecting to happen?

CI/CD job tokens will be able to push to repositories in other projects when:

- The source project is on the target project's inbound job token allowlist with the `admin_repositories` policy
- The target project has `cross_project_push_for_job_token_allowed` enabled
- The target project has inbound scope enabled
- The top-level `push_repository_for_job_token_allowed` setting is enabled on the target project

### What can go wrong and how would we detect it?
- Unauthorized cross-project pushes if any of the four security gates has a bug: monitor for unexpected 2xx responses on git push endpoints from job tokens.
- Performance degradation due to additional allowlist lookups on every push: monitor error rates and latency on git push operations.
- Regression in existing same-project job token pushes: monitor for increased 403 errors on existing pipelines.

## Rollout Steps

Note: Please make sure to run the chatops commands in the Slack channel that gets impacted by the command.

### Rollout on non-production environments

- Verify the MR with the feature flag is merged to `master` and has been deployed to non-production environments with `/chatops gitlab run auto_deploy status <merge-commit-of-your-feature>`
- [ ] Deploy the feature flag at a percentage (recommended percentage: 50%) with `/chatops gitlab run feature set allow_push_to_allowlisted_projects 50 --actors --dev --pre --staging --staging-ref`
- [ ] Monitor that the error rates did not increase (repeat with a different percentage as necessary).
- [ ] Enable the feature globally on non-production environments with `/chatops gitlab run feature set allow_push_to_allowlisted_projects true --dev --pre --staging --staging-ref`
- [ ] Verify that the feature works as expected. The best environment to validate the feature in is [`staging-canary`](https://about.gitlab.com/handbook/engineering/infrastructure/environments/#staging-canary) as this is the first environment deployed to. Make sure you are [configured to use canary](https://next.gitlab.com/).
- [ ] If the feature flag causes end-to-end tests to fail, disable the feature flag on staging to avoid blocking [deployments](https://about.gitlab.com/handbook/engineering/deployments-and-releases/deployments/).
  - See the [`#e2e-run-staging` Slack channel](https://gitlab.enterprise.slack.com/archives/CBS3YKMGD) and look for the following messages:
    - test kicked off: `Feature flag allow_push_to_allowlisted_projects has been set to true on **gstg**`
    - test result: `This pipeline was triggered due to toggling of allow_push_to_allowlisted_projects feature flag`

  If you encounter end-to-end test failures and are unable to diagnose them, you may reach out to the [`#s_developer_experience` Slack channel](https://gitlab.enterprise.slack.com/archives/C07TWBRER7H) for assistance. Note that end-to-end test failures on `staging-ref` [don't block deployments](https://about.gitlab.com/handbook/engineering/infrastructure/environments/staging-ref/#how-to-use-staging-ref).

### Before production rollout

- [ ] If the change is significant and you want to announce it in [#whats-happening-at-gitlab](https://gitlab.enterprise.slack.com/archives/C0259241C), it is best to do so before rollout to `gitlab-org/gitlab-com`.

### Specific rollout on production

For visibility, all `/chatops` commands that target production must be executed in the [`#production` Slack channel](https://gitlab.slack.com/archives/C101F3796) and cross-posted (with the command results) to the responsible team's Slack channel.

- Ensure that the feature MRs have been deployed to both production and canary with `/chatops gitlab run auto_deploy status <merge-commit-of-your-feature>`
- [ ] Enable for internal GitLab projects first (project-actor):
  - `/chatops gitlab run feature set --project=gitlab-org/gitlab,gitlab-org/gitlab-foss,gitlab-com/www-gitlab-com allow_push_to_allowlisted_projects true`
- [ ] Verify that the feature works for the specific actors.

### Preparation before global rollout

- [ ] Set a milestone on this rollout issue to signal for enabling and removing the feature flag when it is stable.
- [ ] Check if the feature flag change needs to be accompanied with a [change management issue](https://about.gitlab.com/handbook/engineering/infrastructure-platforms/change-management/#feature-flags-and-the-change-management-process). Cross-link the issue here if it does.
- [ ] Ensure that you or a representative in development can be available for at least 2 hours after feature flag updates in production. If a different developer will be covering, or an exception is needed, please inform the oncall SRE by using the `@sre-oncall` Slack alias.
- [ ] Ensure that documentation exists for the feature, and the [version history text](https://docs.gitlab.com/development/documentation/feature_flags/#add-history-text) has been updated.
- [ ] Ensure that any breaking changes have been announced following the [release post process](https://about.gitlab.com/handbook/marketing/blog/release-posts/#deprecations-removals-and-breaking-changes) to ensure GitLab customers are aware.
- [ ] Notify the [`#support_gitlab-com` Slack channel](https://gitlab.slack.com/archives/C4XFU81LG) and your team channel ([more guidance on when this is necessary in the dev docs](https://docs.gitlab.com/development/feature_flags/controls/#communicate-the-change)).

### Global rollout on production

For visibility, all `/chatops` commands that target production must be executed in the [`#production` Slack channel](https://gitlab.slack.com/archives/C101F3796) and cross-posted (with the command results) to the responsible team's Slack channel.

- [ ] [Incrementally roll out](https://docs.gitlab.com/development/feature_flags/controls/#process) the feature on production.
  - Example: `/chatops gitlab run feature set allow_push_to_allowlisted_projects <rollout-percentage> --actors`.
  - Between every step wait for at least 15 minutes and monitor the appropriate graphs on https://dashboards.gitlab.net.
- [ ] After the feature has been 100% enabled, wait for [at least one day before releasing the feature](#release-the-feature).

### Release the feature

After the feature has been [deemed stable](https://about.gitlab.com/handbook/product-development-flow/feature-flag-lifecycle/#including-a-feature-behind-feature-flag-in-the-final-release), the [clean up](https://docs.gitlab.com/development/feature_flags/controls/#cleaning-up) should be done as soon as possible to permanently enable the feature and reduce complexity in the codebase. You can either [create a follow-up issue for Feature Flag Cleanup](https://gitlab.com/gitlab-org/gitlab/-/issues/new?issuable_template=Feature%20Flag%20Cleanup) or use the checklist below in this same issue.

- [ ] Create a merge request to remove the `allow_push_to_allowlisted_projects` feature flag. Ask for review/approval/merge as usual. The MR should include the following changes:
  - Remove all references to the feature flag from the codebase.
  - Remove the YAML definitions for the feature from the repository.
- [ ] Ensure that the cleanup MR has been included in the release package. If the merge request was deployed before [the monthly release was tagged](https://about.gitlab.com/handbook/engineering/releases/#self-managed-releases-1), the feature can be officially announced in a release blog post: `/chatops gitlab run release check <merge-request-url> <milestone>`
- [ ] Close [the feature issue](https://gitlab.com/gitlab-org/gitlab/-/issues/479907) to indicate the feature will be released in the current milestone.
- [ ] Once the cleanup MR has been deployed to production, clean up the feature flag from all environments by running this chatops command in the `#production` channel: `/chatops gitlab run feature delete allow_push_to_allowlisted_projects --dev --pre --staging --staging-ref --production`
- [ ] Close this rollout issue.
## Rollback Steps

- [ ] This feature can be disabled on production by running the following Chatops command:

  ```
  /chatops gitlab run feature set allow_push_to_allowlisted_projects false
  ```

- [ ] Disable the feature flag on non-production environments:

  ```
  /chatops gitlab run feature set allow_push_to_allowlisted_projects false --dev --pre --staging --staging-ref
  ```

- [ ] Delete the feature flag from all environments:

  ```
  /chatops gitlab run feature delete allow_push_to_allowlisted_projects --dev --pre --staging --staging-ref --production
  ```
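## Worked example: gate model and push detection

The following Ruby is an added example for this issue, not GitLab's implementation or any code from the MR. It models the four gates listed in the Summary as a single default-deny check, and then uses that model as the oracle for the "unexpected 2xx responses on git push endpoints from job tokens" signal under "What can go wrong": any 2xx on a `git-receive-pack` request authenticated with a job token that the model would have denied is flagged. The `Project` struct, the `inbound_allowlist` shape (target project path → list of policies granted to a source project), `EXAMPLE_PROJECTS`, the assumption that same-project job token pushes are always allowed, and the JSON access-log lines are all constructed for illustration and are not GitLab's real data model or log schema.

```ruby
# Added example for this rollout issue: a default-deny model of the four gates that
# guard cross-project job-token pushes, plus a log check for the "unexpected 2xx on
# git push endpoints from job tokens" signal. This is NOT GitLab's implementation:
# the Project struct, the allowlist shape and the JSON log format are assumptions.
require 'json'

# Assumed shape of a project for this example. inbound_allowlist maps an allowlisted
# *source* project path to the fine-grained policies granted to it on this *target*.
Project = Struct.new(:path, :inbound_scope_enabled,
                     :cross_project_push_for_job_token_allowed, :inbound_allowlist,
                     keyword_init: true)

module JobTokenPushPolicy
  # Gate order follows the Summary; every gate must pass, anything else is denied.
  def self.cross_project_push_allowed?(source:, target:, feature_flag_enabled:)
    return false unless feature_flag_enabled                              # 1. feature flag
    return false unless target.cross_project_push_for_job_token_allowed   # 2. target setting
    return false unless target.inbound_scope_enabled                      # 3. target inbound scope
    policies = target.inbound_allowlist.fetch(source.path, [])            # 4. target -> source entry
    policies.include?('admin_repositories')                               #    with admin_repositories
  end

  # Same-project pushes are existing behaviour (assumed always allowed in this model);
  # only cross-project pushes go through the four gates.
  def self.push_allowed?(source:, target:, feature_flag_enabled:)
    return true if source.path == target.path
    cross_project_push_allowed?(source: source, target: target,
                                feature_flag_enabled: feature_flag_enabled)
  end
end

# Constructed projects: target allowlists source with admin_repositories, but
# only grants read_repository to other. source and other allowlist nobody.
EXAMPLE_PROJECTS = {
  'group/source' => Project.new(path: 'group/source', inbound_scope_enabled: true,
                                cross_project_push_for_job_token_allowed: true,
                                inbound_allowlist: {}),
  'group/target' => Project.new(path: 'group/target', inbound_scope_enabled: true,
                                cross_project_push_for_job_token_allowed: true,
                                inbound_allowlist: {
                                  'group/source' => %w[read_repository admin_repositories],
                                  'group/other'  => %w[read_repository]
                                }),
  'group/other'  => Project.new(path: 'group/other', inbound_scope_enabled: true,
                                cross_project_push_for_job_token_allowed: true,
                                inbound_allowlist: {})
}.freeze

# Constructed access-log lines (one JSON object per line, not a real GitLab schema).
# job_project is the project whose pipeline issued the CI_JOB_TOKEN.
SAMPLE_LOGS = <<~LOGS
  {"method":"POST","path":"/group/target.git/git-receive-pack","status":200,"auth":"ci_job_token","job_project":"group/source"}
  {"method":"POST","path":"/group/target.git/git-receive-pack","status":200,"auth":"ci_job_token","job_project":"group/other"}
  {"method":"POST","path":"/group/source.git/git-receive-pack","status":200,"auth":"ci_job_token","job_project":"group/source"}
  {"method":"POST","path":"/group/target.git/git-receive-pack","status":403,"auth":"ci_job_token","job_project":"group/other"}
  {"method":"POST","path":"/group/target.git/git-upload-pack","status":200,"auth":"ci_job_token","job_project":"group/other"}
  {"method":"POST","path":"/group/target.git/git-receive-pack","status":200,"auth":"personal_access_token","job_project":null}
LOGS

# Returns the parsed log entries where a job token got a 2xx on a push endpoint that
# the policy model says should have been denied under the given flag state.
def unexpected_job_token_pushes(log_text, projects:, feature_flag_enabled:)
  log_text.each_line.filter_map do |line|
    entry = JSON.parse(line)
    next unless entry['auth'] == 'ci_job_token'
    next unless entry['path'].end_with?('/git-receive-pack')   # push; git-upload-pack is fetch
    next unless (200..299).cover?(entry['status'])
    target_path = entry['path'].delete_prefix('/').delete_suffix('.git/git-receive-pack')
    source = projects[entry['job_project']]
    target = projects[target_path]
    # Unknown projects are flagged too: we cannot show the push was legitimate.
    next if source && target &&
            JobTokenPushPolicy.push_allowed?(source: source, target: target,
                                             feature_flag_enabled: feature_flag_enabled)
    entry
  end
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |ff|
    hits = unexpected_job_token_pushes(SAMPLE_LOGS, projects: EXAMPLE_PROJECTS, feature_flag_enabled: ff)
    puts "feature flag #{ff ? 'on' : 'off'}: #{hits.size} unexpected push(es)"
    hits.each { |h| puts "  #{h['job_project']} -> #{h['path']} (#{h['status']})" }
  end
end
```

Run against the constructed log with the flag off, both cross-project 2xx pushes are flagged (nothing should cross projects yet); with the flag on, only the push from `group/other` is flagged, because its allowlist entry carries `read_repository` but not `admin_repositories`. The same-project push, the 403, the fetch (`git-upload-pack`) and the non-job-token push are never flagged, which is the distinction the monitoring bullet relies on. Note that the check is deliberately direction-sensitive: the entry lives on the target's allowlist and names the source, so an entry the other way round grants nothing.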