[FF] expose_last_used_ips_for_access_tokens -- Expose last used IPs for access tokens
## Summary

Roll out the feature (https://gitlab.com/gitlab-org/gitlab/-/work_items/600347) currently behind the `expose_last_used_ips_for_access_tokens` feature flag.

- DRI: @sgarg_gitlab
- Team Slack channel: #<to be confirmed by DRI>

## What could go wrong?

Enabling this flag exposes `last_used_ips` in personal, project, and group access token API responses. Blast radius is limited to read-only data exposure — no writes or mutations. Risk is low; no data loss possible. Watch for unexpected performance degradation on token list endpoints.

## Rollout

Run all production `/chatops` in #production (https://gitlab.slack.com/archives/C101F3796). Background: incremental rollout process (https://docs.gitlab.com/development/feature_flags/controls/#process), feature actors (https://docs.gitlab.com/development/feature_flags/#feature-actors).

**Non-production**

```
/chatops gitlab run feature set expose_last_used_ips_for_access_tokens 50 --actors --dev --pre --staging --staging-ref
/chatops gitlab run feature set expose_last_used_ips_for_access_tokens true --dev --pre --staging --staging-ref
```

**Production** — percentage rollout (wait ≥15 min between steps, watch dashboards):

```
/chatops gitlab run feature set expose_last_used_ips_for_access_tokens <percentage> --actors
```

Or target specific actors instead:

```
/chatops gitlab run feature set --project=gitlab-org/gitlab,gitlab-org/gitlab-foss expose_last_used_ips_for_access_tokens true
/chatops gitlab run feature set --group=gitlab-org,gitlab-com expose_last_used_ips_for_access_tokens true
/chatops gitlab run feature set --user=sgarg_gitlab expose_last_used_ips_for_access_tokens true
```

## Before global rollout

Confirm the relevant gotchas before going to 100% — see enabling a feature for GitLab.com (https://docs.gitlab.com/development/feature_flags/controls/#enabling-a-feature-for-gitlabcom):

- Docs + version history (https://docs.gitlab.com/development/documentation/feature_flags/) updated
- Breaking changes (https://docs.gitlab.com/development/documentation/release_notes/#deprecations-removals-and-breaking-changes) announced, if any
- Change management issue (https://handbook.gitlab.com/handbook/engineering/infrastructure-platforms/change-management/#feature-flags-and-the-change-management-process) opened, if required
- External API consumers (https://docs.gitlab.com/development/feature_flags/#do-not-use-feature-flags-in-external-api-consumers) handled with a fail-open mechanism, if applicable

## Cleanup

Remove the flag once deemed stable (https://handbook.gitlab.com/handbook/product-development/how-we-work/product-development-flow/feature-flag-lifecycle/#feature-flag-lifecycle) — see cleaning up (https://docs.gitlab.com/development/feature_flags/controls/#cleaning-up). Track it here, or open a follow-up Feature Flag Cleanup issue (https://gitlab.com/gitlab-org/gitlab/-/issues/new?description_template=Feature%20Flag%20Cleanup).

Remove the flag and its YAML definition from the codebase, then:

```
/chatops gitlab run release check <merge-request-url> 19.2
/chatops gitlab run feature delete expose_last_used_ips_for_access_tokens --dev --pre --staging --staging-ref --production
```

## Rollback

```
/chatops gitlab run feature set expose_last_used_ips_for_access_tokens false # production
/chatops gitlab run feature set expose_last_used_ips_for_access_tokens false --dev --pre --staging --staging-ref # non-production
/chatops gitlab run feature delete expose_last_used_ips_for_access_tokens --dev --pre --staging --staging-ref --production # remove entirely
```

~"group::authentication" ~"feature flag" ~"type::feature" ~"feature::addition"