Improving PAT expiration behavior
Problem to solve
After extending PAT expiration to GitLab.com, we'll need to add additional functionality to support a good user experience for token expiration and to support the compliance reporting needs of an organization.
Additional details
A PAT should not become inactive at the moment it expires, as this would completely halt productivity. Instead, expiration should generate a notice to the appropriate stakeholder(s) (e.g. Group Owners) so they can take action. Developers should still be able to push code and operate with an expired token, but should be informed that their access may soon be interrupted and be guided through a PAT rotation.
Expiration could also create an issue to document the expiration event and to support a remediation workflow for rotating the expired token.
An Administrator or Group Owner should be able to optionally define a more strict workflow based on their company policies for credential rotation.
Proposal
Add an alert for the Group Owner when a PAT expires. We will need to determine the most appropriate channel or mechanism for this.
Provide an experience for Developers to facilitate a PAT rotation. A potential workflow could be:
- A Developer takes action using a PAT.
- Present an informative message: "Your PAT has expired. Your activity will be restricted after 7 days if you do not rotate your PAT."
- Log the expiration event in Audit Events.
Permissions and Security
Only Administrators or Group Owners of group-managed accounts should be able to see and modify this setting.