write_repository scope to Deploy Tokens
Problem to solve
The overall problem is that there is no per-project service account. Deploy tokens are already scoped to a project, so if they had write access to the repository and the API they would already serve this purpose. If a per-project service account were needed instead, it would require LDAP. The idea is to make deploy tokens essentially function like deploy keys, but without that causing other issues.
We are attempting to automate the publishing of releases/binaries to GitLab on merge to master. Specifically, we want to be able to push a new Git tag as well as craft a release (along with some binaries) from within GitLab CI.
Further details
Currently, we would need to use an SSH key (for pushing the Git tag) and a user's deploy token (for creating the release and uploading binaries). This second part is the area that worries us: that user token has write access to everything that user can write to. We want to limit it to just the specified repository.
Proposal
A new scope (write_repository) to be added to Deploy Tokens that can be used inside a GitLab CI pipeline. This would give the build write access to the repository, both through Git and through the API.
What does success look like, and how can we measure that?
Success means that an automated GitLab CI pipeline can publish a new Git tag, a GitLab release, and the associated artifacts without using a user's token.