Allowing creation of releases without need for a personal token
Problem to solve
Performing GitLab Releases from CI/CD through the API requires the use of a personal token, which may jeopardize security if there are other members with sufficient access on that project.
Intended users
Unknown
Further details
Currently, if one wishes to create a project release from that project's GitLab CI/CD, they have to create and add their own personal token as a masked and protected variable and use the GitLab API. However, this presents a security risk if there are other members on the team with maintainer or owner access who can view this masked and protected key from the UI: these team members, through the personal token, can now access any project under the control of the person who generated the personal token.
Proposal
One solution could be deploy tokens, which allow for granular per-project access and are automatically passed to the CI/CD system. If these were allowed to have write access, they could be used by the CI/CD system to perform GitLab releases through the API. In this way, there is no need for a team member to post their own personal access token to a project.
Alternatively, we could have a dedicated release token, activated through the UI, that would give the CI/CD system permission to generate/edit releases and do nothing else.