I'm an eternal optimist
I noticed that we have only added this field to group and project variables so far - do we also plan to add the same option to instance variables?
I haven't heard any demand for this at the instance level. We certainly can if we get feedback for the need once this is released.
Ah, got it. Thanks for clarifying @carolinesimpson. We will figure out timing!
@yonghyun.jin13 thanks for your interest in contributing to GitLab! This issue is currently still pending design and is not ready for implementation. I recommend searching for issues which have been tagged as Seeking community contributions or are in workflow::ready for development.
@shampton thanks! Should we update the docs to indicate the known problem for now? We can remove it when it's resolved (to avoid duplicates). WDYT?
@dhershkovitch are you working on a release post for this? I think it's worth a secondary post item.
@shampton this is tagged for group::runner but this also ties to group::pipeline security. Can we please have one of our developers also look at this?
@urbanwax I don't see any documentation in your MR. Is that something forthcoming? Thanks!
Currently the CI job token allowlist is set by the project which grants access. It is unclear to the receiving projects who has granted this access. This proposal is to display a list of "granting projects". This enables specific projects to know if they have all the "required" permissions to run their pipeline.
Internal only: Dovetail
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
Administrators (or de facto organization administrators) may want to enforce certain CI job token permissions at the group level. This can prevent project-level users from 1) removing certain inherited allowlist permissions or 2) modifying the permissions for a specific project.
TBD
TBD.
Yes, specific details TBD.
@shampton can we please get a weight for milestone planning? Thanks!
Update 2024-03-26
cc @jreporter
@bonnie-tsang I think we need to update the text here. It implies this feature can be disabled (which it cannot). A few customers pointed this out during solution validation ("oh great, we can disable it for a group!").