
Revoke rotated token only after new token 1st use in v18.5.0-ee

What does this MR do and why?

Revoke rotated token only after new token 1st use

The rotate API allows automating the rotation of personal, project and group access tokens. However, if for some reason (e.g. connection drop) the new token value fails to be recorded, there is no way to obtain the token or a new one except by manual intervention.

To mitigate this risk of disruption in an automated token rotation process, this modification delays the revocation of a rotated token until the new token is used.

Changelog: changed

References

Screenshots or screen recordings

Before After

How to set up and validate locally

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
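
The behaviour described above, as an added example that is not code from this MR or from GitLab: a small in-memory model in which rotation leaves the old token active and the first successful use of its successor revokes it. The TokenStore class, its methods and the "ci-bot" owner are hypothetical, and the retry after a lost response assumes the still-active old token may be rotated again.

```ruby
require "securerandom"
require "digest"
# Hypothetical in-memory model; all names here are assumptions, not GitLab code.
class TokenStore
  Record = Struct.new(:owner, :revoked, :previous_digest)
  def initialize
    @records = {} # SHA-256 digest of token value => Record
  end

  def issue(owner, previous_digest = nil)
    value = SecureRandom.hex(20)
    @records[digest(value)] = Record.new(owner, false, previous_digest)
    value
  end

  # Rotation issues a successor but leaves the rotated token active.
  def rotate(old_value)
    old = active_record(old_value) or raise ArgumentError, "token not active"
    issue(old.owner, digest(old_value))
  end

  # Returns the owner of an active token, else nil. The first successful
  # use of a successor revokes the token it replaced.
  def authenticate(value)
    rec = active_record(value) or return nil
    if rec.previous_digest
      @records[rec.previous_digest].revoked = true
      rec.previous_digest = nil
    end
    rec.owner
  end

  private
  def digest(value); Digest::SHA256.hexdigest(value); end
  def active_record(value)
    rec = @records[digest(value)]
    rec unless rec.nil? || rec.revoked
  end
end

# Constructed scenario: the rotate response is lost before the client stores it.
def lost_response_scenario
  store = TokenStore.new
  old = store.issue("ci-bot")
  store.rotate(old)                      # new value never reaches the client
  before = store.authenticate(old)       # old token still authenticates
  fresh = store.rotate(old)              # so the client can rotate again
  [before, store.authenticate(fresh), store.authenticate(old)]
end
```

In this model the successor that was never delivered also stays active, and the old token stays valid for as long as no successor is used; the page does not say how the change bounds either window.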
