Merge branch 'hhoerl/38801-switch-FF_GIT_URLS_WITHOUT_TOKENS-off' into 'main'

Switch the default for FF_GIT_URLS_WITHOUT_TOKENS back to false

See merge request gitlab-org/gitlab-runner!5572



Merged-by: Romuald Atchadé <ratchade@gitlab.com>
Approved-by: Romuald Atchadé <ratchade@gitlab.com>
Approved-by: Nicole Williams <nwilliams@gitlab.com>
Approved-by: Roshni Sarangadharan <rsarangadharan@gitlab.com>
Co-authored-by: Hannes Hörl <hhoerl@gitlab.com>

docs/configuration/feature-flags.md

@@ -83,7 +83,7 @@ The flags are defined in `./helpers/featureflags/flags.go` file.
 | `FF_USE_LEGACY_GCS_CACHE_ADAPTER` | `false` | {{< icon name="dotted-circle" >}} No |  | When enabled, the legacy GCS Cache adapter is used. When disabled (default), a newer GCS Cache adapter is used which uses Google Cloud Storage's SDK for authentication. This should resolve authentication problems in environments that the legacy adapter struggled with, such as workload identity configurations in GKE. |
 | `FF_DISABLE_UMASK_FOR_KUBERNETES_EXECUTOR` | `false` | {{< icon name="dotted-circle" >}} No |  | When enabled, removes the `umask 0000` call for jobs executed with the Kubernetes executor. Instead, the runner tries to discover the user ID (UID) and group ID (GID) of the user the build container runs as. The runner also changes the ownership of the working directory and files by running the `chown` command in the predefined container (after updating sources, restoring cache, and downloading artifacts). |
 | `FF_USE_LEGACY_S3_CACHE_ADAPTER` | `false` | {{< icon name="dotted-circle" >}} No |  | When enabled, the legacy S3 Cache adapter is used. When disabled (default), a newer S3 Cache adapter is used which uses Amazon's S3 SDK for authentication. This should resolve authentication problems in environments that the legacy adapter struggled with, such as custom STS endpoints. |
-| `FF_GIT_URLS_WITHOUT_TOKENS` | `true` | {{< icon name="dotted-circle" >}} No |  | When enabled, GitLab Runner doesn't embed the job token anywhere during Git configuration or command execution. Instead, it sets up a Git credential helper that uses the environment variable to obtain the job token. This approach limits token storage and reduces the risk of token leaks. |
+| `FF_GIT_URLS_WITHOUT_TOKENS` | `false` | {{< icon name="dotted-circle" >}} No |  | When enabled, GitLab Runner doesn't embed the job token anywhere during Git configuration or command execution. Instead, it sets up a Git credential helper that uses the environment variable to obtain the job token. This approach limits token storage and reduces the risk of token leaks. |
 | `FF_WAIT_FOR_POD_TO_BE_REACHABLE` | `false` | {{< icon name="dotted-circle" >}} No |  | When enabled, the runner waits for the Pod status to be 'Running', and for the Pod to be ready with its certificates attached. |
 | `FF_USE_NATIVE_STEPS` | `true` | {{< icon name="dotted-circle" >}} No |  | When enabled and when a job is specified using the 'run' keyword, steps are executed using [Native Step Runner Integration](../executors/docker.md#native-step-runner-integration). This applies only to executors that support native steps integration like Docker, Docker Autoscaler, Docker for Windows. |
 | `FF_MASK_ALL_DEFAULT_TOKENS` | `true` | {{< icon name="dotted-circle" >}} No |  | When enabled, GitLab Runner automatically masks all default tokens patterns. |

helpers/featureflags/flags.go

@@ -362,7 +362,7 @@ var flags = []FeatureFlag{
 	},
 	{
 		Name:         GitURLsWithoutTokens,
-		DefaultValue: true,
+		DefaultValue: false,
 		Deprecated:   false,
 		Description: "When enabled, GitLab Runner doesn't embed the job token anywhere during Git configuration or command " +
 			"execution. Instead, it sets up a Git credential helper that uses the environment variable to obtain the job token. " +