Allow job token scope to be configured while disabled
Problem
When a user wants to configure the job token scope by adding the projects that need to be accessed by CI_JOB_TOKEN, they first need to enable the setting.
Enabling the setting immediately enforces the job token scope for any running jobs. This could cause pipelines to fail, since the maintainer is still in the process of adding the relevant projects to the token scope.
Solution
Allow the job token scope to be configured (e.g. projects to be added/removed) while the setting is disabled.
Proposal
From the backend perspective we would need to remove the following lines to allow the job token scope to always be read and written. We would need to fix any failing specs.
diff --git a/app/graphql/resolvers/ci/job_token_scope_resolver.rb b/app/graphql/resolvers/ci/job_token_scope_resolver.rb
index ca76a7b94fc..50249d40552 100644
--- a/app/graphql/resolvers/ci/job_token_scope_resolver.rb
+++ b/app/graphql/resolvers/ci/job_token_scope_resolver.rb
@@ -12,8 +12,6 @@ class JobTokenScopeResolver < BaseResolver
def resolve
authorize!(object)
- return unless object.ci_job_token_scope_enabled?
-
::Ci::JobToken::Scope.new(object)
end
end
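Review bot: In `resolve`, dropping the `return unless object.ci_job_token_scope_enabled?` guard means the field no longer returns nil for a project with the setting disabled, so any caller that treated a nil scope as "setting disabled" will now receive a scope object and may present the project list as if it were being enforced. Suggest confirming that callers read the enabled state from the setting itself rather than from the presence of the scope, and adding a resolver spec for the disabled case that asserts the scope is returned only after `authorize!(object)` passes, since that call is now the only gate on reading the list.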
diff --git a/app/services/concerns/ci/job_token_scope/edit_scope_validations.rb b/app/services/concerns/ci/job_token_scope/edit_scope_validations.rb
index 23053975313..427aebf397e 100644
--- a/app/services/concerns/ci/job_token_scope/edit_scope_validations.rb
+++ b/app/services/concerns/ci/job_token_scope/edit_scope_validations.rb
@@ -9,10 +9,6 @@ module EditScopeValidations
"not exist or you don't have permission to perform this action"
def validate_edit!(source_project, target_project, current_user)
- unless source_project.ci_job_token_scope_enabled?
- raise ValidationError, "Job token scope is disabled for this project"
- end
-
unless can?(current_user, :admin_project, source_project)
raise ValidationError, "Insufficient permissions to modify the job token scope"
end
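Review bot: In `validate_edit!`, with the `ci_job_token_scope_enabled?` block removed, the `:admin_project` check on `source_project` is the first check every add/remove reaches, and entries written while the setting is disabled will be enforced as soon as it is enabled. Suggest a spec that edits the scope with the setting disabled as a user without `:admin_project` and expects "Insufficient permissions to modify the job token scope", plus one that confirms a permitted edit succeeds while disabled. Any spec that still expects "Job token scope is disabled for this project" should be updated in the same change.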
From the frontend perspective we would need to always display the list of projects in the scope even if the setting is disabled.