Allow projects to add groups in their CI_JOB_TOKEN allow list

Problem to solve

Users can only add one project at a time to the allowlist for which projects can use their CI_JOB_TOKEN to access this project. For organizations that have a lot of projects within each group, this process can be quite tedious, and there's a chance of missing out on some.

User experience goal

Users should be allowed to add a group, rather than needing to individually add each project within that group to their inbound token access list.

Proposal

Allow groups to be added to the inbound CI_JOB_TOKEN access list.

Overall behaviour

• The feature is enabled by default, with the project itself included in the allowlist. Behaviour:
  • Feature enabled (Toggle on):
    • Allows the project to be accessed by other groups or projects.
    • The allowlist is active.
  • Feature disabled (Toggle off):
    • Restricts access to the current project only.
    • The allowlist is ignored.
• Users can add a group or project to the allowlist.
• When user add a group to the allowlist, the projects associated with this group will not count towards the 200-project limit.

Design and details

👉 See the most updated design by clicking the Designs tab

Intended users

• Delaney (Development Team Lead)
• Sasha (Software Developer)
• Priyanka (Platform Engineer)

More background and context for this issue

• The limit a project's job token access is deprecated and will be removed in the 17.0 milestone.
• Related issue: Configure Job Token scope at group level.
• Refer to the research issue Solution validation: CI_JOB_TOKEN overall behavior for related context and scenarios in comments.

Implementation plan

MR	status
1a. core functionality: Allow groups to be added to the inbound allowlist (!151693 - merged)	✅
1b. update documentation to read "group or project" instead of just "project": Updates CI/CD job token docs (!152440 - merged)	✅
1c. relabel the toggle: Rename "Limit access to this project" to "Allow... (!151704 - merged)	🚫 reverted
2a. make the table look nicer: Improve the look of the token access table (!151728 - merged)	✅
2b. make the form look nicer: Improve token access add form (!151730 - merged)	✅
2c. restore the improvements from !151704 without renaming the toggle: Adjust project settings CI_JOB_TOKEN section wo... (!156989 - merged)	✅

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.