Add job_token_policies column to CI token allowlist
What does this MR do and why?
- This MR adds a `job_token_policies` column to the `ci_job_token_group_scope_links` & `ci_job_token_project_scope_links` tables.
- This column will be used by the project admin to store the list of policies for each allowlist from the UI.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Database
Output of db:migrate
Running: `bundle exec rake db:migrate:down:main VERSION=20240920051810`
main: == [advisory_lock_connection] object_id: 115780, pg_backend_pid: 153
main: == 20240920051810 AddPoliciesToCiProjectScopeLinks: reverting =================
main: -- remove_column(:ci_job_token_project_scope_links, :job_token_policies, :jsonb, {:default=>[]})
main: -> 0.0020s
main: == 20240920051810 AddPoliciesToCiProjectScopeLinks: reverted (0.0105s) ========
main: == [advisory_lock_connection] object_id: 115780, pg_backend_pid: 153
Output of db:rollback
Running: `bundle exec rake db:migrate:down:main VERSION=20240923131448`
main: == [advisory_lock_connection] object_id: 116940, pg_backend_pid: 124
main: == 20240923131448 AddPoliciesToCiGroupScopeLinks: reverting ===================
main: -- remove_column(:ci_job_token_group_scope_links, :job_token_policies, :jsonb, {:default=>[]})
main: -> 0.0218s
main: == 20240923131448 AddPoliciesToCiGroupScopeLinks: reverted (0.0328s) ==========
main: == [advisory_lock_connection] object_id: 116940, pg_backend_pid: 124
How to set up and validate locally
- Assign policies to either group/project allowlist for CI job tokens
```ruby
policies = %w[read_project read_build]
Ci::JobToken::ProjectScopeLink.create(source_project: Project.last, target_project: Project.first, job_token_policies: policies)
Ci::JobToken::GroupScopeLink.create(source_project: Project.last, target_group: Group.first, job_token_policies: policies)
```
Edited by Hinam Mehra
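The new column is `jsonb` with a default of `[]`, and the column type by itself accepts any JSON value. The following is an added example, not GitLab's code and not part of this MR: a plain-Ruby check of a policy list before it is stored. `ALLOWED_POLICIES` (only the two names used in the validation step above), `MAX_POLICIES`, both function names and the sample payloads are assumptions.

```ruby
require 'json'

# Assumed set: only the two policy names that appear in this MR description.
ALLOWED_POLICIES = %w[read_project read_build].freeze
# Assumed upper bound on the number of entries in one list.
MAX_POLICIES = 32

# Returns a sorted, de-duplicated array of policy names.
# Raises ArgumentError for anything that is not a flat array of known names.
def normalize_job_token_policies(value)
  raise ArgumentError, 'policies must be an array' unless value.is_a?(Array)
  raise ArgumentError, 'too many policies' if value.size > MAX_POLICIES

  value.each do |policy|
    raise ArgumentError, "policy must be a string: #{policy.inspect}" unless policy.is_a?(String)
    raise ArgumentError, "unknown policy: #{policy}" unless ALLOWED_POLICIES.include?(policy)
  end
  value.uniq.sort
end

# Parses a JSON payload and reports the outcome as a hash instead of raising,
# so a caller can reject the request before anything reaches the column.
def check_policies_payload(json)
  { ok: true, policies: normalize_job_token_policies(JSON.parse(json)) }
rescue JSON::ParserError, ArgumentError => e
  { ok: false, error: e.message }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample payloads, not taken from GitLab.
  [
    '["read_build","read_project","read_build"]', # duplicates collapse
    '[]',                                         # same as the column default
    '{"read_project":true}',                      # object instead of array
    '["not_a_policy"]',                           # name outside the allowed set
    '[["read_project"]]'                          # nested array
  ].each { |payload| puts "#{payload} => #{check_policies_payload(payload)}" }
end
```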