Edit job token policies for CI scope (GraphQL)
What does this MR do and why?
- Follows from !167872 (merged)
- Creates a GraphQL mutation to allow job_token_policies to be updated for an allowlist entry.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
1. Enable feature flag add_policies_to_ci_job_token
2. Navigate to /-/graphql_explorer and run the following mutations:

       mutation {
         ciJobTokenScopeAddGroupOrProject(input: {
           projectPath: "flightjs/Flight",
           targetPath: "gitlab-org",
           jobTokenPolicies: [READ_GROUP]
         }) {
           errors
         }
       }

       mutation {
         ciJobTokenScopeUpdatePolicies(input: {
           projectPath: "flightjs/Flight",
           targetPath: "gitlab-org",
           jobTokenPolicies: [READ_GROUP, READ_PROJECT]
         }) {
           errors
         }
       }

3. In the rails console, confirm that the correct policies have been saved:

       Ci::JobToken::GroupScopeLink.last

4. You can repeat steps 2 and 3 with targetPath = "gitlab-org/gitlab-test" (i.e. targeting a project instead of a group). The model to check would be Ci::JobToken::ProjectScopeLink.
Edited by Hinam Mehra