Edit job token policies for CI scope (GraphQL)

Hinam Mehra requested to merge hmehra-edit-job-token-policies-graphql into master

What does this MR do and why?

  • Follows from !167872 (merged)
  • Creates a GraphQL mutation to allow job_token_policies to be updated for an allowlist entry.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Enable feature flag add_policies_to_ci_job_token

  2. Navigate to /-/graphql_explorer and run the following mutations:

     mutation {
       ciJobTokenScopeAddGroupOrProject(input: {
         projectPath: "flightjs/Flight",
         targetPath: "gitlab-org",
         jobTokenPolicies: [READ_GROUP]
       }) {
         errors
       }
     }

     mutation {
       ciJobTokenScopeUpdatePolicies(input: {
         projectPath: "flightjs/Flight",
         targetPath: "gitlab-org",
         jobTokenPolicies: [READ_GROUP, READ_PROJECT]
       }) {
         errors
       }
     }

  3. In the rails console, confirm that the correct policies have been saved:

     Ci::JobToken::GroupScopeLink.last

  4. You can repeat steps 2 and 3 with targetPath = "gitlab-org/gitlab-test" (i.e. targeting a project instead of a group). The model to check would be Ci::JobToken::ProjectScopeLink.

Resolves gitlab-org/govern/authorization/team-tasks#77

Edited by Hinam Mehra
