DB Migration: Add setting to toggle inbound job token scope
What does this MR do and why?
Issue Context
As part of the work for:
- Issue: #346298 (closed)
We want to be able to add projects to the job token scope but enforce the restriction on project access in the inverse direction. For outbound in the UI we create a list of projects that the source project can access.
For inbound in the UI we create a list of projects can access the source project.
MR context
This MR adds the database column that acts as an on/off switch for the inbound scope.
Here we also lay down a little model and factory related code used.
| MR | MR description |
|---|---|
| !98673 (merged) | Add a column to ci_job_token_project_scope_links with the outbound and inbound direction
|
| You are here | Add a column to project_ci_cd_settings to toggle the setting inbound inbound_job_token_scope_enabled
|
| !99165 (merged) | Backend: Allow toggling the inbound job token scope |
| !99166 (merged) | Backend: Add project to inbound scope (Graphql and REST) |
| TODO | Backend: Remove project from scope (Graphql and REST) |
| TODO | Backend: Read the inbound scope allow list |
| TODO | Backend: Core logic to restrict access based on the allow list |
| TODO | Flag removal & documentation (will require frontend complete) |
Please also see the feature documentation for the existing feature:
And the design for the additional feature:
![#346298[secure-bot-flow.png]](https://gitlab.com/gitlab-org/gitlab/-/issues/346298/designs/secure-bot-flow.png){kind=link}
Edited by Allison Browne