►
From YouTube: CI_JOB_TOKEN discussion 2023-07-24
Description
Sync discussion to decide the direction with an ongoing MR https://gitlab.com/gitlab-org/gitlab/-/merge_requests/121750
A
Cutting
this
24th
of
July
and
we
are
meeting
to
discuss
the
details
related
to
CI
job
token,
access
with
groups
in
general
and,
like
there
have
been
there's
been
a
lot
of
conversation
that
went
on
in
the
merge
request
that
was
created
by
Marcus,
and
we
just
want
to
like
make
sure
that
we
agree
on
the
direction
forward:
yeah,
okay,
let's
so
my
first
question
I
mean
I'll
vocalize
what
Fabio
has
mentioned,
so
he
says
that
the
suggestion
from
Marcel
the
most
recent
one
where
we
are
adding
a
toggle
to
allow
all
the
projects
in
the
same
group
to
have
access
to
this
particular
project,
to
provide
a
checkbox
together,
is
a
good
starting
point.
A
A
A
Foreign
by
the
way
here
is
the
proposal
that
we
are
talking
about
so
Marcel
mentioned
like
if
we
just
add
a
check
box
here
that
says
that
give
access
to
the
projects
in
the
same
group
to
the
group
that
this
particular
project
belongs
to.
So
that's
what
we
explored
here
and
based
on
Fabio's
comment,
which
is
like
the
same,
can
be
achieved
if
we
allow
us
the
project
allow
the
project
to
allow
list
an
entire
group.
The
project
adds
its
top
level
group
to
the
allow
list.
Now.
B
A
In
this
particular
one
I
mentioned
that
users
can
add
both
groups
and
project
to
their
allow
list
and
like
we
can
just
differentiate
between
those
in
the
table
by
mentioning
the
namespace
okay.
B
I
think
that
I
think
that
makes
sense
to
me
I
mean
we
could
also
have
a
separate,
separate
list
for
groups.
I
guess,
but
differentiating
them
by
a
Nikon
probably
makes
sense
I.
The
only
thing
I
worry
about
is,
if
there's
any
conflict
between
like
I
guess,
there's
no
way
like
there
would
be
a
conflict
between
like
the
group,
The
Project
name
and
the
like
a
group
name.
So,
oh.
A
Marcel
is
here
yay,
because
Marshall
did
have
some
questions
about
that
approach.
So
Alison,
if
you
can
repeat
your
question,
I
think.
B
B
Okay,
instead
of
the
project
path,.
A
Got
it
the
muscle
to
summarize
what
Allison
is
talking
about?
We
looked
at
Fabio's
comment
that
the
suggestion
that
you
had
provided
that
I
worked
on
here
and
added
this
toggle
to
give
access
to
projects
in
the
same
group.
The
same
can
be
achieved
if
we
allow,
if
you
are
the
project
or
Lawless
to
an
entire
group.
A
Now
there
was
a
proposal
that
I
worked
on
like
a
few
comments
before
which
kind
of
suggested
the
same,
like
you
can
paste
group
or
project
path
here
and
add
both
like
should
be
able
to
add
both
to
allow
list
and
Alison
was
just
mentioning
whether
or
not
like
she
was
just
thinking
out
a
lot
if
both
can
be
shown
in
the
same
list
or
we
need
to
separate
out
the
list
for
grouper
project
but
I.
Remember
you
having
some
concerns
with
the
overall
approach
here
in
this
comment.
C
Yeah
sorry
I'm
late
there
took
a
while
to
get
the
kids
to
bed.
I
didn't
actually
have
any
real
concerns
with
the
approach.
Yeah
I
think
it
was
a
little
bit
above
that
that
some
other
people
had
concerns
and
I
was
like
I,
actually
think
it'd
be
great
to
be
able
to
add
a
group
in
the
end,
and
there
were
some
different
discussions
about
projects
versus
groups
and-
and
let
me
just
scroll
up
I'm
looking
at
it
right
now
as
well.
C
Basically,
my
idea
is
just
that
there
was
a
whole
bunch
of
discussions
about
multiple
groups
and
projects
and
I
think
permissions,
and
things
like
that
and
I
was
just
just
throwing
out
an
idea
trying
to
reduce
the
scope
to
just
a
single
group,
and
it's
just
basically
what
would
I
want
and
in
the
docs
project,
generates
review
apps
from
five
different
projects,
but
all
of
those
projects
are
in
the
same
group
as
the
docs
project.
C
C
But
if
you
just
allow
people
that
any
group
they
could,
they
could
add
the
group
that
they're
part
of
into
an
allow
list
and
it
would
achieve
the
same
effect,
which
is
totally
true
as
well
so
yeah.
That's
all
I
was
thinking
just
just
an
idea
to
potentially
reduce
the
scope,
but
not
not
something
that
I
think
would
be
would
be
better
or
worse.
Just
smaller.
D
Yeah
the
thing
with
doing
groups
is
right
now
like
we're
getting
so
so
much
I'll
call
it
feedback
from
our
customers
right
like
when
we're
gonna
change
the
until
you
change
the
behavior
in
17-0
and
so
I
think.
If
we
were
to
do
it
by
groups
like
that
would
be
more
lovable
concept
and.
D
Like
it
would,
it
would
really
I
think
reduce
a
lot
of
the
heartburn
as
well
like
and
so
I
don't
know
if
it's
worth
doing
like
an
interim
step
with
just
projects
because
like
right
now
like
that's
what
the
complaining
is
about.
B
Yeah
I
do
agree,
though
I
mean
I,
I
haven't
done
like
customer
interviews
or
anything
obviously,
but
I
sort
of
agree
that,
like
probably
a
common
use
case,
is
just
within
the
same
group.
But
from
my
perspective
from
the
back
end,
I
would
still
develop
that
button
with
the
capabilities
of
adding
any
group
to
the
allow
list
like
that
would
just
be
the
way
I
I.
Don't
think
it
would
be
much
more
work
either
way
from
a
back-end
perspective.
B
C
Version
the
way
I
was
guessing
was
that
people
on
SAS
would
prefer
just
the
the
toggle,
because
I
think
a
lot
of
the
paid
customers.
They
just
have
their
own
namespace
and
they
can
just
say
well
just
add
my
my
group
to
the
to-
or
just
you
know,
enable
the
toggle
for
my
local
group,
but
then
it
would
be
more
for
self-managed
where
they
would
have.
You
know
multiple
groups
and
things
and
a
whole
variety
of
you
know
different
ways
that
they
could
set
it
up.
B
A
I
am
in
favor
of
like
directly
developing
the
capability
to
add
groups,
because
that
might
save
us
some
time
in
reworking
on
a
certain
things.
B
I,
don't
have
a
lot
of
context
in
that,
because
I've
been
working
on
AI
stuff,
so
I
haven't
really
been
involved
in
that
one
I'm
not
sure
who's
reviewing
it
currently.
Is
it
Fabio.
A
It
started
off
with
the
like,
with
the
proposal
to
allow
app
wait.
What
was
that.
C
I
just
watched
the
video
and
it
seems
like
it's
just
it's
using
the
same
interface,
but
you
instead
of
putting
a
project
path,
you'd
put
a
group
and
then
it
would
just
put
all
of
the
projects
in
the
list
of
the
project.
So
it
would
still
be
you
would
put
in
group
and
all
of
the
projects
within
that
group
would
then
populate
into
the
allow
list.
So
you're,
not
adding
a
group
you're,
adding
all
projects
of
a
group
to
the
project.
A
lot
list.
A
C
A
A
C
A
B
A
B
Trying
to
add
a
group
and
it
adds
all
the
projects.
It
looks
like
his
comment
on
that.
A
Mark
does
that
that's
when
I
also
created
this
issue
and
added
a
proposal
this
one,
the
one
that
I
had
showed
that
allows
adding
groups.
It
was
like
a
part
of
the
same
Mr
like
from
here
I
thought:
there's
a
need
to
document
it
and
created
that.
But
then
we
like
changed
the
approach
a
couple
times
and
I.
We
can
either
like
go
back
and
request
Marcus
to
like
take
the
follow
the
same
design
or.
C
I
I
would
say
like
like
just
change
the
design
and
just
say
you
know
this
is
the
requirement.
This
is
what
it
what
it
has
to
be.
Unfortunately,
like
we
appreciate
it,
what
do
you
want
to
do,
but
it
does
like
it
does
have
to
follow
this
design.
So,
if
you'd
like
to
work
on
it
great,
we
can
coach
you
with
it.
C
If,
if
we've
taken
it
down
a
path
that
you
don't
want
to
work
on
it
anymore,
that's
fine!
We
we
appreciate
the
the
work
that
you
put
into
it.
A
That
sounds
like
a
plan:
I
can
or
Justin
can
draft
like
a
message
there
and
see
what
happens.
Oh.
C
A
D
A
That
for
one
of
the
recent
merge
requests,
it
was
for.
A
Yeah
overriding
variables,
UI
checkbox,.