From c382239bf3f714a2cdc447a9b588127bfc42d0c9 Mon Sep 17 00:00:00 2001
From: Miranda Fluharty <mfluharty@gitlab.com>
Date: Mon, 13 May 2024 16:37:12 -0600
Subject: [PATCH 1/5] Clarify CI Job Token wording

Reword UI text around "Limit access to this project" toggle
Add card header secondary text, wrap it responsively
On md+ viewports, wrap text before it reaches the button
On smaller viewports, make the text full width and
wrap the button below the rest of the text

Changelog: changed
---
 .../token_access/components/inbound_token_access.vue | 12 ++++++++----
 .../components/outbound_token_access.vue             |  2 +-
 app/views/projects/settings/ci_cd/show.html.haml     |  4 ++--
 locale/gitlab.pot                                    | 12 +++++++++---
 4 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/app/assets/javascripts/token_access/components/inbound_token_access.vue b/app/assets/javascripts/token_access/components/inbound_token_access.vue
index 29dbc49f835aed..b881e864509543 100644
--- a/app/assets/javascripts/token_access/components/inbound_token_access.vue
+++ b/app/assets/javascripts/token_access/components/inbound_token_access.vue
@@ -27,9 +27,12 @@ export default {
   i18n: {
     toggleLabelTitle: s__('CICD|Limit access %{italicStart}to%{italicEnd} this project'),
     toggleDescription: s__(
-      `CICD|Allow access to this project from authorized groups or projects by adding them to the allowlist. It is a security risk to disable this feature, because unauthorized projects might attempt to retrieve an active token and access the API. %{linkStart}Learn more%{linkEnd}.`,
+      `CICD|When enabled, groups and projects listed in the allowlist are authorized to use a CI/CD job token to authenticate requests to this project. %{linkStart}Learn more%{linkEnd}.`,
+    ),
+    cardHeaderTitle: s__('CICD|Authorized groups and projects'),
+    cardHeaderDescription: s__(
+      `CICD|Ensure only groups and projects with members authorized to access sensitive project data are added to the allowlist.`,
     ),
-    cardHeaderTitle: s__('CICD|Groups and projects with access'),
     settingDisabledMessage: s__(
       'CICD|Access unrestricted, so users with sufficient permissions in this project can authenticate with a job token generated in any other project. Enable this setting to restrict authentication to only job tokens generated in the groups and projects in the allowlist below.',
     ),
@@ -273,7 +276,7 @@ export default {
       <div>
         <gl-card
           class="gl-new-card"
-          header-class="gl-new-card-header gl-border-bottom-0"
+          header-class="gl-new-card-header gl-border-bottom-0 gl-flex-wrap gl-md-flex-nowrap"
           body-class="gl-new-card-body gl-px-0"
         >
           <template #header>
@@ -299,8 +302,9 @@ export default {
                   {{ projectCount }}
                 </span>
               </div>
+              <p class="gl-text-secondary">{{ $options.i18n.cardHeaderDescription }}</p>
             </div>
-            <div class="gl-new-card-actions">
+            <div class="gl-new-card-actions gl-w-full gl-md-w-auto gl-text-right">
               <gl-button
                 v-if="!isAddFormVisible"
                 size="small"
diff --git a/app/assets/javascripts/token_access/components/outbound_token_access.vue b/app/assets/javascripts/token_access/components/outbound_token_access.vue
index c3d08b884fee16..d98a91529d2cf0 100644
--- a/app/assets/javascripts/token_access/components/outbound_token_access.vue
+++ b/app/assets/javascripts/token_access/components/outbound_token_access.vue
@@ -21,7 +21,7 @@ import getCIJobTokenScopeQuery from '../graphql/queries/get_ci_job_token_scope.q
 import getProjectsWithCIJobTokenScopeQuery from '../graphql/queries/get_projects_with_ci_job_token_scope.query.graphql';
 import TokenAccessTable from './token_access_table.vue';
 
-// Note: This component will be removed in 17.0, as the outbound access token is getting deprecated
+// Note: This component will be removed in 18.0, as the outbound access token is getting deprecated
 export default {
   i18n: {
     toggleLabelTitle: s__(
diff --git a/app/views/projects/settings/ci_cd/show.html.haml b/app/views/projects/settings/ci_cd/show.html.haml
index f21386065bb344..6df016c4ed265e 100644
--- a/app/views/projects/settings/ci_cd/show.html.haml
+++ b/app/views/projects/settings/ci_cd/show.html.haml
@@ -105,11 +105,11 @@
   %section.settings.no-animate#js-token-access{ class: ('expanded' if expanded) }
     .settings-header
       %h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only
-        = _("Token Access")
+        = _("Job token permissions")
       = render Pajamas::ButtonComponent.new(button_options: { class: 'js-settings-toggle' }) do
         = expanded ? _('Collapse') : _('Expand')
       %p.gl-text-secondary
-        = _("Control how the CI_JOB_TOKEN CI/CD variable is used for API access between projects.")
+        = _("Control whether CI/CD job tokens can be used to authenticate with this project.")
     .settings-content
       = render 'ci/token_access/index'
 
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index c82d77a48b1d01..f92bc51d84d0bc 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -10088,7 +10088,7 @@ msgstr ""
 msgid "CICD|Add an existing project to the scope"
 msgstr ""
 
-msgid "CICD|Allow access to this project from authorized groups or projects by adding them to the allowlist. It is a security risk to disable this feature, because unauthorized projects might attempt to retrieve an active token and access the API. %{linkStart}Learn more%{linkEnd}."
+msgid "CICD|Authorized groups and projects"
 msgstr ""
 
 msgid "CICD|Auto DevOps"
@@ -10121,7 +10121,7 @@ msgstr ""
 msgid "CICD|Enable feature to limit job token access to the following projects."
 msgstr ""
 
-msgid "CICD|Groups and projects with access"
+msgid "CICD|Ensure only groups and projects with members authorized to access sensitive project data are added to the allowlist."
 msgstr ""
 
 msgid "CICD|Jobs"
@@ -10163,6 +10163,9 @@ msgstr ""
 msgid "CICD|Use separate caches for protected branches"
 msgstr ""
 
+msgid "CICD|When enabled, groups and projects listed in the allowlist are authorized to use a CI/CD job token to authenticate requests to this project. %{linkStart}Learn more%{linkEnd}."
+msgstr ""
+
 msgid "CICD|group enabled"
 msgstr ""
 
@@ -14918,7 +14921,7 @@ msgstr ""
 msgid "Contributor analytics"
 msgstr ""
 
-msgid "Control how the CI_JOB_TOKEN CI/CD variable is used for API access between projects."
+msgid "Control whether CI/CD job tokens can be used to authenticate with this project."
 msgstr ""
 
 msgid "Control whether to display customer experience improvement content and third-party offers in GitLab."
@@ -29704,6 +29707,9 @@ msgstr ""
 msgid "Job logs and artifacts"
 msgstr ""
 
+msgid "Job token permissions"
+msgstr ""
+
 msgid "Job was retried"
 msgstr ""
 
-- 
GitLab


From 4bf365cc8bc450f7b3cb1ecfeaa2348c2889835d Mon Sep 17 00:00:00 2001
From: Miranda Fluharty <mfluharty@gitlab.com>
Date: Thu, 20 Jun 2024 20:24:23 -0600
Subject: [PATCH 2/5] Tweak wording slightly

Add description of what disabled toggle means
---
 .../token_access/components/inbound_token_access.vue            | 2 +-
 locale/gitlab.pot                                               | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/assets/javascripts/token_access/components/inbound_token_access.vue b/app/assets/javascripts/token_access/components/inbound_token_access.vue
index b881e864509543..593452e64b643c 100644
--- a/app/assets/javascripts/token_access/components/inbound_token_access.vue
+++ b/app/assets/javascripts/token_access/components/inbound_token_access.vue
@@ -27,7 +27,7 @@ export default {
   i18n: {
     toggleLabelTitle: s__('CICD|Limit access %{italicStart}to%{italicEnd} this project'),
     toggleDescription: s__(
-      `CICD|When enabled, groups and projects listed in the allowlist are authorized to use a CI/CD job token to authenticate requests to this project. %{linkStart}Learn more%{linkEnd}.`,
+      `CICD|When enabled, only groups and projects in the allowlist are authorized to use a CI/CD job token to authenticate requests to this project. When disabled, any group or project can do so. %{linkStart}Learn more%{linkEnd}.`,
     ),
     cardHeaderTitle: s__('CICD|Authorized groups and projects'),
     cardHeaderDescription: s__(
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index f92bc51d84d0bc..ad42a966ad3d3f 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -10163,7 +10163,7 @@ msgstr ""
 msgid "CICD|Use separate caches for protected branches"
 msgstr ""
 
-msgid "CICD|When enabled, groups and projects listed in the allowlist are authorized to use a CI/CD job token to authenticate requests to this project. %{linkStart}Learn more%{linkEnd}."
+msgid "CICD|When enabled, only groups and projects in the allowlist are authorized to use a CI/CD job token to authenticate requests to this project. When disabled, any group or project can do so. %{linkStart}Learn more%{linkEnd}."
 msgstr ""
 
 msgid "CICD|group enabled"
-- 
GitLab


From 2c5521d44018f245f25cfaf8bf67f55b600a596f Mon Sep 17 00:00:00 2001
From: Miranda Fluharty <mfluharty@gitlab.com>
Date: Tue, 25 Jun 2024 13:53:58 -0600
Subject: [PATCH 3/5] Update section name in search settings

Settings sections were added to the command palette
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153452
---
 lib/search/settings.rb | 2 +-
 locale/gitlab.pot      | 3 ---
 2 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/lib/search/settings.rb b/lib/search/settings.rb
index 9f83af8548198a..cb18b0d27a038f 100644
--- a/lib/search/settings.rb
+++ b/lib/search/settings.rb
@@ -58,7 +58,7 @@ def project_ci_cd_settings(project)
           href: project_settings_ci_cd_path(project, anchor: 'js-pipeline-triggers') },
         { text: _("Deploy freezes"),
           href: project_settings_ci_cd_path(project, anchor: 'js-deploy-freeze-settings') },
-        { text: _("Token Access"), href: project_settings_ci_cd_path(project, anchor: 'js-token-access') },
+        { text: _("Job token permissions"), href: project_settings_ci_cd_path(project, anchor: 'js-token-access') },
         { text: _("Secure Files"),
           href: project_settings_ci_cd_path(project, anchor: 'js-secure-files') }
       ]
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index ad42a966ad3d3f..5a2b0df8d9dd2b 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -55409,9 +55409,6 @@ msgstr ""
 msgid "Token"
 msgstr ""
 
-msgid "Token Access"
-msgstr ""
-
 msgid "Token name"
 msgstr ""
 
-- 
GitLab


From 944de9939af8ab3270371dd991bb180cacbe999d Mon Sep 17 00:00:00 2001
From: Miranda Fluharty <mfluharty@gitlab.com>
Date: Tue, 25 Jun 2024 14:04:55 -0600
Subject: [PATCH 4/5] Update section name in documentation

Replace instances of "Expand **Token acess**"
with "Expand **Job token permissions**"
---
 doc/ci/jobs/ci_job_token.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/doc/ci/jobs/ci_job_token.md b/doc/ci/jobs/ci_job_token.md
index 1cfb6cb6a2d0d8..0b0624b62ae05c 100644
--- a/doc/ci/jobs/ci_job_token.md
+++ b/doc/ci/jobs/ci_job_token.md
@@ -112,7 +112,7 @@ To add a group or project to the allowlist:
 
 1. On the left sidebar, select **Search or go to** and find your project.
 1. Select **Settings > CI/CD**.
-1. Expand **Token Access**.
+1. Expand **Job token permissions**.
 1. Ensure the **Limit access _to_ this project** toggle is enabled. Enabled by default in new projects.
    It is a security risk to disable this feature, so project maintainers or owners should
    keep this setting enabled at all times.
@@ -172,7 +172,7 @@ To disable the job token scope allowlist:
 
 1. On the left sidebar, select **Search or go to** and find your project.
 1. Select **Settings > CI/CD**.
-1. Expand **Token Access**.
+1. Expand **Job token permissions**.
 1. Toggle **Limit access _to_ this project** to disabled.
    Enabled by default in new projects.
 
@@ -223,7 +223,7 @@ To configure the job token scope:
 
 1. On the left sidebar, select **Search or go to** and find your project.
 1. Select **Settings > CI/CD**.
-1. Expand **Token Access**.
+1. Expand **Job token permissions**.
 1. Toggle **Limit access _from_ this project** to enabled.
 1. Optional. Add existing projects to the token's access scope. The user adding a
    project must have the Maintainer role in both projects.
-- 
GitLab


From 8a7ec924ac522ed35cc4965d86c5673075427413 Mon Sep 17 00:00:00 2001
From: Miranda Fluharty <mfluharty@gitlab.com>
Date: Thu, 27 Jun 2024 21:35:46 +0000
Subject: [PATCH 5/5] Add version history note

For each documentation section mentioning this settings section,
add a version history note about the name change
---
 doc/ci/jobs/ci_job_token.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/doc/ci/jobs/ci_job_token.md b/doc/ci/jobs/ci_job_token.md
index 0b0624b62ae05c..efb77896370398 100644
--- a/doc/ci/jobs/ci_job_token.md
+++ b/doc/ci/jobs/ci_job_token.md
@@ -88,6 +88,7 @@ with a job token from any project. These resources can also be [limited to only
 > - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/346298/) in GitLab 15.10.
 > - **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3.
 > - Adding groups to the job token allowlist [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.0.
+> - **Token Access** setting [renamed to **Job token permissions**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.2.
 
 You can add groups or projects to your job token allowlist to allow access your project's resources
 with a job token for authentication. By default, the allowlist of any project only includes itself.
@@ -151,6 +152,7 @@ To set a feature to be only visible to project members:
 ### Allow any project to access your project
 
 > - **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3.
+> - **Token Access** setting [renamed to **Job token permissions**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.2.
 
 WARNING:
 It is a security risk to disable the token access limit and allowlist. A malicious user could try to compromise
@@ -214,6 +216,7 @@ to make an API request to project `B`, then `B` must be added to the allowlist f
 ### Configure the job token scope (deprecated)
 
 > - **Limit CI_JOB_TOKEN access** setting [renamed to **Limit access _from_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3.
+> - **Token Access** setting [renamed to **Job token permissions**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.2.
 
 Prerequisites:
 
-- 
GitLab