From cb577d9363a8869acaaf020a74a210c6298091d7 Mon Sep 17 00:00:00 2001 From: Miranda Fluharty Date: Wed, 1 May 2024 14:54:25 -0600 Subject: [PATCH 1/4] Rename "Limit access..." to "Grant access..." Rename inbound token access CI/CD settings toggle from "Limit access to this project" to "Grant access to this project" Changelog: changed --- .../token_access/components/inbound_token_access.vue | 2 +- .../token_access/components/outbound_token_access.vue | 4 ++-- data/deprecations/15-9-insecure-ci-job-token.yml | 2 ++ data/deprecations/16-5-ci-job-token-limit-setting.yml | 2 ++ doc/api/project_job_token_scopes.md | 7 ++++--- doc/ci/debugging.md | 3 ++- doc/ci/jobs/ci_job_token.md | 10 ++++++---- doc/update/deprecations.md | 4 ++++ locale/gitlab.pot | 8 ++++---- 9 files changed, 27 insertions(+), 15 deletions(-) diff --git a/app/assets/javascripts/token_access/components/inbound_token_access.vue b/app/assets/javascripts/token_access/components/inbound_token_access.vue index 31575cd36b7184..72327b0b4efa5b 100644 --- a/app/assets/javascripts/token_access/components/inbound_token_access.vue +++ b/app/assets/javascripts/token_access/components/inbound_token_access.vue @@ -24,7 +24,7 @@ import TokenAccessTable from './token_access_table.vue'; export default { i18n: { - toggleLabelTitle: s__('CICD|Limit access %{italicStart}to%{italicEnd} this project'), + toggleLabelTitle: s__('CICD|Grant access to this project'), toggleDescription: s__( `CICD|Allow access to this project from authorized groups or projects by adding them to the allowlist. It is a security risk to disable this feature, because unauthorized projects might attempt to retrieve an active token and access the API. %{linkStart}Learn more%{linkEnd}.`, ), diff --git a/app/assets/javascripts/token_access/components/outbound_token_access.vue b/app/assets/javascripts/token_access/components/outbound_token_access.vue index aad46e730d8389..e7214f54fa9aef 100644 
--- a/app/assets/javascripts/token_access/components/outbound_token_access.vue +++ b/app/assets/javascripts/token_access/components/outbound_token_access.vue @@ -20,7 +20,7 @@ import getCIJobTokenScopeQuery from '../graphql/queries/get_ci_job_token_scope.q import getProjectsWithCIJobTokenScopeQuery from '../graphql/queries/get_projects_with_ci_job_token_scope.query.graphql'; import TokenAccessTable from './token_access_table.vue'; -// Note: This component will be removed in 17.0, as the outbound access token is getting deprecated +// Note: This component will be removed in 18.0, as the outbound access token is getting deprecated export default { i18n: { toggleLabelTitle: s__( @@ -39,7 +39,7 @@ export default { projectsFetchError: __('There was a problem fetching the projects'), scopeFetchError: __('There was a problem fetching the job token scope value'), outboundTokenAlertDeprecationMessage: s__( - `CICD|The %{boldStart}Limit access %{boldEnd}%{italicAndBoldStart}from%{italicAndBoldEnd}%{boldStart} this project%{boldEnd} setting is deprecated and will be removed in the 18.0 milestone. Use the %{boldStart}Limit access %{boldEnd}%{italicAndBoldStart}to%{italicAndBoldEnd}%{boldStart} this project%{boldEnd} setting and allowlist instead. %{linkStart}How do I do this?%{linkEnd}`, + `CICD|The %{boldStart}Limit access %{boldEnd}%{italicAndBoldStart}from%{italicAndBoldEnd}%{boldStart} this project%{boldEnd} setting is deprecated and will be removed in the 18.0 milestone. Use the %{boldStart}Grant access to this project%{boldEnd} setting and allowlist instead. %{linkStart}How do I do this?%{linkEnd}`, ), disableToggleWarning: s__('CICD|Disabling this feature is a permanent change.'), }, diff --git a/data/deprecations/15-9-insecure-ci-job-token.yml b/data/deprecations/15-9-insecure-ci-job-token.yml index 1be584b99dea8f..38bcfc1059f73c 100644 --- a/data/deprecations/15-9-insecure-ci-job-token.yml +++ b/data/deprecations/15-9-insecure-ci-job-token.yml 
@@ -20,6 +20,8 @@ To prepare for this change, users on GitLab.com or self-managed GitLab 15.9 or later can enable the **Allow access** setting now and add the other projects. It will not be possible to disable the setting in 18.0 or later. In 16.3, the names of these settings were changed to clarify their meanings: the deprecated **Limit CI_JOB_TOKEN access** setting is now called **Limit access _from_ this project**, and the newer **Allow access to this project with a CI_JOB_TOKEN** setting is now called **Limit access _to_ this project**. + + In 17.0, the name of the **Limit access _to_ this project** setting was further clarified: it is now called **Grant access to this project**. # # OPTIONAL END OF SUPPORT FIELDS # diff --git a/data/deprecations/16-5-ci-job-token-limit-setting.yml b/data/deprecations/16-5-ci-job-token-limit-setting.yml index 7a4b3af500b116..bc00539776917e 100644 --- a/data/deprecations/16-5-ci-job-token-limit-setting.yml +++ b/data/deprecations/16-5-ci-job-token-limit-setting.yml @@ -20,6 +20,8 @@ To prepare for this change, users on GitLab.com or self-managed GitLab 15.9 or later can enable the **Allow access** setting now and add the other projects. It will not be possible to disable the setting in 18.0 or later. In 16.3, the names of these settings were changed to clarify their meanings: the deprecated **Limit CI_JOB_TOKEN access** setting is now called **Limit access _from_ this project**, and the newer **Allow access to this project with a CI_JOB_TOKEN** setting is now called **Limit access _to_ this project**. + + In 17.0, the name of the **Limit access _to_ this project** setting was further clarified: it is now called **Grant access to this project**. # # OPTIONAL END OF SUPPORT FIELDS # diff --git a/doc/api/project_job_token_scopes.md b/doc/api/project_job_token_scopes.md index 761820784c4cbd..e1cb5bec651a9c 100644 --- a/doc/api/project_job_token_scopes.md +++ b/doc/api/project_job_token_scopes.md 
@@ -34,7 +34,7 @@ If successful, returns [`200`](rest/index.md#status-codes) and the following res | Attribute | Type | Description | |--------------------|---------|-------------| -| `inbound_enabled` | boolean | Indicates if the [**Limit access _to_ this project** setting](../ci/jobs/ci_job_token.md#add-a-group-or-project-to-the-job-token-allowlist) is enabled. | +| `inbound_enabled` | boolean | Indicates if the [**Grant access to this project** setting](../ci/jobs/ci_job_token.md#add-a-group-or-project-to-the-job-token-allowlist) is enabled. | | `outbound_enabled` | boolean | Indicates if the CI/CD job token generated in this project has access to other projects. [Deprecated and planned for removal in GitLab 18.0](../update/deprecations.md#default-cicd-job-token-ci_job_token-scope-changed). | Example request: @@ -55,8 +55,9 @@ Example response: ## Patch a project's CI/CD job token access settings > - **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3. +> - **Limit access _to_ this project** setting [renamed to **Grant access to this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.0. -Patch the [**Limit access _to_ this project** setting](../ci/jobs/ci_job_token.md#add-a-group-or-project-to-the-job-token-allowlist) (job token scope) of a project. +Patch the [**Grant access to this project** setting](../ci/jobs/ci_job_token.md#add-a-group-or-project-to-the-job-token-allowlist) (job token scope) of a project. ```plaintext PATCH /projects/:id/job_token_scope 
@@ -67,7 +68,7 @@ Supported attributes: | Attribute | Type | Required | Description | |-----------|----------------|----------|-------------| | `id` | integer/string | Yes | ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding). | -| `enabled` | boolean | Yes | Indicates if the [**Limit access _to_ this project** setting](../ci/jobs/ci_job_token.md#add-a-group-or-project-to-the-job-token-allowlist) should be enabled. | +| `enabled` | boolean | Yes | Indicates if the [**Grant access to this project** setting](../ci/jobs/ci_job_token.md#add-a-group-or-project-to-the-job-token-allowlist) should be enabled. | If successful, returns [`204`](rest/index.md#status-codes) and no response body. diff --git a/doc/ci/debugging.md b/doc/ci/debugging.md index d78c6163573c72..a0a1e25663d9f5 100644 --- a/doc/ci/debugging.md +++ b/doc/ci/debugging.md @@ -433,6 +433,7 @@ Ensure that included configuration files do not create a loop of references to e ### `Failed to pull image` messages > - **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3. +> - **Limit access _to_ this project** setting [renamed to **Grant access to this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.0. A runner might return a `Failed to pull image` message when trying to pull a container image in a CI/CD job. @@ -456,7 +457,7 @@ For example: These errors can happen if the following are both true: -- The [**Limit access _to_ this project**](jobs/ci_job_token.md#limit-job-token-scope-for-public-or-internal-projects) +- The [**Grant access to this project**](jobs/ci_job_token.md#limit-job-token-scope-for-public-or-internal-projects) option is enabled in the private project hosting the image. - The job attempting to fetch the image is running in a project that is not listed in the private project's allowlist. 
diff --git a/doc/ci/jobs/ci_job_token.md b/doc/ci/jobs/ci_job_token.md index caa3402985407c..8ee244dff47371 100644 --- a/doc/ci/jobs/ci_job_token.md +++ b/doc/ci/jobs/ci_job_token.md @@ -88,6 +88,7 @@ with a job token from any project. These resources can also be [limited to only > - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/346298/) in GitLab 15.10. > - **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3. > - Adding groups to the job token allowlist [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.0. +> - **Limit access _to_ this project** setting [renamed to **Grant access to this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.0. You can add groups or projects to your job token allowlist to allow access your project's resources with a job token for authentication. By default, the allowlist of any project only includes itself. @@ -109,7 +110,7 @@ To add a group or project to the allowlist: 1. On the left sidebar, select **Search or go to** and find your project. 1. Select **Settings > CI/CD**. 1. Expand **Token Access**. -1. Ensure the **Limit access _to_ this project** toggle is enabled. Enabled by default in new projects. +1. Ensure the **Grant access to this project** toggle is enabled. Enabled by default in new projects. It is a security risk to disable this feature, so project maintainers or owners should keep this setting enabled at all times. 1. Select **Add group or project**. 
@@ -147,13 +148,14 @@ To set a feature to be only visible to project members: ### Allow any project to access your project > - **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3. +> - **Limit access _to_ this project** setting [renamed to **Grant access to this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.0. WARNING: It is a security risk to disable the token access limit and allowlist. A malicious user could try to compromise a pipeline created in an unauthorized project. If the pipeline was created by one of your maintainers, the job token could be used in an attempt to access your project. -If you disable the **Limit access _to_ this project** setting, the allowlist is ignored. +If you disable the **Grant access to this project** setting, the allowlist is ignored. Jobs from any project could access your project with a job token if the user that triggers the pipeline has permission to access your project. @@ -169,7 +171,7 @@ To disable the job token scope allowlist: 1. On the left sidebar, select **Search or go to** and find your project. 1. Select **Settings > CI/CD**. 1. Expand **Token Access**. -1. Toggle **Limit access _to_ this project** to disabled. +1. Toggle **Grant access to this project** to disabled. Enabled by default in new projects. You can also enable and disable the setting with the [GraphQL](../../api/graphql/reference/index.md#mutationprojectcicdsettingsupdate) (`inboundJobTokenScopeEnabled`) and [REST](../../api/project_job_token_scopes.md#patch-a-projects-cicd-job-token-access-settings) API. 
@@ -191,7 +193,7 @@ proposes to change this behavior. NOTE: The [**Limit access _from_ this project**](#configure-the-job-token-scope-deprecated) setting is disabled by default for all new projects and is [scheduled for removal](https://gitlab.com/gitlab-org/gitlab/-/issues/383084) -in GitLab 17.0. Project maintainers or owners should configure the [**Limit access _to_ this project**](#add-a-group-or-project-to-the-job-token-allowlist) +in GitLab 18.0. Project maintainers or owners should configure the [**Grant access to this project**](#add-a-group-or-project-to-the-job-token-allowlist) setting instead. Control your project's job token scope by creating an allowlist of projects which diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md index 190d895e8d2a2d..fc69561ef4efb0 100644 --- a/doc/update/deprecations.md +++ b/doc/update/deprecations.md @@ -174,6 +174,8 @@ To prepare for this change, users on GitLab.com or self-managed GitLab 15.9 or l In 16.3, the names of these settings were changed to clarify their meanings: the deprecated **Limit CI_JOB_TOKEN access** setting is now called **Limit access _from_ this project**, and the newer **Allow access to this project with a CI_JOB_TOKEN** setting is now called **Limit access _to_ this project**. +In 17.0, the name of the **Limit access _to_ this project** setting was further clarified: it is now called **Grant access to this project**. +
@@ -2907,6 +2909,8 @@ To prepare for this change, users on GitLab.com or self-managed GitLab 15.9 or l In 16.3, the names of these settings were changed to clarify their meanings: the deprecated **Limit CI_JOB_TOKEN access** setting is now called **Limit access _from_ this project**, and the newer **Allow access to this project with a CI_JOB_TOKEN** setting is now called **Limit access _to_ this project**. +In 17.0, the name of the **Limit access _to_ this project** setting was further clarified: it is now called **Grant access to this project**. +
diff --git a/locale/gitlab.pot b/locale/gitlab.pot index 8e0f199f08d43d..4957825f0c1edc 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -9838,6 +9838,9 @@ msgstr "" msgid "CICD|Enable feature to limit job token access to the following projects." msgstr "" +msgid "CICD|Grant access to this project" +msgstr "" + msgid "CICD|Groups and projects with access" msgstr "" @@ -9850,9 +9853,6 @@ msgstr "" msgid "CICD|Limit access %{italicStart}from%{italicEnd} this project (Deprecated)" msgstr "" -msgid "CICD|Limit access %{italicStart}to%{italicEnd} this project" -msgstr "" - msgid "CICD|Maintainer" msgstr "" @@ -9865,7 +9865,7 @@ msgstr "" msgid "CICD|Prevent CI/CD job tokens from this project from being used to access other projects unless the other project is added to the allowlist. It is a security risk to disable this feature, because unauthorized projects might attempt to retrieve an active token and access the API. %{linkStart}Learn more%{linkEnd}." msgstr "" -msgid "CICD|The %{boldStart}Limit access %{boldEnd}%{italicAndBoldStart}from%{italicAndBoldEnd}%{boldStart} this project%{boldEnd} setting is deprecated and will be removed in the 18.0 milestone. Use the %{boldStart}Limit access %{boldEnd}%{italicAndBoldStart}to%{italicAndBoldEnd}%{boldStart} this project%{boldEnd} setting and allowlist instead. %{linkStart}How do I do this?%{linkEnd}" +msgid "CICD|The %{boldStart}Limit access %{boldEnd}%{italicAndBoldStart}from%{italicAndBoldEnd}%{boldStart} this project%{boldEnd} setting is deprecated and will be removed in the 18.0 milestone. Use the %{boldStart}Grant access to this project%{boldEnd} setting and allowlist instead. %{linkStart}How do I do this?%{linkEnd}" msgstr "" msgid "CICD|The Auto DevOps pipeline runs by default in all projects with no CI/CD configuration file. %{link_start}What is Auto DevOps?%{link_end}" -- GitLab From e6a4e12b2ddc4a03a9197201af45e4313028b43a Mon Sep 17 00:00:00 2001 
From: Miranda Fluharty Date: Mon, 13 May 2024 12:42:11 -0600 Subject: [PATCH 2/4] Update milestone to 17.1 --- data/deprecations/15-9-insecure-ci-job-token.yml | 2 +- data/deprecations/16-5-ci-job-token-limit-setting.yml | 2 +- doc/api/project_job_token_scopes.md | 2 +- doc/ci/debugging.md | 2 +- doc/ci/jobs/ci_job_token.md | 4 ++-- doc/update/deprecations.md | 4 ++-- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/data/deprecations/15-9-insecure-ci-job-token.yml b/data/deprecations/15-9-insecure-ci-job-token.yml index 38bcfc1059f73c..705d508c16bb28 100644 --- a/data/deprecations/15-9-insecure-ci-job-token.yml +++ b/data/deprecations/15-9-insecure-ci-job-token.yml @@ -21,7 +21,7 @@ In 16.3, the names of these settings were changed to clarify their meanings: the deprecated **Limit CI_JOB_TOKEN access** setting is now called **Limit access _from_ this project**, and the newer **Allow access to this project with a CI_JOB_TOKEN** setting is now called **Limit access _to_ this project**. - In 17.0, the name of the **Limit access _to_ this project** setting was further clarified: it is now called **Grant access to this project**. + In 17.1, the name of the **Limit access _to_ this project** setting was further clarified: it is now called **Grant access to this project**. # # OPTIONAL END OF SUPPORT FIELDS # diff --git a/data/deprecations/16-5-ci-job-token-limit-setting.yml b/data/deprecations/16-5-ci-job-token-limit-setting.yml index bc00539776917e..014ea9e4a01915 100644 --- a/data/deprecations/16-5-ci-job-token-limit-setting.yml +++ b/data/deprecations/16-5-ci-job-token-limit-setting.yml 
@@ -21,7 +21,7 @@ In 16.3, the names of these settings were changed to clarify their meanings: the deprecated **Limit CI_JOB_TOKEN access** setting is now called **Limit access _from_ this project**, and the newer **Allow access to this project with a CI_JOB_TOKEN** setting is now called **Limit access _to_ this project**. - In 17.0, the name of the **Limit access _to_ this project** setting was further clarified: it is now called **Grant access to this project**. + In 17.1, the name of the **Limit access _to_ this project** setting was further clarified: it is now called **Grant access to this project**. # # OPTIONAL END OF SUPPORT FIELDS # diff --git a/doc/api/project_job_token_scopes.md b/doc/api/project_job_token_scopes.md index e1cb5bec651a9c..c5f6a9330bc488 100644 --- a/doc/api/project_job_token_scopes.md +++ b/doc/api/project_job_token_scopes.md @@ -55,7 +55,7 @@ Example response: ## Patch a project's CI/CD job token access settings > - **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3. -> - **Limit access _to_ this project** setting [renamed to **Grant access to this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.0. +> - **Limit access _to_ this project** setting [renamed to **Grant access to this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.1. Patch the [**Grant access to this project** setting](../ci/jobs/ci_job_token.md#add-a-group-or-project-to-the-job-token-allowlist) (job token scope) of a project. diff --git a/doc/ci/debugging.md b/doc/ci/debugging.md index a0a1e25663d9f5..32f03c37a364f6 100644 --- a/doc/ci/debugging.md +++ b/doc/ci/debugging.md 
@@ -433,7 +433,7 @@ Ensure that included configuration files do not create a loop of references to e ### `Failed to pull image` messages > - **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3. -> - **Limit access _to_ this project** setting [renamed to **Grant access to this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.0. +> - **Limit access _to_ this project** setting [renamed to **Grant access to this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.1. A runner might return a `Failed to pull image` message when trying to pull a container image in a CI/CD job. diff --git a/doc/ci/jobs/ci_job_token.md b/doc/ci/jobs/ci_job_token.md index 8ee244dff47371..ec1cf2b967434c 100644 --- a/doc/ci/jobs/ci_job_token.md +++ b/doc/ci/jobs/ci_job_token.md @@ -88,7 +88,7 @@ with a job token from any project. These resources can also be [limited to only > - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/346298/) in GitLab 15.10. > - **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3. > - Adding groups to the job token allowlist [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.0. -> - **Limit access _to_ this project** setting [renamed to **Grant access to this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.0. +> - **Limit access _to_ this project** setting [renamed to **Grant access to this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.1. You can add groups or projects to your job token allowlist to allow access your project's resources with a job token for authentication. By default, the allowlist of any project only includes itself. 
@@ -148,7 +148,7 @@ To set a feature to be only visible to project members: ### Allow any project to access your project > - **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3. -> - **Limit access _to_ this project** setting [renamed to **Grant access to this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.0. +> - **Limit access _to_ this project** setting [renamed to **Grant access to this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.1. WARNING: It is a security risk to disable the token access limit and allowlist. A malicious user could try to compromise diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md index fc69561ef4efb0..f5a11047b0b4ab 100644 --- a/doc/update/deprecations.md +++ b/doc/update/deprecations.md @@ -174,7 +174,7 @@ To prepare for this change, users on GitLab.com or self-managed GitLab 15.9 or l In 16.3, the names of these settings were changed to clarify their meanings: the deprecated **Limit CI_JOB_TOKEN access** setting is now called **Limit access _from_ this project**, and the newer **Allow access to this project with a CI_JOB_TOKEN** setting is now called **Limit access _to_ this project**. -In 17.0, the name of the **Limit access _to_ this project** setting was further clarified: it is now called **Grant access to this project**. +In 17.1, the name of the **Limit access _to_ this project** setting was further clarified: it is now called **Grant access to this project**.
@@ -2909,7 +2909,7 @@ To prepare for this change, users on GitLab.com or self-managed GitLab 15.9 or l In 16.3, the names of these settings were changed to clarify their meanings: the deprecated **Limit CI_JOB_TOKEN access** setting is now called **Limit access _from_ this project**, and the newer **Allow access to this project with a CI_JOB_TOKEN** setting is now called **Limit access _to_ this project**. -In 17.0, the name of the **Limit access _to_ this project** setting was further clarified: it is now called **Grant access to this project**. +In 17.1, the name of the **Limit access _to_ this project** setting was further clarified: it is now called **Grant access to this project**. -- GitLab From b6ad0526d67f9946058202923cc718c9fefaf5f5 Mon Sep 17 00:00:00 2001 From: Miranda Fluharty Date: Mon, 13 May 2024 16:37:12 -0600 Subject: [PATCH 3/4] Update wording to "Job token permissions" --- .../components/inbound_token_access.vue | 12 ++++++---- .../components/outbound_token_access.vue | 2 +- .../projects/settings/ci_cd/show.html.haml | 4 ++-- locale/gitlab.pot | 23 +++++++++++-------- 4 files changed, 24 insertions(+), 17 deletions(-) diff --git a/app/assets/javascripts/token_access/components/inbound_token_access.vue b/app/assets/javascripts/token_access/components/inbound_token_access.vue index 72327b0b4efa5b..6a2688fc83df35 100644 --- a/app/assets/javascripts/token_access/components/inbound_token_access.vue +++ b/app/assets/javascripts/token_access/components/inbound_token_access.vue 
@@ -24,11 +24,14 @@ import TokenAccessTable from './token_access_table.vue'; export default { i18n: { - toggleLabelTitle: s__('CICD|Grant access to this project'), + toggleLabelTitle: s__('CICD|Allow CI/CD job token access'), toggleDescription: s__( - `CICD|Allow access to this project from authorized groups or projects by adding them to the allowlist. It is a security risk to disable this feature, because unauthorized projects might attempt to retrieve an active token and access the API. %{linkStart}Learn more%{linkEnd}.`, + `CICD|When enabled, groups and projects listed in the allowlist are authorized to use a CI/CD job token to authenticate requests to this project. %{linkStart}Learn more%{linkEnd}.`, + ), + cardHeaderTitle: s__('CICD|Authorized groups and projects'), + cardHeaderDescription: s__( + `CICD|Ensure only groups and projects with members authorized to access sensitive project data are added to the allowlist.`, ), - cardHeaderTitle: s__('CICD|Groups and projects with access'), settingDisabledMessage: s__( 'CICD|No access is currently allowed to this project. Enable feature to authorize access from groups or projects in the allowlist below.', ), @@ -258,7 +261,7 @@ export default {
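Review bot: The new `toggleDescription` in the `@@ -24,11 +24,14 @@` hunk of inbound_token_access.vue drops the sentence warning that disabling this setting is a security risk, and none of the added strings replaces it. The new `cardHeaderDescription` says who belongs on the allowlist but not what happens when the toggle is off; the ci_job_token.md text shown earlier in this series states that the allowlist is then ignored and jobs from any project could use a job token against this project. I would keep one sentence of that in the description, for example `... to authenticate requests to this project. It is a security risk to disable this setting, because the allowlist is then ignored. %{linkStart}Learn more%{linkEnd}.`, with the matching msgid in locale/gitlab.pot. The unchanged `settingDisabledMessage` ("No access is currently allowed to this project") appears to say the opposite of that documentation and should be checked against the actual behaviour. The `i18n` object continues outside the hunk.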
diff --git a/app/assets/javascripts/token_access/components/outbound_token_access.vue b/app/assets/javascripts/token_access/components/outbound_token_access.vue index e7214f54fa9aef..dabfc799b8af66 100644 --- a/app/assets/javascripts/token_access/components/outbound_token_access.vue +++ b/app/assets/javascripts/token_access/components/outbound_token_access.vue @@ -39,7 +39,7 @@ export default { projectsFetchError: __('There was a problem fetching the projects'), scopeFetchError: __('There was a problem fetching the job token scope value'), outboundTokenAlertDeprecationMessage: s__( - `CICD|The %{boldStart}Limit access %{boldEnd}%{italicAndBoldStart}from%{italicAndBoldEnd}%{boldStart} this project%{boldEnd} setting is deprecated and will be removed in the 18.0 milestone. Use the %{boldStart}Grant access to this project%{boldEnd} setting and allowlist instead. %{linkStart}How do I do this?%{linkEnd}`, + `CICD|The %{boldStart}Limit access %{boldEnd}%{italicAndBoldStart}from%{italicAndBoldEnd}%{boldStart} this project%{boldEnd} setting is deprecated and will be removed in the 18.0 milestone. Use the %{boldStart}Allow CI/CD job token access%{boldEnd} setting and allowlist instead. %{linkStart}How do I do this?%{linkEnd}`, ), disableToggleWarning: s__('CICD|Disabling this feature is a permanent change.'), }, diff --git a/app/views/projects/settings/ci_cd/show.html.haml b/app/views/projects/settings/ci_cd/show.html.haml index 290756e5aad2c0..322d958763d395 100644 --- a/app/views/projects/settings/ci_cd/show.html.haml +++ b/app/views/projects/settings/ci_cd/show.html.haml 
@@ -103,11 +103,11 @@ %section.settings.no-animate#js-token-access{ class: ('expanded' if expanded) } .settings-header %h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only - = _("Token Access") + = _("Job token permissions") = render Pajamas::ButtonComponent.new(button_options: { class: 'js-settings-toggle' }) do = expanded ? _('Collapse') : _('Expand') %p.gl-text-secondary - = _("Control how the CI_JOB_TOKEN CI/CD variable is used for API access between projects.") + = _("Control whether CI/CD job tokens can be used to authenticate with this project.") .settings-content = render 'ci/token_access/index' diff --git a/locale/gitlab.pot b/locale/gitlab.pot index 4957825f0c1edc..a0c2070a9ed42f 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -9805,7 +9805,10 @@ msgstr "" msgid "CICD|Add an existing project to the scope" msgstr "" -msgid "CICD|Allow access to this project from authorized groups or projects by adding them to the allowlist. It is a security risk to disable this feature, because unauthorized projects might attempt to retrieve an active token and access the API. %{linkStart}Learn more%{linkEnd}." +msgid "CICD|Allow CI/CD job token access" +msgstr "" + +msgid "CICD|Authorized groups and projects" msgstr "" msgid "CICD|Auto DevOps" @@ -9838,10 +9841,7 @@ msgstr "" msgid "CICD|Enable feature to limit job token access to the following projects." msgstr "" -msgid "CICD|Grant access to this project" -msgstr "" - -msgid "CICD|Groups and projects with access" +msgid "CICD|Ensure only groups and projects with members authorized to access sensitive project data are added to the allowlist." msgstr "" msgid "CICD|Jobs" 
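Review bot: Renaming the section heading to `Job token permissions` in show.html.haml, together with the toggle label `Allow CI/CD job token access` in the .vue files, leaves the documentation edited in patches 1 and 2 pointing at names that are no longer in the UI. ci_job_token.md still tells users to expand **Token Access** and to check the **Grant access to this project** toggle, and patch 3's diffstat lists no documentation files. Unless the docs are updated elsewhere, the written steps for a security-relevant setting will not match the page users see. I would update them in the same series, for example `1. Expand **Job token permissions**.` and `1. Ensure the **Allow CI/CD job token access** toggle is enabled.`, and adjust the rename history notes accordingly.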
@@ -9865,7 +9865,7 @@ msgstr "" msgid "CICD|Prevent CI/CD job tokens from this project from being used to access other projects unless the other project is added to the allowlist. It is a security risk to disable this feature, because unauthorized projects might attempt to retrieve an active token and access the API. %{linkStart}Learn more%{linkEnd}." msgstr "" -msgid "CICD|The %{boldStart}Limit access %{boldEnd}%{italicAndBoldStart}from%{italicAndBoldEnd}%{boldStart} this project%{boldEnd} setting is deprecated and will be removed in the 18.0 milestone. Use the %{boldStart}Grant access to this project%{boldEnd} setting and allowlist instead. %{linkStart}How do I do this?%{linkEnd}" +msgid "CICD|The %{boldStart}Limit access %{boldEnd}%{italicAndBoldStart}from%{italicAndBoldEnd}%{boldStart} this project%{boldEnd} setting is deprecated and will be removed in the 18.0 milestone. Use the %{boldStart}Allow CI/CD job token access%{boldEnd} setting and allowlist instead. %{linkStart}How do I do this?%{linkEnd}" msgstr "" msgid "CICD|The Auto DevOps pipeline runs by default in all projects with no CI/CD configuration file. %{link_start}What is Auto DevOps?%{link_end}" @@ -9883,6 +9883,9 @@ msgstr "" msgid "CICD|Use separate caches for protected branches" msgstr "" +msgid "CICD|When enabled, groups and projects listed in the allowlist are authorized to use a CI/CD job token to authenticate requests to this project. %{linkStart}Learn more%{linkEnd}." +msgstr "" + msgid "CICD|group enabled" msgstr "" @@ -14596,7 +14599,7 @@ msgstr "" msgid "Contributor analytics" msgstr "" -msgid "Control how the CI_JOB_TOKEN CI/CD variable is used for API access between projects." +msgid "Control whether CI/CD job tokens can be used to authenticate with this project." msgstr "" msgid "Control whether to display customer experience improvement content and third-party offers in GitLab." 
@@ -29250,6 +29253,9 @@ msgstr "" msgid "Job logs and artifacts" msgstr "" +msgid "Job token permissions" +msgstr "" + msgid "Job was retried" msgstr "" @@ -54296,9 +54302,6 @@ msgstr "" msgid "Token" msgstr "" -msgid "Token Access" -msgstr "" - msgid "Token name" msgstr "" -- GitLab From 1820083d70b8f65b2a4bf7b8254d5df456a2df36 Mon Sep 17 00:00:00 2001 From: Miranda Fluharty Date: Tue, 14 May 2024 12:08:34 -0600 Subject: [PATCH 4/4] Wrap card header secondary text responsively On md+ viewports, wrap text before it reaches the button On smaller viewports, make the text full width and wrap the button below the rest of the text --- .../components/inbound_token_access.vue | 28 ++++++++++--------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/app/assets/javascripts/token_access/components/inbound_token_access.vue b/app/assets/javascripts/token_access/components/inbound_token_access.vue index 6a2688fc83df35..5e462754f345e6 100644 --- a/app/assets/javascripts/token_access/components/inbound_token_access.vue +++ b/app/assets/javascripts/token_access/components/inbound_token_access.vue @@ -261,22 +261,25 @@ export default {
-- GitLab