Unverified · Commit 4370a0ee · Author: Frédéric Caplette · Committer: GitLab

Merge branch '415519-add-groups-to-ci-job-token-allowlist-5' into 'master'

......@@ -29,9 +29,12 @@ export default {
i18n: {
toggleLabelTitle: s__('CICD|Limit access %{italicStart}to%{italicEnd} this project'),
toggleDescription: s__(
`CICD|Allow access to this project from authorized groups or projects by adding them to the allowlist. It is a security risk to disable this feature, because unauthorized projects might attempt to retrieve an active token and access the API. %{linkStart}Learn more%{linkEnd}.`,
`CICD|When enabled, only groups and projects in the allowlist are authorized to use a CI/CD job token to authenticate requests to this project. When disabled, any group or project can do so. %{linkStart}Learn more%{linkEnd}.`,
),
cardHeaderTitle: s__('CICD|Authorized groups and projects'),
cardHeaderDescription: s__(
`CICD|Ensure only groups and projects with members authorized to access sensitive project data are added to the allowlist.`,
),
cardHeaderTitle: s__('CICD|Groups and projects with access'),
settingDisabledMessage: s__(
'CICD|Access unrestricted, so users with sufficient permissions in this project can authenticate with a job token generated in any other project. Enable this setting to restrict authentication to only job tokens generated in the groups and projects in the allowlist below.',
),
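Review bot: The rewritten `toggleDescription` drops the sentence that called disabling this setting a security risk, and the new wording ("When disabled, any group or project can do so") reads as a neutral choice. The docs touched in this same commit still say "It is a security risk to disable this feature", so consider keeping a short risk statement in the toggle text, or confirm that `settingDisabledMessage` is always shown beside the toggle when it is off. The added `cardHeaderDescription` is useful as written, because it tells maintainers what an allowlist entry grants.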
......@@ -284,7 +287,7 @@ export default {
<div>
<gl-card
class="gl-new-card"
header-class="gl-new-card-header gl-border-bottom-0"
header-class="gl-new-card-header gl-border-bottom-0 gl-flex-wrap gl-md-flex-nowrap"
body-class="gl-new-card-body gl-px-0"
>
<template #header>
......@@ -310,8 +313,9 @@ export default {
{{ projectCount }}
</span>
</div>
<p class="gl-text-secondary">{{ $options.i18n.cardHeaderDescription }}</p>
</div>
<div class="gl-new-card-actions">
<div class="gl-new-card-actions gl-w-full gl-md-w-auto gl-text-right">
<gl-button
v-if="!isAddFormVisible"
size="small"
......
......@@ -21,7 +21,7 @@ import getCIJobTokenScopeQuery from '../graphql/queries/get_ci_job_token_scope.q
import getProjectsWithCIJobTokenScopeQuery from '../graphql/queries/get_projects_with_ci_job_token_scope.query.graphql';
import TokenAccessTable from './token_access_table.vue';
// Note: This component will be removed in 17.0, as the outbound access token is getting deprecated
// Note: This component will be removed in 18.0, as the outbound access token is getting deprecated
export default {
i18n: {
toggleLabelTitle: s__(
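Review bot: The removal note on the component moves from 17.0 to 18.0 but still points at nothing that tracks the removal, so it can go stale again. Suggest adding the deprecation issue URL to the comment so the target version can be checked against a single source.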
......
......@@ -105,11 +105,11 @@
%section.settings.no-animate#js-token-access{ class: ('expanded' if expanded) }
.settings-header
%h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only
= _("Token Access")
= _("Job token permissions")
= render Pajamas::ButtonComponent.new(button_options: { class: 'js-settings-toggle' }) do
= expanded ? _('Collapse') : _('Expand')
%p.gl-text-secondary
= _("Control how the CI_JOB_TOKEN CI/CD variable is used for API access between projects.")
= _("Control whether CI/CD job tokens can be used to authenticate with this project.")
.settings-content
= render 'ci/token_access/index'
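Review bot: The new section description covers only inbound use ("authenticate with this project"), but the docs hunks in this commit still place the deprecated **Limit access _from_ this project** toggle under the same **Job token permissions** section. Either mention the outbound scope in the description until that setting is removed, or confirm the outbound toggle no longer renders in this section. Leaving the `#js-token-access` id unchanged is right, since `project_ci_cd_settings` still links to that anchor.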
......
......@@ -88,6 +88,7 @@ with a job token from any project. These resources can also be [limited to only
> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/346298/) in GitLab 15.10.
> - **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3.
> - Adding groups to the job token allowlist [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.0.
> - **Token Access** setting [renamed to **Job token permissions**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.2.
You can add groups or projects to your job token allowlist to allow access your project's resources
with a job token for authentication. By default, the allowlist of any project only includes itself.
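Review bot: Nit on the context sentence directly under the new history item: "to allow access your project's resources" is missing "to". Since this section is being touched anyway, fix it to "to allow access to your project's resources" in the same change.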
......@@ -112,7 +113,7 @@ To add a group or project to the allowlist:
1. On the left sidebar, select **Search or go to** and find your project.
1. Select **Settings > CI/CD**.
1. Expand **Token Access**.
1. Expand **Job token permissions**.
1. Ensure the **Limit access _to_ this project** toggle is enabled. Enabled by default in new projects.
It is a security risk to disable this feature, so project maintainers or owners should
keep this setting enabled at all times.
......@@ -151,6 +152,7 @@ To set a feature to be only visible to project members:
### Allow any project to access your project
> - **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3.
> - **Token Access** setting [renamed to **Job token permissions**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.2.
WARNING:
It is a security risk to disable the token access limit and allowlist. A malicious user could try to compromise
......@@ -172,7 +174,7 @@ To disable the job token scope allowlist:
1. On the left sidebar, select **Search or go to** and find your project.
1. Select **Settings > CI/CD**.
1. Expand **Token Access**.
1. Expand **Job token permissions**.
1. Toggle **Limit access _to_ this project** to disabled.
Enabled by default in new projects.
......@@ -230,6 +232,7 @@ to make an API request to project `B`, then `B` must be added to the allowlist f
### Configure the job token scope (deprecated)
> - **Limit CI_JOB_TOKEN access** setting [renamed to **Limit access _from_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3.
> - **Token Access** setting [renamed to **Job token permissions**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.2.
Prerequisites:
......@@ -239,7 +242,7 @@ To configure the job token scope:
1. On the left sidebar, select **Search or go to** and find your project.
1. Select **Settings > CI/CD**.
1. Expand **Token Access**.
1. Expand **Job token permissions**.
1. Toggle **Limit access _from_ this project** to enabled.
1. Optional. Add existing projects to the token's access scope. The user adding a
project must have the Maintainer role in both projects.
......
......@@ -58,7 +58,7 @@ def project_ci_cd_settings(project)
href: project_settings_ci_cd_path(project, anchor: 'js-pipeline-triggers') },
{ text: _("Deploy freezes"),
href: project_settings_ci_cd_path(project, anchor: 'js-deploy-freeze-settings') },
{ text: _("Token Access"), href: project_settings_ci_cd_path(project, anchor: 'js-token-access') },
{ text: _("Job token permissions"), href: project_settings_ci_cd_path(project, anchor: 'js-token-access') },
{ text: _("Secure Files"),
href: project_settings_ci_cd_path(project, anchor: 'js-secure-files') }
]
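Review bot: The entry's `text` now carries only the new label, so anyone looking for this setting under its old name "Token Access" gets no match from this list. If the list feeds settings search, consider whether the old name should stay findable for a release. Keeping the `js-token-access` anchor unchanged correctly preserves existing deep links.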
......
......@@ -10069,7 +10069,7 @@ msgstr ""
msgid "CICD|Add an existing project to the scope"
msgstr ""
 
msgid "CICD|Allow access to this project from authorized groups or projects by adding them to the allowlist. It is a security risk to disable this feature, because unauthorized projects might attempt to retrieve an active token and access the API. %{linkStart}Learn more%{linkEnd}."
msgid "CICD|Authorized groups and projects"
msgstr ""
 
msgid "CICD|Auto DevOps"
......@@ -10102,7 +10102,7 @@ msgstr ""
msgid "CICD|Enable feature to limit job token access to the following projects."
msgstr ""
 
msgid "CICD|Groups and projects with access"
msgid "CICD|Ensure only groups and projects with members authorized to access sensitive project data are added to the allowlist."
msgstr ""
 
msgid "CICD|Jobs"
......@@ -10147,6 +10147,9 @@ msgstr ""
msgid "CICD|Use separate caches for protected branches"
msgstr ""
 
msgid "CICD|When enabled, only groups and projects in the allowlist are authorized to use a CI/CD job token to authenticate requests to this project. When disabled, any group or project can do so. %{linkStart}Learn more%{linkEnd}."
msgstr ""
msgid "CICD|group enabled"
msgstr ""
 
......@@ -14944,7 +14947,7 @@ msgstr ""
msgid "Contributor analytics"
msgstr ""
 
msgid "Control how the CI_JOB_TOKEN CI/CD variable is used for API access between projects."
msgid "Control whether CI/CD job tokens can be used to authenticate with this project."
msgstr ""
 
msgid "Control whether to display customer experience improvement content and third-party offers in GitLab."
......@@ -29664,6 +29667,9 @@ msgstr ""
msgid "Job logs and artifacts"
msgstr ""
 
msgid "Job token permissions"
msgstr ""
msgid "Job was retried"
msgstr ""
 
......@@ -55331,9 +55337,6 @@ msgstr ""
msgid "Token"
msgstr ""
 
msgid "Token Access"
msgstr ""
msgid "Token name"
msgstr ""
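Review bot: Removing the "Token Access" msgid is only safe if no other call site still passes that string to `_()`. The diff shown here updates two of them (the HAML settings header and `project_ci_cd_settings`), so a quick search for any remaining use before merge is worthwhile, because a leftover call would lose its translations.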
 