gitlab-token-scope-adjuster
CLI tool for automatically adjusting CI_JOB_TOKEN access scope based on project dependencies in GitLab.
MIT License
GitLab CI Job Token Scope Adjuster
This CLI tool helps automate the process of configuring CI job token scopes in GitLab projects.
Starting from GitLab 16, it is mandatory to explicitly configure CI_JOB_TOKEN access, and this tool simplifies that by
automating the necessary API calls.
How it works?
- Fetches project details from GitLab.
- Identifies dependency files (
go.mod,composer.json,package-lock.json) in the repository. - Extracts dependencies from these files.
- Configures CI job token scopes to whitelist the source project in dependency projects.
graph LR
A[gitlab-token-scope-adjuster -p 1234] --> B[Fetch Project Details]
B --> C[Identify Dependency Files]
C --> D[Process Each Dependency File]
D --> E[Extract Dependencies]
E --> F[Whitelist project CI_JOB_TOKEN in the Dependency Project]
Prerequisites
- Node.js (>= 22.x)
- ts-node
- GitLab access token with the necessary permissions
Installation
Install @shini4i/gitlab-token-scope-adjuster package:
npm install -g @shini4i/gitlab-token-scope-adjuster
Usage
Expose the following environment variables:
export GITLAB_URL=https://gitlab.example.com
export GITLAB_TOKEN=your_access_token
And run the following command:
gitlab-token-scope-adjuster -p <your_project_id>
To find dependency files recursively run the following command:
gitlab-token-scope-adjuster -p <your_project_id> --monorepo
Keep in mind that depending on the amount of files in the repo it can significantly increase execution time.
Additionally, before making changes, it is possible to check which dependency projects would be edited by passing --dry-run flag.
Contributing
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.
