Gitlab Access Token by project?

[Blarc]

Currently, we support setting Gitlab's Personal Access Token for each Gitlab URL. This improves user experience, because user only needs to set the token once for each Gitlab URL (or Gitlab instance).

Should we support adding Gitlab Access Token by project?

• This would allow better security by creating project access tokens instead of personal access tokens which can be used to access all projects.
• It would be more cumbersome for user, because he would need to set the project access token for each new project repository.

One solution would also be to set a token for any url and then find longest matching url for each repository. This would allow user to set a Group Access Token and also Project Access Token only for specific repositories.

[zartc]

I wonder how many people use project or group access tokens (moreover, knowing that they are disabled by default) ? Isn't acces permission to a given project or group governed by the project's or group's visibility and member list?

what I mean is that even if I configure my tools with a valid PAT it will not gives it the right to access projects or groups that are not accessible by human me, isn't it?

[Blarc]

That's correct, but someone might not want to give an access token to a plugin, that can access sensitive or GDPR data (from the repository). We have a similar case at my firm with our dependabot, where each project needs to set up the dependabot using its own project access token.

[Weissger]

I would be such a candidate.

[Blarc]

Hey @Weissger. I am just curious what is the reason? Is it just what I already mentioned or something else?