Merge branch 'trizzi-master-patch-b559' into 'master'

Deprecation: dependency proxy group access token See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/138566 Merged-by: Amy Qualls <aqualls@gitlab.com> Approved-by: Amy Qualls <aqualls@gitlab.com> Reviewed-by: Radamanthus Batnag <rbatnag@gitlab.com> Co-authored-by: Radamanthus Batnag <rbatnag@gitlab.com> Co-authored-by: Tim Rizzi <trizzi@gitlab.com>

Merge branch 'trizzi-master-patch-b559' into 'master'
47dfe395 · Amy Qualls · a5d59e81 · ca7ae94e · 47dfe395 · 47dfe395
Commit 47dfe395 authored 1 year ago by Amy Qualls
--- a/data/deprecations/16-7-dependency-proxy-group-deploy-token.yml
+++ b/data/deprecations/16-7-dependency-proxy-group-deploy-token.yml
+- title: "Dependency Proxy: group access tokens to have additional scope checks for service accounts"
+  announcement_milestone: "16.7"
+  removal_milestone: "17.0"
+  breaking_change: true
+  reporter: trizzi
+  stage: Package
+  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/431386
+  body: |
+    When using the Dependency Proxy for containers with a group access token, `docker login` and `docker pull` requests with insufficient scopes for Dependency Proxy are not rejected.
+
+    GitLab 16.7 adds checks for group access tokens authenticating for the dependency proxy for containers. This is a breaking change, because tokens without the required scopes will fail.
+
+    To help avoid being impacted by this breaking change, create new group access tokens with the [required scopes](https://docs.gitlab.com/ee/user/packages/dependency_proxy/#authenticate-with-the-dependency-proxy), and update your workflow variables and scripts with those new tokens.
--- a/doc/update/deprecations.md
+++ b/doc/update/deprecations.md
@@ -315,6 +315,24 @@ In 16.3, the names of these settings were changed to clarify their meanings: the
  
 </div>
  
+<div class="deprecation breaking-change" data-milestone="17.0">
+
+### Dependency Proxy: group access tokens to have additional scope checks for service accounts
+
+<div class="deprecation-notes">
+- Announced in GitLab <span class="milestone">16.7</span>
+- Removal in GitLab <span class="milestone">17.0</span> ([breaking change](https://docs.gitlab.com/ee/update/terminology.html#breaking-change))
+- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/431386).
+</div>
+
+When using the Dependency Proxy for containers with a group access token, `docker login` and `docker pull` requests with insufficient scopes for Dependency Proxy are not rejected.
+
+GitLab 16.7 adds checks for group access tokens authenticating for the dependency proxy for containers. This is a breaking change, because tokens without the required scopes will fail.
+
+To help avoid being impacted by this breaking change, create new group access tokens with the [required scopes](https://docs.gitlab.com/ee/user/packages/dependency_proxy/#authenticate-with-the-dependency-proxy), and update your workflow variables and scripts with those new tokens.
+
+</div>
+
 <div class="deprecation " data-milestone="17.0">
  
 ### Deprecate GraphQL fields related to the temporary storage increase