CI/CD Job Token Format change in 19.0

GitLab CI/CD
1

Problem to solve

I’m looking to prepare our self-hosted CE instance of gitlab (thousands of users) for future upgrades, including the upcoming CI/CD Job Token Format change to JWT.

Specifically:

  • What is supposed to happen with 19.0? Will all existing top-level groups switch to JWT format enabled during an upgrade? Can users proactively opt-out before the upgrade, or must they opt-out (again) after the upgrade to >19.0?

  • Are new top-level groups enabled now with the new JWT format (since 17.10)? Some tests on our current version (17.11, planning an upgrade to 18.1 soon) seem to suggest this is the case.

  • How can I track programmatically who is using the new format (who opted-in prior to us being on version 19.0+)? I heard there was no plan to offer any new API features to interact with this.

  • Will the switch in 19.0 mean all DB values for the new format will be toggled false=>true (and empty ones added as true)? Or will there be a way to track a 3rd state of “explicitly disabled” vs implicitly disabled (not opted in prior to 19.0)?

  • I read that this was implemented as a “Feature flag”, which some docs implied I could see this via the gitlab-rails console command, e.g via a command like:
    irb(main):001:0> Feature.enabled?(:ci_job_token_jwt, Group.find(7680))
    but that doesn’t seem to match what I’d expect (always returns false, despite the toggle state in the UI). Am I looking in the right place?

Has there been any traction towards enabling this at a sub-group or project level, or is the plan still for top-level groups only?

All this comes down to how shall I prepare my users, and track that they are prepared, so that no one will be forced into the new format and discover a problem weeks after the upgrade (or other change), without having a means to opt-out until they make the necessary correction?

It could be this has evolved since the earlier plan to switch to default on (opt-out? or just for new groups?) 18.0 and then phase out the old format completely (remove opt-out) by 18.3. But the docs don’t completely match coherently (e.g. Deprecations and removals by version | GitLab Docs states “Removal in GitLab 19.0” but later contradicts this to be (effectively) “opt-out in 19.0, removal in 20.0”.

Thanks.


Jeff

3

In addition, there seems to still be various places that the old schedule of opt-out by 18.0 and removal by 18.3 are still announced. This includes next to the toggle itself on a omnibus gitlab-ce 18.1.1 install:

Unless manually disabled, this setting will be automatically enabled in GitLab 18.0. This setting is scheduled to be removed in GitLab 18.3, and the JWT format will be used by all job tokens. [Learn more.]