Policy for use of Personal Access Tokens (PATs) and other automation

Last updated on 6 April 2026

GitLab provides Personal Access Tokens, which are an alternative to session-based authentication for users to interact with GitLab.

They can be used to authenticate with the GitLab API, or as limited scope tokens for Git HTTP authentication. 

Use of PATs empowers users to use or create tools for programmatically interacting with Merge Requests, Search, the REST API, GitLab Events, etc. 

Because GitLab has limited capacity to configure user roles and permissions, the Drupal Association has blocked access to certain URL paths and APIs for functionality we do not want to grant to users at large.

Policy for use of PATs

PATs can be used to perform any individual action that a user could already perform with a regular authenticated session on git.drupalcode.org.

PATs cannot be used to create automation/bots without prior approval from the Drupal Association engineering team. 

Because there are still some areas of the API that we cannot appropriately restrict through the role and permission options available in GitLab, API endpoints are blocked by default and we open specific endpoints for use with PATs upon request.

To request that a new API be opened for use with PATs, open an issue in the Infrastructure project and tag it with 'gitlab api'. 

General automation policies

See our policy page: Use of Automation Tools, including AI
