We are thrilled to announce that we upgraded Helmholtz Codebase to GitLab v18.0 on June 5th, 2025. Please read about the latest new features and also relevant removals in the changelog. As you can see there, one of the new beta-features in GitLab are “granular permissions for job tokens”. These fine-grained permissions for CI/CD job tokens precisely control access to specific resources in a project via these job tokens.
Major Version Releases also come with Deprecations and Removals
TLDR: The breaking changes of GitLab v18 have impact on the CI/CD Job Token permissions. Previously, it was possible that projects can access other non-public projects without granting permissions explicitly. This is no longer possible, and now each project has an allowlist to control access from other projects. Please read more about these removals on the following pages:
- CI/CD job token - Authorized groups and projects allowlist enforcement
- CI/CD job token - Limit access from your project setting removal
Why is this important?
You might need to grant access to a project to use resources like non-public projects via Git submodules, non-public container images from the Codebase container registry, or other access-controlled resources in a GitLab CI/CD pipeline. Job tokens are used in CI/CD pipelines to authenticate as an eligible user and with these job tokens users are usually only permitted to access one particular GitLab project for which the CI/CD pipeline is defined. In order to grant job tokens the right permissions to be able to access other non-public projects there are CI/CD job token allowlists in those other projects. That means, we add a project A to the CI/CD job token allowlist of project B to allow project A to access project B.
How to add a group or project to the CI/CD job token allowlist?
These CI/CD job token allowlists can be found in the project settings:
Settings > CI/CD > Job token permissions > CI/CD job token allowlist
To grant access to another group (including its subgroups and projects) or another project, add it to the CI/CD job token allowlist using the “Add” button as shown in the screenshot.
Summary
GitLab comes with a CI/CD job token allowlist in the project settings. In version 18 this CI/CD job token allowlist needs to be used if you would like to allow other projects to be able to access the non-public project from CI/CD pipelines in other projects.