Workspaces ADR 007: Create workspaces from private projects

Context

We want users to be able to create a workspace from private projects.

Decision

We will create Personal Access Token(PAT) associated to the user for each new workspace and inject it into the workspace. This token will be used to clone the project as the workspace starts. This token will be used for all git operations that the user performs while using the workspace.

More details can be found here.

Consequences

The token will available within the workspace as an environment variable/file. This can result in token exfiltration if an unstrusted container image is used.

This is acceptable for now because users are expected to provision workspaces from projects they trust, like CI jobs.

Alternatives

We considered using ephemeral tokens(JWTs/OAuth/OIDC/etc.) instead of PAT but each came with its own set of challenges. This revealed the larger need to have a some standardized authentication and authorization between internal services and GitLab Rails monolith.

Last modified March 20, 2025: Refactor Workspaces Architecture Design Document into an ADR format (0504bdf1)
View page source - Edit this page - please contribute. Creative Commons License