Token prefixes: Runner Authentication Tokens (!206149) · Merge requests · GitLab.org / GitLab

Please check this box if this contribution uses AI-generated content (including content generated by GitLab Duo features) as outlined in the GitLab DCO & CLA. As a benefit of being a GitLab Community Contributor, you receive complimentary access to GitLab Duo.

What does this MR do and why?

Adds support for instance wide token prefixes for runner authentication tokens.

Instance wide token prefix have been added with !179852 (merged)

The new prefix format is: #{instance_prefix}#{token_type_prefix}. E.g. for runner authentication tokens, we'd get: #{instance_prefix}glrt-. By default, the prefix is empty. However, we can now customize the instance prefix to create a new prefix: mycompanyname-glrt-.

With this custom prefix, it is easier to identify leaked tokens, because we can now skip all leaked tokens that start with glrt. Now, we only need to look at tokens starting with mycompanyname-glrt-.

🛠️ with ❤️ at Siemens

References

Issue: #388379

How to set up and validate locally

Enable feature flag via rails c:

Feature.enable(:custom_prefix_for_all_token_types)

Create a new runner. You should now see a token without an instance wide prefix.
Now, change the instance wide token prefix: Admin area > General > Account and limit > Instance token prefix, e.g. to mycustomprefix
When you create another runner, you should now see that the prefix starts with mycustomprefix- before glrt.
When you have a look at the list of runners, you should see that short_sha does not include the mycustomprefix-glrt part.

MR acceptance checklist

MR Checklist ( @nwittstruck)

Related to #388379

Edited Oct 01, 2025 by Nicholas Wittstruck

Token prefixes: Runner Authentication Tokens

What does this MR do and why?

References

How to set up and validate locally

MR acceptance checklist

Merge request reports