Fine-grained permissions for CI/CD job tokens
Tier: Free, Premium, Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated Status: Experiment
Available API endpoints
The following endpoints are available for CI/CD job tokens. You can use fine-grained permissions to explicitly allow access to a limited set of the following API endpoints.
None means fine-grained permissions cannot control access to this endpoint.
| Permissions | Permission Names | Path | Description |
|---|---|---|---|
| Deployments: Read and write | ADMIN_DEPLOYMENTS |
DELETE /projects/:id/deployments/:deployment_id |
Delete a specific deployment |
| Deployments: Read and write | ADMIN_DEPLOYMENTS |
POST /projects/:id/deployments/:deployment_id/approval |
Approve or reject a blocked deployment |
| Deployments: Read and write | ADMIN_DEPLOYMENTS |
PUT /projects/:id/deployments/:deployment_id |
Update a deployment |
| Deployments: Read and write, Environments: Read and write |
ADMIN_DEPLOYMENTS, ADMIN_ENVIRONMENTS
|
POST /projects/:id/deployments |
Create a deployment |
| Deployments: Read | READ_DEPLOYMENTS |
GET /projects/:id/deployments/:deployment_id/merge_requests |
List of merge requests associated with a deployment |
| Deployments: Read | READ_DEPLOYMENTS |
GET /projects/:id/deployments/:deployment_id |
Get a specific deployment |
| Deployments: Read | READ_DEPLOYMENTS |
GET /projects/:id/deployments |
List project deployments |
| Environments: Read and write | ADMIN_ENVIRONMENTS |
DELETE /projects/:id/environments/:environment_id |
Delete an environment |
| Environments: Read and write | ADMIN_ENVIRONMENTS |
DELETE /projects/:id/environments/review_apps |
Delete multiple stopped review apps |
| Environments: Read and write | ADMIN_ENVIRONMENTS |
POST /projects/:id/environments/:environment_id/stop |
Stop an environment |
| Environments: Read and write | ADMIN_ENVIRONMENTS |
POST /projects/:id/environments/stop_stale |
Stop stale environments |
| Environments: Read and write | ADMIN_ENVIRONMENTS |
POST /projects/:id/environments |
Create a new environment |
| Environments: Read and write | ADMIN_ENVIRONMENTS |
PUT /projects/:id/environments/:environment_id |
Update an existing environment |
| Environments: Read | READ_ENVIRONMENTS |
GET /projects/:id/environments/:environment_id |
Get a specific environment |
| Environments: Read | READ_ENVIRONMENTS |
GET /projects/:id/environments |
List environments |
| Jobs: Read and write | ADMIN_JOBS |
PUT /projects/:id/pipelines/:pipeline_id/metadata |
Updates pipeline metadata |
| Jobs: Read | READ_JOBS |
GET /jobs/:id/artifacts |
Download the artifacts file for job |
| Jobs: Read | READ_JOBS |
GET /projects/:id/jobs/:job_id/artifacts/*artifact_path |
Download a specific file from artifacts archive |
| Jobs: Read | READ_JOBS |
GET /projects/:id/jobs/:job_id/artifacts |
Download the artifacts archive from a job |
| Jobs: Read | READ_JOBS |
GET /projects/:id/jobs/artifacts/:ref_name/download |
Download the artifacts archive from a job |
| Jobs: Read | READ_JOBS |
GET /projects/:id/jobs/artifacts/:ref_name/raw/*artifact_path |
Download a specific file from artifacts archive from a ref |
| None | DELETE /projects/:id/registry/repositories/:repository_id/tags/:tag_name |
Delete repository tag | |
| None | DELETE /projects/:id/registry/repositories/:repository_id/tags |
Delete repository tags (in bulk) | |
| None | DELETE /projects/:id/registry/repositories/:repository_id |
Delete repository | |
| None | GET /group/:id/-/packages/composer/*package_name |
Composer packages endpoint at group level for package versions metadata | |
| None | GET /group/:id/-/packages/composer/p/:sha |
Composer packages endpoint at group level for packages list | |
| None | GET /group/:id/-/packages/composer/p2/*package_name |
Composer v2 packages p2 endpoint at group level for package versions metadata | |
| None | GET /group/:id/-/packages/composer/packages |
Composer packages endpoint at group level | |
| None | GET /groups/:id/-/packages/pypi/simple/*package_name |
The PyPi Simple Group Package Endpoint | |
| None | GET /groups/:id/-/packages/pypi/simple |
The PyPi Simple Group Index Endpoint | |
| None | GET /job/allowed_agents |
Get current agents | |
| None | GET /job |
Get current job using job token | |
| None | GET /packages/conan/v1/conans/search |
Search for packages | |
| None | GET /packages/conan/v1/ping |
Ping the Conan API | |
| None | GET /packages/conan/v1/users/authenticate |
Authenticate user against conan CLI | |
| None | GET /packages/conan/v1/users/check_credentials |
Check for valid user credentials per conan CLI | |
| None | GET /projects/:id/packages/conan/v1/conans/search |
Search for packages | |
| None | GET /projects/:id/packages/conan/v1/ping |
Ping the Conan API | |
| None | GET /projects/:id/packages/conan/v1/users/authenticate |
Authenticate user against conan CLI | |
| None | GET /projects/:id/packages/conan/v1/users/check_credentials |
Check for valid user credentials per conan CLI | |
| None | GET /projects/:id/packages/conan/v2/conans/search |
Search for packages | |
| None | GET /projects/:id/packages/conan/v2/users/check_credentials |
Check for valid user credentials per conan CLI | |
| None | GET /projects/:id/registry/repositories/:repository_id/tags/:tag_name |
Get details about a repository tag | |
| None | GET /projects/:id/registry/repositories/:repository_id/tags |
List tags of a repository | |
| None | GET /projects/:id/registry/repositories |
List container repositories within a project | |
| None | POST /internal/dast/site_validations/:id/transition |
Transitions a DAST site validation to a new state. | |
| Packages: Read and write | ADMIN_PACKAGES |
DELETE /groups/:id/-/packages/npm/-/package/*package_name/dist-tags/:tag |
Deletes the given tag |
| Packages: Read and write | ADMIN_PACKAGES |
DELETE /packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel |
Delete Package |
| Packages: Read and write | ADMIN_PACKAGES |
DELETE /packages/npm/-/package/*package_name/dist-tags/:tag |
Deletes the given tag |
| Packages: Read and write | ADMIN_PACKAGES |
DELETE /projects/:id/packages/:package_id/package_files/:package_file_id |
Delete a package file |
| Packages: Read and write | ADMIN_PACKAGES |
DELETE /projects/:id/packages/:package_id |
Delete a project package |
| Packages: Read and write | ADMIN_PACKAGES |
DELETE /projects/:id/packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel |
Delete Package |
| Packages: Read and write | ADMIN_PACKAGES |
DELETE /projects/:id/packages/npm/-/package/*package_name/dist-tags/:tag |
Deletes the given tag |
| Packages: Read and write | ADMIN_PACKAGES |
POST /projects/:id/packages/composer |
Composer packages endpoint for registering packages |
| Packages: Read and write | ADMIN_PACKAGES |
POST /projects/:id/packages/pypi/authorize |
Authorize the PyPi package upload from workhorse |
| Packages: Read and write | ADMIN_PACKAGES |
POST /projects/:id/packages/pypi |
The PyPi Package upload endpoint |
| Packages: Read and write | ADMIN_PACKAGES |
PUT /groups/:id/-/packages/npm/-/package/*package_name/dist-tags/:tag |
Create or Update the given tag for the given NPM package and version |
| Packages: Read and write | ADMIN_PACKAGES |
PUT /packages/conan/v1/files/:package_name/:package_version/:package_username/:package_channel/:recipe_revision/export/:file_name/authorize |
Workhorse authorize the conan recipe file |
| Packages: Read and write | ADMIN_PACKAGES |
PUT /packages/conan/v1/files/:package_name/:package_version/:package_username/:package_channel/:recipe_revision/export/:file_name |
Upload recipe package files |
| Packages: Read and write | ADMIN_PACKAGES |
PUT /packages/conan/v1/files/:package_name/:package_version/:package_username/:package_channel/:recipe_revision/package/:conan_package_reference/:package_revision/:file_name/authorize |
Workhorse authorize the conan package file |
| Packages: Read and write | ADMIN_PACKAGES |
PUT /packages/conan/v1/files/:package_name/:package_version/:package_username/:package_channel/:recipe_revision/package/:conan_package_reference/:package_revision/:file_name |
Upload package files |
| Packages: Read and write | ADMIN_PACKAGES |
PUT /packages/npm/-/package/*package_name/dist-tags/:tag |
Create or Update the given tag for the given NPM package and version |
| Packages: Read and write | ADMIN_PACKAGES |
PUT /projects/:id/packages/conan/v1/files/:package_name/:package_version/:package_username/:package_channel/:recipe_revision/export/:file_name/authorize |
Workhorse authorize the conan recipe file |
| Packages: Read and write | ADMIN_PACKAGES |
PUT /projects/:id/packages/conan/v1/files/:package_name/:package_version/:package_username/:package_channel/:recipe_revision/export/:file_name |
Upload recipe package files |
| Packages: Read and write | ADMIN_PACKAGES |
PUT /projects/:id/packages/conan/v1/files/:package_name/:package_version/:package_username/:package_channel/:recipe_revision/package/:conan_package_reference/:package_revision/:file_name/authorize |
Workhorse authorize the conan package file |
| Packages: Read and write | ADMIN_PACKAGES |
PUT /projects/:id/packages/conan/v1/files/:package_name/:package_version/:package_username/:package_channel/:recipe_revision/package/:conan_package_reference/:package_revision/:file_name |
Upload package files |
| Packages: Read and write | ADMIN_PACKAGES |
PUT /projects/:id/packages/generic/:package_name/*package_version/(*path/):file_name/authorize |
Workhorse authorize generic package file |
| Packages: Read and write | ADMIN_PACKAGES |
PUT /projects/:id/packages/generic/:package_name/*package_version/(*path/):file_name |
Upload package file |
| Packages: Read and write | ADMIN_PACKAGES |
PUT /projects/:id/packages/maven/*path/:file_name/authorize |
Workhorse authorize the maven package file upload |
| Packages: Read and write | ADMIN_PACKAGES |
PUT /projects/:id/packages/maven/*path/:file_name |
Upload the maven package file |
| Packages: Read and write | ADMIN_PACKAGES |
PUT /projects/:id/packages/npm/-/package/*package_name/dist-tags/:tag |
Create or Update the given tag for the given NPM package and version |
| Packages: Read and write | ADMIN_PACKAGES |
PUT /projects/:id/packages/npm/:package_name |
Create or deprecate NPM package |
| Packages: Read | READ_PACKAGES |
GET /groups/:id/-/packages/maven/*path/:file_name |
Download the maven package file at a group level |
| Packages: Read | READ_PACKAGES |
GET /groups/:id/-/packages/npm/*package_name |
NPM registry metadata endpoint |
| Packages: Read | READ_PACKAGES |
GET /groups/:id/-/packages/npm/-/package/*package_name/dist-tags |
Get all tags for a given an NPM package |
| Packages: Read | READ_PACKAGES |
GET /groups/:id/-/packages/pypi/files/:sha256/*file_identifier |
Download a package file from a group |
| Packages: Read | READ_PACKAGES |
GET /packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel/digest |
Recipe Digest |
| Packages: Read | READ_PACKAGES |
GET /packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel/download_urls |
Recipe Download Urls |
| Packages: Read | READ_PACKAGES |
GET /packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel/packages/:conan_package_reference/digest |
Package Digest |
| Packages: Read | READ_PACKAGES |
GET /packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel/packages/:conan_package_reference/download_urls |
Package Download Urls |
| Packages: Read | READ_PACKAGES |
GET /packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel/packages/:conan_package_reference |
Package Snapshot |
| Packages: Read | READ_PACKAGES |
GET /packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel |
Recipe Snapshot |
| Packages: Read | READ_PACKAGES |
GET /packages/conan/v1/files/:package_name/:package_version/:package_username/:package_channel/:recipe_revision/export/:file_name |
Download recipe files |
| Packages: Read | READ_PACKAGES |
GET /packages/conan/v1/files/:package_name/:package_version/:package_username/:package_channel/:recipe_revision/package/:conan_package_reference/:package_revision/:file_name |
Download package files |
| Packages: Read | READ_PACKAGES |
GET /packages/maven/*path/:file_name |
Download the maven package file at instance level |
| Packages: Read | READ_PACKAGES |
GET /packages/npm/*package_name |
NPM registry metadata endpoint |
| Packages: Read | READ_PACKAGES |
GET /packages/npm/-/package/*package_name/dist-tags |
Get all tags for a given an NPM package |
| Packages: Read | READ_PACKAGES |
GET /projects/:id/packages/:package_id/package_files |
List package files |
| Packages: Read | READ_PACKAGES |
GET /projects/:id/packages/:package_id/pipelines |
Get the pipelines for a single project package |
| Packages: Read | READ_PACKAGES |
GET /projects/:id/packages/:package_id |
Get a single project package |
| Packages: Read | READ_PACKAGES |
GET /projects/:id/packages/composer/archives/*package_name |
Composer package endpoint to download a package archive |
| Packages: Read | READ_PACKAGES |
GET /projects/:id/packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel/digest |
Recipe Digest |
| Packages: Read | READ_PACKAGES |
GET /projects/:id/packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel/download_urls |
Recipe Download Urls |
| Packages: Read | READ_PACKAGES |
GET /projects/:id/packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel/packages/:conan_package_reference/digest |
Package Digest |
| Packages: Read | READ_PACKAGES |
GET /projects/:id/packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel/packages/:conan_package_reference/download_urls |
Package Download Urls |
| Packages: Read | READ_PACKAGES |
GET /projects/:id/packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel/packages/:conan_package_reference |
Package Snapshot |
| Packages: Read | READ_PACKAGES |
GET /projects/:id/packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel |
Recipe Snapshot |
| Packages: Read | READ_PACKAGES |
GET /projects/:id/packages/conan/v1/files/:package_name/:package_version/:package_username/:package_channel/:recipe_revision/export/:file_name |
Download recipe files |
| Packages: Read | READ_PACKAGES |
GET /projects/:id/packages/conan/v1/files/:package_name/:package_version/:package_username/:package_channel/:recipe_revision/package/:conan_package_reference/:package_revision/:file_name |
Download package files |
| Packages: Read | READ_PACKAGES |
GET /projects/:id/packages/conan/v2/conans/:package_name/:package_version/:package_username/:package_channel/revisions/:recipe_revision/files/:file_name |
Download recipe files |
| Packages: Read | READ_PACKAGES |
GET /projects/:id/packages/generic/:package_name/*package_version/(*path/):file_name |
Download package file |
| Packages: Read | READ_PACKAGES |
GET /projects/:id/packages/go/*module_name/@v/:module_version.info |
Version metadata |
| Packages: Read | READ_PACKAGES |
GET /projects/:id/packages/go/*module_name/@v/:module_version.mod |
Download module file |
| Packages: Read | READ_PACKAGES |
GET /projects/:id/packages/go/*module_name/@v/:module_version.zip |
Download module source |
| Packages: Read | READ_PACKAGES |
GET /projects/:id/packages/go/*module_name/@v/list |
List |
| Packages: Read | READ_PACKAGES |
GET /projects/:id/packages/maven/*path/:file_name |
Download the maven package file at a project level |
| Packages: Read | READ_PACKAGES |
GET /projects/:id/packages/npm/*package_name/-/*file_name |
Download the NPM tarball |
| Packages: Read | READ_PACKAGES |
GET /projects/:id/packages/npm/*package_name |
NPM registry metadata endpoint |
| Packages: Read | READ_PACKAGES |
GET /projects/:id/packages/npm/-/package/*package_name/dist-tags |
Get all tags for a given an NPM package |
| Packages: Read | READ_PACKAGES |
GET /projects/:id/packages/pypi/files/:sha256/*file_identifier |
The PyPi package download endpoint |
| Packages: Read | READ_PACKAGES |
GET /projects/:id/packages/pypi/simple/*package_name |
The PyPi Simple Project Package Endpoint |
| Packages: Read | READ_PACKAGES |
GET /projects/:id/packages/pypi/simple |
The PyPi Simple Project Index Endpoint |
| Packages: Read | READ_PACKAGES |
GET /projects/:id/packages |
Get a list of project packages |
| Packages: Read | READ_PACKAGES |
POST /groups/:id/-/packages/npm/-/npm/v1/security/advisories/bulk |
NPM registry bulk advisory endpoint |
| Packages: Read | READ_PACKAGES |
POST /groups/:id/-/packages/npm/-/npm/v1/security/audits/quick |
NPM registry quick audit endpoint |
| Packages: Read | READ_PACKAGES |
POST /packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel/packages/:conan_package_reference/upload_urls |
Package Upload Urls |
| Packages: Read | READ_PACKAGES |
POST /packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel/upload_urls |
Recipe Upload Urls |
| Packages: Read | READ_PACKAGES |
POST /packages/npm/-/npm/v1/security/advisories/bulk |
NPM registry bulk advisory endpoint |
| Packages: Read | READ_PACKAGES |
POST /packages/npm/-/npm/v1/security/audits/quick |
NPM registry quick audit endpoint |
| Packages: Read | READ_PACKAGES |
POST /projects/:id/packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel/packages/:conan_package_reference/upload_urls |
Package Upload Urls |
| Packages: Read | READ_PACKAGES |
POST /projects/:id/packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel/upload_urls |
Recipe Upload Urls |
| Packages: Read | READ_PACKAGES |
POST /projects/:id/packages/npm/-/npm/v1/security/advisories/bulk |
NPM registry bulk advisory endpoint |
| Packages: Read | READ_PACKAGES |
POST /projects/:id/packages/npm/-/npm/v1/security/audits/quick |
NPM registry quick audit endpoint |
| Releases: Read and write | ADMIN_RELEASES |
DELETE /projects/:id/releases/:tag_name/assets/links/:link_id |
Delete a release link |
| Releases: Read and write | ADMIN_RELEASES |
DELETE /projects/:id/releases/:tag_name |
Delete a release |
| Releases: Read and write | ADMIN_RELEASES |
POST /projects/:id/catalog/publish |
Publish a new component project release as version to the CI/CD catalog |
| Releases: Read and write | ADMIN_RELEASES |
POST /projects/:id/releases/:tag_name/assets/links |
Create a release link |
| Releases: Read and write | ADMIN_RELEASES |
POST /projects/:id/releases/:tag_name/evidence |
Collect release evidence |
| Releases: Read and write | ADMIN_RELEASES |
POST /projects/:id/releases |
Create a release |
| Releases: Read and write | ADMIN_RELEASES |
PUT /projects/:id/releases/:tag_name/assets/links/:link_id |
Update a release link |
| Releases: Read and write | ADMIN_RELEASES |
PUT /projects/:id/releases/:tag_name |
Update a release |
| Releases: Read | READ_RELEASES |
GET /projects/:id/releases/:tag_name/assets/links/:link_id |
Get a release link |
| Releases: Read | READ_RELEASES |
GET /projects/:id/releases/:tag_name/assets/links |
List links of a release |
| Releases: Read | READ_RELEASES |
GET /projects/:id/releases/:tag_name/downloads/*direct_asset_path |
Download a project release asset file |
| Releases: Read | READ_RELEASES |
GET /projects/:id/releases/:tag_name |
Get a release by a tag name |
| Releases: Read | READ_RELEASES |
GET /projects/:id/releases/permalink/latest(/)(*suffix_path) |
Get the latest project release |
| Releases: Read | READ_RELEASES |
GET /projects/:id/releases |
List Releases |
| Releases: Read | READ_RELEASES |
GET /projects/:id/repository/changelog |
Generates a changelog section for a release and returns it |
| Secure files: Read and write | ADMIN_SECURE_FILES |
DELETE /projects/:id/secure_files/:secure_file_id |
Remove a secure file |
| Secure files: Read and write | ADMIN_SECURE_FILES |
POST /projects/:id/secure_files |
Create a secure file |
| Secure files: Read | READ_SECURE_FILES |
GET /projects/:id/secure_files/:secure_file_id/download |
Download secure file |
| Secure files: Read | READ_SECURE_FILES |
GET /projects/:id/secure_files/:secure_file_id |
Get the details of a specific secure file in a project |
| Secure files: Read | READ_SECURE_FILES |
GET /projects/:id/secure_files |
Get list of secure files in a project |
| Terraform state: Read and write | ADMIN_TERRAFORM_STATE |
DELETE /projects/:id/terraform/state/:name/lock |
Unlock a Terraform state of a certain name |
| Terraform state: Read and write | ADMIN_TERRAFORM_STATE |
DELETE /projects/:id/terraform/state/:name/versions/:serial |
Delete a Terraform state version |
| Terraform state: Read and write | ADMIN_TERRAFORM_STATE |
DELETE /projects/:id/terraform/state/:name |
Delete a Terraform state of a certain name |
| Terraform state: Read and write | ADMIN_TERRAFORM_STATE |
POST /projects/:id/terraform/state/:name/lock |
Lock a Terraform state of a certain name |
| Terraform state: Read and write | ADMIN_TERRAFORM_STATE |
POST /projects/:id/terraform/state/:name |
Add a new Terraform state or update an existing one |
| Terraform state: Read | READ_TERRAFORM_STATE |
GET /projects/:id/terraform/state/:name/versions/:serial |
Get a Terraform state version |
| Terraform state: Read | READ_TERRAFORM_STATE |
GET /projects/:id/terraform/state/:name |
Get a Terraform state by its name |