We'll have a few use-cases (auditjs, snyk, etc.) where we will likely need to pass an API token of some sort for more efficient or licensed access to their services.
- Can we even do this via gitlab.wikimedia.org's runners? Shouldn't be a problem for runners at wmcs, I'd guess, but for runners hosted within Wikimedia production, they'd have to proxy out somehow. Maybe that can just be transparent to Gitlab's ci?
- Should these be masked environment variables? Or environment variables restricted to protected branches / repos?
- How does a group like the Security-Team create and manage these types of accounts which would cut a token for some group (or even all) users of Wikimedia's Gitlab ci?