
Research best ways to pass certain credentials to external services within application security-related ci templates
Closed, Declined · Public

Description

We'll have a few use cases (auditjs, snyk, etc.) where we will likely need to pass an API token of some sort to get more efficient or licensed access to their services.

  1. Can we even do this via gitlab.wikimedia.org's runners? It shouldn't be a problem for runners at WMCS, I'd guess, but runners hosted within Wikimedia production would have to proxy out somehow. Maybe that can just be transparent to GitLab CI?
  2. Should these be masked environment variables, or environment variables restricted to protected branches / repos?
  3. How does a group like the Security-Team create and manage these types of accounts, which would cut a token for some group (or even all) of the users of Wikimedia's GitLab CI?
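The following `.gitlab-ci.yml` fragment is an added illustration of questions 1 and 2, not configuration from this task or from Wikimedia's CI templates. It assumes a CI/CD variable named `SNYK_TOKEN` has been created in the project or group settings with both "Mask variable" and "Protect variable" enabled, and that production runners reach vendor APIs through an egress proxy whose address is a placeholder here.

```yaml
# Hypothetical .gitlab-ci.yml fragment (added example, not from the task).
# Assumes a masked + protected CI/CD variable SNYK_TOKEN exists in the
# project or group settings; the proxy host/port below are placeholders.

stages:
  - security

snyk-test:
  stage: security
  image: node:20
  rules:
    # Run only on protected refs: a protected variable is only injected there,
    # so on unprotected branches (e.g. merge requests from forks) the job is
    # skipped instead of failing with an empty token.
    - if: $CI_COMMIT_REF_PROTECTED == "true"
  variables:
    # Runners inside production may need an egress proxy to reach the vendor
    # API; the standard https_proxy variable is honoured by Node and the
    # Snyk CLI, so the proxy is transparent to the job itself.
    https_proxy: "http://PROXY_HOST:PROXY_PORT"
  script:
    - npm ci
    # Fail early with a clear message if the variable was not injected.
    - test -n "$SNYK_TOKEN" || { echo "SNYK_TOKEN is not set (is the variable protected and this ref protected?)"; exit 1; }
    # The Snyk CLI reads SNYK_TOKEN from the environment; the value is never
    # committed to the repository and GitLab masks it in the job log.
    - npx snyk test
```

Masking only redacts exact occurrences of the value in job logs; it does not stop a job script from reading the variable. So the combination that limits exposure is: mask the variable, mark it protected, and run the job only on protected refs, so that only people who can already push to protected branches can run code that sees the token.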