When a new user logs into gitlab.wikimedia.org their account is placed in a "blocked_pending_approval" state. They are shown a banner explaining how to request that their account be approved by creating a task in the GitLab (Account Approval) project or otherwise being added to a trusted contributor list. We see new tickets in the Phab project regularly, so it is reasonable to assume folks actually can see this banner at some point.

Right now we have no automated process to reject accounts that have sat in pending approval state for days/weeks/months. @bd808 has manually rejected stale accounts without open Phabricator tasks asking for approval in the past, so we don't currently have any that have been stuck for years. These accounts are however processed by Tool-gitlab-account-approval every 3 minutes, 24 hours per day, 7 days a week. Each time the job runs it will check each user for trust in LDAP (Toolforge), Gerrit, and Phabricator before giving up and leaving them in the pending state.

Rejecting a pending account removes it from the gitlab database without prejudice. The user could come back at any time and login again if they wanted to recreate the account and apply for approval.

The only negative consequence would be rejecting an account while there is an open Phabricator task attempting to establish their trust relationship. If that happened it would not be possible for a GitLab admin to actually approve the account until the user recreated it by logging into gitlab.wikimedia.org again.

glaab should have a new cli option that enables rejecting pending accounts which are not currently trusted. The option should take a numeric argument indicating how many days the account should be pending before being rejected. When an account is rejected that action should be logged on wiki in a similar manner as account approvals. The log message should include the number of days the account was pending before being rejected. That might look something like "stale-account" was rejected after 90 days in pending state.