<!-- This issue template can be used as a great starting point for feature requests. Learn more about the process: https://handbook.gitlab.com/handbook/product/how-to-engage/#customer-feature-requests. The section "Release notes" can be used as a summary of the feature and is also required if you want to have your release post blog MR auto generated using the release post item generator: https://about.gitlab.com/handbook/marketing/blog/release-posts/#release-post-item-generator. The remaining sections are the backbone for every feature in GitLab. The goal of this template is brevity for quick/smaller iterations. For a more thorough list of considerations for larger features or feature sets, you can leverage the detailed [feature proposal](https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/issue_templates/Feature%20proposal%20-%20detailed.md). --> ### Release notes <!-- What is the problem and solution you're proposing? This content sets the overall vision for the feature and serves as the release notes that will populate in various places, including the [release post blog](https://about.gitlab.com/releases/categories/releases/) and [Gitlab project releases](https://gitlab.com/gitlab-org/gitlab/-/releases). " --> ### Problem to solve Application Owners rely on deploy tokens for automation. When these tokens are about to expire, they'd like to be informed so that they can renew the token and the automation doesn't break. ### Proposal Add a new email notification at the project level that sends notifications to project owners before a project deploy token expires. * deploy token expiring in 60 days * deploy token expiring in 30 days * deploy token expiring in 7 days * send 1 notification per expiring token Here is the e-mail that is generated for personal access tokens, this can be similar: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/19296 ### Intended users * [Allison (Application Ops)](https://handbook.gitlab.com/handbook/product/personas/#allison-application-ops) ### Feature Usage Metrics - click-through count from sent e-mail to GitLab ### Does this feature require an audit event? No ### Implementation Guide Implementation will have a lot of overlap with the existing process used to send notifications for expiring personal/project/group access tokens. See `PersonalAccessTokens::ExpiringWorker`, `NotificationService.bot_resource_access_token_about_to_expire`, `Emails::Profile.bot_resource_access_token_about_to_expire_email` and the associated email templates, `bot_resource_access_token_about_to_expire_email.html.haml`/`bot_resource_access_token_about_to_expire_email.text.erb`. - Add columns and indexes to `deploy_tokens` to store when the expiry notifications were sent. An example of where this was done previously can be found in https://gitlab.com/gitlab-org/gitlab/-/merge_requests/165257. - Add a new mailer method to `Email::Profile`, and associated text/html email templates. These will be very similar to `bot_resource_access_token_about_to_expire_email`, with adjusted wording in the email templates to reflect the type of token. The first iteration will be specific to project deploy tokens (notifications for group tokens will be added in https://gitlab.com/gitlab-org/gitlab/-/issues/512196). - Add a new [Sidekiq](https://docs.gitlab.com/ee/development/sidekiq/) worker, `DeployTokens::ExpiringWorker`, that is scheduled to run once a day (similar to the [personal access tokens worker](https://gitlab.com/gitlab-org/gitlab/-/blob/6d540df2eb27a6c348f36040e900dd3fee5cf2be/config/initializers/1_settings.rb#L524-526), but at a different time of day). This will also be similar to the equivalent `ExpiringWorker` for personal tokens, and it will have very similar behaviour - iterate over every (project) deploy token that is due for a notification, and generate the email added in the previous step.