CI/CD pipelines often inherit overprivileged permissions from user accounts, creating significant security risks if pipelines are compromised or tokens are leaked. GitLab 18.3 introduces fine-grained permissions for job tokens to solve this problem, moving this security enhancement from Beta to GA.

This capability allows maintainers to implement granular permissions that control job token access to API resources. Following the principle of least privilege, these job tokens have no ability to access any API resources until you explicitly grant them permissions.

This initial release includes fine-grained permissions for the following resources:

- Repositories
- Deployments
- Environments
- Jobs
- Packages
- Pipelines
- Releases
- Secure Files
- Terraform State

Additional API endpoints are planned for future releases. For more information, see the associated epic.

The bigger picture

This release represents a critical step in GitLab's broader mission to improve your software supply chain security. Historically, job tokens have been bound to the user running the pipeline, inheriting their privileges and creating security risks if pipelines are compromised.

Fine-grained permissions for job tokens provide a foundation for a more secure CI/CD ecosystem that:

- Reduces attack surface: Implements the principle of least privilege by limiting access to only necessary resources
- Eliminates dependency on long-lived tokens: Provides a secure alternative that reduces the need for personal access tokens and other persistent credentials
- Prepares for machine-based identity: This opt-in approach lays the groundwork for eventually decoupling job tokens from user identities entirely, moving toward true machine-to-machine authentication
- Enables secure automation at scale: Supports complex deployment workflows and CI/CD components without compromising security

Getting started

Security teams and DevOps engineers should evaluate this feature for any projects running automated deployments, package publishing, or infrastructure management. Since this is an opt-in capability, you can migrate gradually to minimize disruption to your existing pipelines.

Start by identifying your most critical pipelines and auditing their current permission requirements. Then enable fine-grained permissions and configure the minimal access needed for each project. For more information, see the documentation on fine-grained permissions for CI/CD job tokens.
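
As an added example (not GitLab's code and not part of the original post), the audit step above can start from a script that lists which API resources each job requests with its job token. The path-segment-to-resource mapping, the `REVIEW:` label, the function names and the sample jobs are assumptions constructed for illustration; confirm endpoint coverage against GitLab's documentation.

```python
import re

# Assumption: first path segment after /projects/<id>/ mapped to a resource
# name from the announcement's list. Confirm real coverage in GitLab's docs.
SEGMENT_TO_RESOURCE = {
    "repository": "Repositories", "deployments": "Deployments",
    "environments": "Environments", "jobs": "Jobs", "packages": "Packages",
    "pipelines": "Pipelines", "releases": "Releases",
    "secure_files": "Secure Files", "terraform": "Terraform State",
}
API_CALL = re.compile(r"(?:/api/v4|\$\{?CI_API_V4_URL\}?)/projects/[^/\s\"']+/([a-z_]+)")
METHOD = re.compile(r"(?:-X|--request)[ =]?([A-Z]+)")

def http_method(line):
    m = METHOD.search(line)
    if m:
        return m.group(1)
    if "--upload-file" in line:
        return "PUT"  # curl sends PUT for --upload-file over HTTP
    return "GET"      # simplification: implicit POST via -d/-F is not detected

def audit_job_token_use(jobs):
    """Map each job to the sorted (resource, method) pairs it requests with the job token."""
    report = {}
    for name, script in jobs.items():
        needs = set()
        for line in script:
            if "CI_JOB_TOKEN" not in line:
                continue  # only calls authenticated with the job token count
            for segment in API_CALL.findall(line):
                # Segments outside the mapping are flagged for manual review
                resource = SEGMENT_TO_RESOURCE.get(segment, "REVIEW:" + segment)
                needs.add((resource, http_method(line)))
        report[name] = sorted(needs)
    return report

# Constructed sample: job name -> script lines as written in .gitlab-ci.yml
SAMPLE_JOBS = {
    "publish": ['curl --header "JOB-TOKEN: $CI_JOB_TOKEN" --upload-file app.tgz '
                '"${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/app/1.0.0/app.tgz"'],
    "release": ['curl --request POST --header "JOB-TOKEN: $CI_JOB_TOKEN" '
                '"$CI_API_V4_URL/projects/$CI_PROJECT_ID/releases"',
                'curl --request POST --form "token=$CI_JOB_TOKEN" --form ref=main '
                '"$CI_API_V4_URL/projects/42/trigger/pipeline"'],
    "unit-test": ["pytest -q"],
}

if __name__ == "__main__":
    for job, needs in audit_job_token_use(SAMPLE_JOBS).items():
        print(job, needs or "no job-token API calls")
```

Jobs that report an empty list make no job-token API calls in their scripts, and `REVIEW:` entries mark calls to check by hand before deciding what to grant.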