Context
ADR 0028 (GitLab Support Architecture) was deprecated because the surrounding infrastructure changed significantly since it was written — the token mint (ADR 0029), synchronous dispatch (ADR 0041), reusable workflows (ADR 0031), and per-repo mode (ADR 0033) all shifted the baseline.
Decision
ADR 0043 supersedes ADR 0028 with a webhook bridge architecture:
- Bridge Cloud Function: Translates GitLab webhooks into pipeline triggers, isolating untrusted payload handling from the token mint
- GitLab OIDC via JWKS: Child pipelines authenticate to the mint using GitLab OIDC tokens
- Project Access Tokens: Per-role per-project PATs stored in Secret Manager, distributed through the existing mint model
- Defense in depth: Hardcoded ref, protected CI/CD variables, per-project webhook secrets
Deliverables
Context
ADR 0028 (GitLab Support Architecture) was deprecated because the surrounding infrastructure changed significantly since it was written — the token mint (ADR 0029), synchronous dispatch (ADR 0041), reusable workflows (ADR 0031), and per-repo mode (ADR 0033) all shifted the baseline.
Decision
ADR 0043 supersedes ADR 0028 with a webhook bridge architecture:
Deliverables
docs/problems/gitlab-support.md) covering 7 phases