In GitLab 17.9, a new scope for access_tokens was added that allows an access token to rotate itself. This feature should be used instead of the current mechanism, which waits for an owner to access the site and rotate the token with their credentials.
The old token becomes unusable instantly, so we should only rotate it when no one is using the token at that moment!
To achieve this, we need two tokens for each classroom: the first is the current token, the second is the backup. When rotation is due, we rotate the backup token, move the current token to backup, and set the current to the new token.
This rotation is done on a daily basis, right before the next sync happens.
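The two-slot rotation described above, as an added example that is not the project's own code. `FakeGitLab`, `ClassroomTokens` and `rotate_classroom` are hypothetical names, and the in-memory `FakeGitLab` is a constructed stand-in that only models the one property that matters here: a rotated token is revoked immediately.

```python
import secrets
from dataclasses import dataclass


class FakeGitLab:
    """Constructed stand-in for GitLab: rotating a token revokes it at once."""

    def __init__(self):
        self.valid = set()

    def issue(self):
        token = "tok-" + secrets.token_hex(8)
        self.valid.add(token)
        return token

    def rotate(self, token):
        # Self-rotation: the presented token must be valid and dies immediately.
        if token not in self.valid:
            raise PermissionError("token revoked or unknown")
        self.valid.remove(token)
        return self.issue()

    def is_valid(self, token):
        return token in self.valid


@dataclass(frozen=True)
class ClassroomTokens:
    current: str  # handed to syncs
    backup: str   # idle token, the only one that is ever rotated


def rotate_classroom(tokens, gitlab):
    """Rotate the backup, demote current to backup, promote the new token."""
    # If rotate() raises, the caller keeps the old pair unchanged.
    new_token = gitlab.rotate(tokens.backup)
    return ClassroomTokens(current=new_token, backup=tokens.current)


def demo():
    gitlab = FakeGitLab()
    day0 = ClassroomTokens(current=gitlab.issue(), backup=gitlab.issue())
    in_flight = day0.current  # a sync still holding yesterday's current token
    day1 = rotate_classroom(day0, gitlab)
    after_one = gitlab.is_valid(in_flight)       # demoted to backup, still valid
    old_backup_dead = not gitlab.is_valid(day0.backup)
    day2 = rotate_classroom(day1, gitlab)
    after_two = gitlab.is_valid(in_flight)       # now rotated, so revoked
    return after_one, old_backup_dead, after_two, gitlab.is_valid(day2.current)
```

A token handed out as current survives exactly one further rotation, so any job using it has to finish within one rotation interval.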