Merge branch '351962-deprecate-application-setting-enforce-pat-expiration' into 'master'

Announce deprecation of the option to disable PAT expiration

See merge request gitlab-org/gitlab!79904

data/deprecations/14-8-enforce-pat-expiration.yml

+- name: "Optional enforcement of PAT expiration" # The name of the feature to be deprecated
+  announcement_milestone: "14.8" # The milestone when this feature was first announced as deprecated.
+  announcement_date: "2022-02-22" # The date of the milestone release when this feature was first announced as deprecated. This should almost always be the 22nd of a month (YYYY-MM-22), unless you did an out of band blog post.
+  removal_milestone: "15.0" # The milestone when this feature is planned to be removed
+  removal_date: "2022-05-22" # The date of the milestone release when this feature is planned to be removed. This should almost always be the 22nd of a month (YYYY-MM-22), unless you did an out of band blog post.
+  breaking_change: true # If this deprecation is a breaking change, set this value to true
+  reporter: djensen # GitLab username of the person reporting the deprecation
+  body: | # Do not modify this line, instead modify the lines below.
+    The feature to disable enforcement of PAT expiration is unusual from a security perspective.
+    We have become concerned that this unusual feature could create unexpected behavior for users.
+    Unexpected behavior in a security feature is inherently dangerous, so we have decided to remove this feature.
+  issue_url: "https://gitlab.com/gitlab-org/gitlab/-/issues/351962" # (optional) This is a link to the deprecation issue in GitLab
+  documentation_url: "https://docs.gitlab.com/ee/user/admin_area/settings/account_and_limit_settings.html#allow-expired-personal-access-tokens-to-be-used-deprecated" # (optional) This is a link to the current documentation page

doc/update/deprecations.md

@@ -753,6 +753,20 @@ To align with this change, API calls to list external status checks will also re
 
 **Planned removal milestone: 15.0 (2022-05-22)**
 
+### Optional enforcement of PAT expiration
+
+WARNING:
+This feature will be changed or removed in 15.0
+as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
+Before updating GitLab, review the details carefully to determine if you need to make any
+changes to your code, settings, or workflow.
+
+The feature to disable enforcement of PAT expiration is unusual from a security perspective.
+We have become concerned that this unusual feature could create unexpected behavior for users.
+Unexpected behavior in a security feature is inherently dangerous, so we have decided to remove this feature.
+
+**Planned removal milestone: 15.0 (2022-05-22)**
+
 ### Querying Usage Trends via the `instanceStatisticsMeasurements` GraphQL node
 
 WARNING:

doc/user/admin_area/credentials_inventory.md

@@ -38,7 +38,7 @@ The following is an example of the Credentials inventory page:
 
 If you see a **Revoke** button, you can revoke that user's PAT. Whether you see a **Revoke** button depends on the token state, and if an expiration date has been set. For more information, see the following table:
 
-| Token state | [Token expiration enforced?](settings/account_and_limit_settings.md#allow-expired-personal-access-tokens-to-be-used) | Show Revoke button? | Comments |
+| Token state | [Token expiration enforced?](settings/account_and_limit_settings.md#allow-expired-personal-access-tokens-to-be-used-deprecated) | Show Revoke button? | Comments |
 |-------------|------------------------|--------------------|----------------------------------------------------------------------------|
 | Active      | Yes                    | Yes                | Allows administrators to revoke the PAT, such as for a compromised account |
 | Active      | No                     | Yes                | Allows administrators to revoke the PAT, such as for a compromised account |

doc/user/admin_area/settings/account_and_limit_settings.md

@@ -283,10 +283,14 @@ Once a lifetime for personal access tokens is set, GitLab:
   allowed lifetime. Three hours is given to allow administrators to change the allowed lifetime,
   or remove it, before revocation takes place.
 
-## Allow expired Personal Access Tokens to be used **(ULTIMATE SELF)**
+## Allow expired Personal Access Tokens to be used (DEPRECATED) **(ULTIMATE SELF)**
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214723) in GitLab 13.1.
 > - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/296881) in GitLab 13.9.
+> - [Deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/351962) in GitLab 14.8.
+
+WARNING:
+This feature was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/351962) in GitLab 14.8.
 
 By default, expired personal access tokens (PATs) **are not usable**.
 

doc/user/profile/personal_access_tokens.md

@@ -111,7 +111,7 @@ Personal access tokens expire on the date you define, at midnight UTC.
 - In GitLab Ultimate, administrators can
   [limit the lifetime of personal access tokens](../admin_area/settings/account_and_limit_settings.md#limit-the-lifetime-of-personal-access-tokens).
 - In GitLab Ultimate, administrators can choose whether or not to
-  [enforce personal access token expiration](../admin_area/settings/account_and_limit_settings.md#allow-expired-personal-access-tokens-to-be-used).
+  [enforce personal access token expiration](../admin_area/settings/account_and_limit_settings.md#allow-expired-personal-access-tokens-to-be-used-deprecated).
 
 ## Create a personal access token programmatically **(FREE SELF)**