From 82084b12753b4e6fcdaac11c9d14b6a582f3ef76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julien=20Pervill=C3=A9?=
 <julien.perville@perfect-memory.com>
Date: Wed, 6 May 2026 16:22:19 +0200
Subject: [PATCH] Add support for Gitlab group deploy tokens API.

See https://docs.gitlab.com/api/deploy_tokens/#group-deploy-tokens
---
 lib/gitlab/client/groups.rb                   | 58 ++++++++++++++++
 spec/fixtures/group_deploy_token_create.json  |  1 +
 spec/fixtures/group_deploy_token_get.json     |  1 +
 spec/fixtures/group_deploy_token_get_all.json |  1 +
 spec/gitlab/client/groups_spec.rb             | 69 +++++++++++++++++++
 5 files changed, 130 insertions(+)
 create mode 100644 spec/fixtures/group_deploy_token_create.json
 create mode 100644 spec/fixtures/group_deploy_token_get.json
 create mode 100644 spec/fixtures/group_deploy_token_get_all.json

diff --git a/lib/gitlab/client/groups.rb b/lib/gitlab/client/groups.rb
index 54d69c6c8..169764844 100644
--- a/lib/gitlab/client/groups.rb
+++ b/lib/gitlab/client/groups.rb
@@ -523,4 +523,62 @@ def create_group_access_token(group_id, name, scopes, access_level = nil, expire
   def revoke_group_access_token(group_id, group_access_token_id)
     delete("/groups/#{group_id}/access_tokens/#{group_access_token_id}")
   end
+
+  # Get all deploy tokens for a group
+  #
+  # @example
+  #   Gitlab.group_deploy_tokens(1)
+  #   Gitlab.group_deploy_tokens(1, active: true)
+  #
+  # @param  [Integer] group_id The ID of the group.
+  # @param  [Hash] options A customizable set of options.
+  # @option options [Boolean] :active Limit by active status.
+  # @return [Array<Gitlab::ObjectifiedHash>]
+  def group_deploy_tokens(group_id, options = {})
+    get("/groups/#{group_id}/deploy_tokens", query: options)
+  end
+
+  # Get group deploy token information
+  #
+  # @example
+  #   Gitlab.group_deploy_token(1, 1)
+  #
+  # @param  [Integer] group_id The ID of the group.
+  # @param  [Integer] group_deploy_token_id ID of the group deploy token.
+  # @return [Gitlab::ObjectifiedHash]
+  def group_deploy_token(group_id, group_deploy_token_id)
+    get("/groups/#{group_id}/deploy_tokens/#{group_deploy_token_id}")
+  end
+
+  # Create group deploy token
+  #
+  # @example
+  #   Gitlab.create_group_deploy_token(2, "token", ["api", "read_user"])
+  #   Gitlab.create_group_deploy_token(2, "token", ["api", "read_user"], "1970-01-01")
+  #   Gitlab.create_group_deploy_token(2, "token", ["api", "read_user"], "1970-01-01", 'myuser')
+  #
+  # @param  [Integer] group_id The ID of the group.
+  # @param  [String] name Name for group deploy token.
+  # @param  [Array<String>] scopes Array of scopes for the group deploy token
+  # @param  [String] expires_at Date for the group deploy token expiration in ISO format.
+  # @param  [String] username Username for the group deploy token.
+  # @return [Gitlab::ObjectifiedHash]
+  def create_group_deploy_token(group_id, name, scopes, expires_at = nil, username = nil)
+    body = { name: name, scopes: scopes }
+    body[:expires_at] = expires_at if expires_at
+    body[:username] = username if username
+    post("/groups/#{group_id}/deploy_tokens", body: body)
+  end
+
+  # Revoke a group deploy token
+  #
+  # @example
+  #   Gitlab.revoke_group_deploy_token(1, 1)
+  #
+  # @param  [Integer] group_id The ID of the group.
+  # @param  [Integer] group_deploy_token_id ID of the group deploy token.
+  # @return [Gitlab::ObjectifiedHash]
+  def revoke_group_deploy_token(group_id, group_deploy_token_id)
+    delete("/groups/#{group_id}/deploy_tokens/#{group_deploy_token_id}")
+  end
 end
diff --git a/spec/fixtures/group_deploy_token_create.json b/spec/fixtures/group_deploy_token_create.json
new file mode 100644
index 000000000..8179bf18f
--- /dev/null
+++ b/spec/fixtures/group_deploy_token_create.json
@@ -0,0 +1 @@
+{"id":2,"name":"mytoken","username":"gitlab+deploy-token-1","expires_at":null,"token":"jMRvtPNxrn3crTAGukpZ","revoked":false,"expired":false,"scopes":["api"]}
diff --git a/spec/fixtures/group_deploy_token_get.json b/spec/fixtures/group_deploy_token_get.json
new file mode 100644
index 000000000..c9182647c
--- /dev/null
+++ b/spec/fixtures/group_deploy_token_get.json
@@ -0,0 +1 @@
+{"id":2,"name":"MyToken1","username":"gitlab+deploy-token-1","expires_at":null,"revoked":false,"expired":false,"scopes":["api"]}
diff --git a/spec/fixtures/group_deploy_token_get_all.json b/spec/fixtures/group_deploy_token_get_all.json
new file mode 100644
index 000000000..efd101891
--- /dev/null
+++ b/spec/fixtures/group_deploy_token_get_all.json
@@ -0,0 +1 @@
+[{"id":2,"name":"MyToken1","username":"gitlab+deploy-token-1","expires_at":null,"revoked":false,"expired":false,"scopes":["api"]},{"id":3,"name":"MyToken2","username":"gitlab+deploy-token-2","expires_at":"2026-12-25T00:00:00.000Z","revoked":false,"expired":false,"scopes":["read_registry"]}]
diff --git a/spec/gitlab/client/groups_spec.rb b/spec/gitlab/client/groups_spec.rb
index 5ab69f87d..80ff9cf33 100644
--- a/spec/gitlab/client/groups_spec.rb
+++ b/spec/gitlab/client/groups_spec.rb
@@ -650,4 +650,73 @@
       end
     end
   end
+
+  describe 'group deploy tokens' do
+    describe 'get all' do
+      before do
+        stub_get('/groups/2/deploy_tokens', 'group_deploy_token_get_all')
+        @tokens = Gitlab.group_deploy_tokens(2)
+      end
+
+      it 'gets the correct resource' do
+        expect(a_get('/groups/2/deploy_tokens')).to have_been_made
+      end
+
+      it 'gets an array of group deploy tokens' do
+        expect(@tokens.first.id).to eq(2)
+        expect(@tokens.last.id).to eq(3)
+      end
+    end
+
+    describe 'get one' do
+      before do
+        stub_get('/groups/2/deploy_tokens/2', 'group_deploy_token_get')
+        @token = Gitlab.group_deploy_token(2, 2)
+      end
+
+      it 'gets the correct resource' do
+        expect(a_get('/groups/2/deploy_tokens/2')).to have_been_made
+      end
+
+      it 'gets a group deploy token' do
+        expect(@token.name).to eq('MyToken1')
+        expect(@token.username).to eq('gitlab+deploy-token-1')
+        expect(@token.id).to eq(2)
+      end
+    end
+
+    describe 'create' do
+      before do
+        stub_post('/groups/2/deploy_tokens', 'group_deploy_token_create')
+        @token = Gitlab.create_group_deploy_token(2, 'mytoken', ['api'])
+      end
+
+      it 'gets the correct resource' do
+        expect(a_post('/groups/2/deploy_tokens').with(body: 'name=mytoken&scopes%5B%5D=api')).to have_been_made
+      end
+
+      it 'returns a valid group deploy token' do
+        expect(@token.name).to eq('mytoken')
+        expect(@token.username).to eq('gitlab+deploy-token-1')
+        expect(@token.id).to eq(2)
+        expect(@token.revoked).to be_falsey
+        expect(@token.expired).to be_falsey
+        expect(@token.token).to eq('jMRvtPNxrn3crTAGukpZ')
+      end
+    end
+
+    describe 'revoke' do
+      before do
+        stub_request(:delete, "#{Gitlab.endpoint}/groups/2/deploy_tokens/2")
+          .with(headers: { 'PRIVATE-TOKEN' => Gitlab.private_token })
+          .to_return(status: 204)
+        @token = Gitlab.revoke_group_deploy_token(2, 2)
+      end
+
+      it 'removes a group deploy token' do
+        expect(a_delete('/groups/2/deploy_tokens/2')).to have_been_made
+        expect(@token.to_hash).to be_empty
+      end
+    end
+  end
 end