Add configuration of access_level for runners on registration via API

Allow setting access_level of new runner to not_protected (default) or ref_protected
Minor update to relevant docs and tests

4 files changed, 35 insertions, 1 deletions

diff --git a/changelogs/unreleased/add-runner-access-level-registration.yml b/changelogs/unreleased/add-runner-access-level-registration.yml
new file mode 100644
index 00000000000..7ae95025abb
--- /dev/null
+++ b/changelogs/unreleased/add-runner-access-level-registration.yml
@@ -0,0 +1,5 @@
+---
+title: Add option to set access_level of runners upon registration
+merge_request: 27490
+author: Zelin L
+type: added
diff --git a/doc/api/runners.md b/doc/api/runners.md
index 46f7b1d2a25..2d91428d1c1 100644
--- a/doc/api/runners.md
+++ b/doc/api/runners.md
@@ -486,6 +486,7 @@ POST /runners
 | `locked`     | boolean| no       | Whether the Runner should be locked for current project |
 | `run_untagged` | boolean | no | Whether the Runner should handle untagged jobs |
 | `tag_list` | Array[String] | no | List of Runner's tags |
+| `access_level`    | string   | no       | The access_level of the runner; `not_protected` or `ref_protected` |
 | `maximum_timeout` | integer | no | Maximum timeout set when this Runner will handle the job |
 
 ```
diff --git a/lib/api/runner.rb b/lib/api/runner.rb
index c60d25b88cb..ea36c24eca2 100644
--- a/lib/api/runner.rb
+++ b/lib/api/runner.rb
@@ -15,12 +15,14 @@ module API
         optional :info, type: Hash, desc: %q(Runner's metadata)
         optional :active, type: Boolean, desc: 'Should Runner be active'
         optional :locked, type: Boolean, desc: 'Should Runner be locked for current project'
+        optional :access_level, type: String, values: Ci::Runner.access_levels.keys,
+                                desc: 'The access_level of the runner'
         optional :run_untagged, type: Boolean, desc: 'Should Runner handle untagged jobs'
         optional :tag_list, type: Array[String], desc: %q(List of Runner's tags)
         optional :maximum_timeout, type: Integer, desc: 'Maximum timeout set when this Runner will handle the job'
       end
       post '/' do
-        attributes = attributes_for_keys([:description, :active, :locked, :run_untagged, :tag_list, :maximum_timeout])
+        attributes = attributes_for_keys([:description, :active, :locked, :run_untagged, :tag_list, :access_level, :maximum_timeout])
           .merge(get_runner_details_from_request)
 
         attributes =
diff --git a/spec/requests/api/runner_spec.rb b/spec/requests/api/runner_spec.rb
index 3585a827838..29515709a74 100644
--- a/spec/requests/api/runner_spec.rb
+++ b/spec/requests/api/runner_spec.rb
@@ -168,6 +168,32 @@ describe API::Runner, :clean_gitlab_redis_shared_state do
         end
       end
 
+      context 'when access_level is provided for Runner' do
+        context 'when access_level is set to ref_protected' do
+          it 'creates runner' do
+            post api('/runners'), params: {
+                                    token: registration_token,
+                                    access_level: 'ref_protected'
+                                  }
+
+            expect(response).to have_gitlab_http_status 201
+            expect(Ci::Runner.first.ref_protected?).to be true
+          end
+        end
+
+        context 'when access_level is set to not_protected' do
+          it 'creates runner' do
+            post api('/runners'), params: {
+                                    token: registration_token,
+                                    access_level: 'not_protected'
+                                  }
+
+            expect(response).to have_gitlab_http_status 201
+            expect(Ci::Runner.first.ref_protected?).to be false
+          end
+        end
+      end
+
       context 'when maximum job timeout is specified' do
         it 'creates runner' do
           post api('/runners'), params: {