1 files changed, 17 insertions, 2 deletions

diff --git a/app/workers/personal_access_tokens/expiring_worker.rb b/app/workers/personal_access_tokens/expiring_worker.rb
index f9940d9d014..7a016c85a64 100644
--- a/app/workers/personal_access_tokens/expiring_worker.rb
+++ b/app/workers/personal_access_tokens/expiring_worker.rb
@@ -7,17 +7,32 @@ module PersonalAccessTokens
 
     feature_category :authentication_and_authorization
 
+    MAX_TOKENS = 100
+
     def perform(*args)
       notification_service = NotificationService.new
       limit_date = PersonalAccessToken::DAYS_TO_EXPIRE.days.from_now.to_date
 
       User.with_expiring_and_not_notified_personal_access_tokens(limit_date).find_each do |user|
         with_context(user: user) do
-          notification_service.access_token_about_to_expire(user)
+          expiring_user_tokens = user.personal_access_tokens.without_impersonation.expiring_and_not_notified(limit_date)
+
+          # rubocop: disable CodeReuse/ActiveRecord
+          # We never materialise the token instances. We need the names to mention them in the
+          # email. Later we trigger an update query on the entire relation, not on individual instances.
+          token_names = expiring_user_tokens.limit(MAX_TOKENS).pluck(:name)
+          # We're limiting to 100 tokens so we avoid loading too many tokens into memory.
+          # At the time of writing this would only affect 69 users on GitLab.com
+
+          # rubocop: enable CodeReuse/ActiveRecord
+
+          notification_service.access_token_about_to_expire(user, token_names)
 
           Gitlab::AppLogger.info "#{self.class}: Notifying User #{user.id} about expiring tokens"
 
-          user.personal_access_tokens.without_impersonation.expiring_and_not_notified(limit_date).update_all(expire_notification_delivered: true)
+          expiring_user_tokens.each_batch do |expiring_tokens|
+            expiring_tokens.update_all(expire_notification_delivered: true)
+          end
         end
       end
     end