Add a group-level endpoint to the Go module proxy
Followup to #27376 (closed), !27746 (merged)
Background
Go uses a source-based dependency management system, whereas most other dependency management systems are artifact-based. That is to say, Go dependencies are ultimately fetched directly from their source VCS repository, but dependencies in other systems are artifacts that have been uploaded to a package repository. Another unique feature of the Go ecosystem is that the name of a package (excluding stdlib) must be a valid URL, sans the scheme (e.g. golang.org/x/text). Thus, Go modules are defined by the source repository and have unique names.
Problem to solve
A group-level Go proxy endpoint should be added to ee/lib/api/go_proxy.rb, to allow all Go modules in a group to be fetched from a single endpoint. Currently, the Go module proxy (MVC) only has a project-level endpoint. Given how Go is configured, this requires an entry in GOPROXY (an environment variable) for each project.
Additionally, this would allow configuration of the Go module proxy on a per-group basis.
Intended users
- Rachel (Release Manager)
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
Further details
TODO
Proposal
ee/lib/api/go_proxy.rb currently exposes an API at /projects/:id/packages/go/*module_name/@v/... Another should be added at /groups/:id/packages/go/*module_name/@v/...
Given that Go module names are always a URL, and given that the current implementation* only exposes modules that match the project they are contained in, namespace collisions are not a concern.
* #213761 would allow a project to host modules that use an external URL. It would also require validation that the URL directs Go to that project. This should prevent any collisions between external 'vanity URLs'.
Permissions and Security
The logic for resolving a Go module to a GitLab project is straightforward. From there, the existing validation that checks if the authenticated user is authorized to view the modules of the project should suffice.
Documentation
- administration/packages/index.md
- user/packages/go_proxy/index.md
- development/packages.md
- api/packages.md
Availability & Testing
TODO
What does success look like, and how can we measure that?
There is a group-level endpoint that conforms to the Go module proxy specification (see go help goproxy) that exposes the Go modules of projects within the group.
What is the type of buyer?
- Individual Contributor
- Manager
- Director
Is this a cross-stage feature?
Not sure.
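The resolution and authorization step described under Permissions and Security, shown for the group-level endpoint as an added example (not GitLab's code and not part of the original issue). The Project struct, the GroupGoResolver class, the host gitlab.example.com and the sample projects are hypothetical; it assumes a module name is the instance host followed by the project's full path and an optional subdirectory.

```ruby
# Added illustration, not GitLab code. Project, GroupGoResolver, the host
# and the sample projects below are hypothetical (constructed for this example).
Project = Struct.new(:full_path, :readers)

class GroupGoResolver
  def initialize(host, group_path, projects)
    @host = host
    # Only projects inside the group or its subgroups are candidates. The
    # trailing "/" keeps a sibling such as "acme-labs" out of group "acme".
    @by_path = projects
               .select { |p| p.full_path.start_with?("#{group_path}/") }
               .to_h { |p| [p.full_path, p] }
  end

  # Returns the Project hosting module_name, or nil. nil covers "unknown",
  # "outside this group" and "not authorized" alike, so the endpoint can
  # answer 404 for all three and not reveal that a private project exists.
  def resolve(module_name, user)
    host, _, path = module_name.partition('/')
    return nil unless host == @host

    segments = path.split('/')
    return nil if segments.empty? || segments.any? { |s| s.empty? || %w[. ..].include?(s) }

    # A module may sit in a subdirectory of its project, so try every path
    # prefix, longest first, against the group's projects.
    project = segments.length.downto(1)
                      .map { |n| @by_path[segments.first(n).join('/')] }
                      .compact.first
    return nil unless project

    # Authorization is decided per project; being able to call the group
    # endpoint grants nothing by itself.
    project.readers.include?(user) ? project : nil
  end
end

PROJECTS = [
  Project.new('acme/tools/cli', %w[alice bob]),
  Project.new('acme/secret/vault', %w[alice]),
  Project.new('acme-labs/cli', %w[bob]) # outside group "acme"
].freeze
RESOLVER = GroupGoResolver.new('gitlab.example.com', 'acme', PROJECTS)
```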