Add job and deploy token authentication to npm dist-tag routes.
Problem to solve
As discussed in #220985 (comment 420787332)
It looks like the npm dist tag
routes simply don't support job tokens or deploy tokens (only the install and publish routes do).
This prevents you from being able to add tags using GitLab CI. Which is a major blocker for many in the Community.
Intended users
User experience goal
Users of GitLab's NPM registry should be able to use npm
(the command-line tool) exactly the same way as they do when interacting with packages on https://www.npmjs.com/.
Proposal
Add job token and deploy token auth to npm dist-tag routes.
Workaround available
A workaround has been identified here #258835 (comment 511212800)
A workaround, that worked for us was to use
npm publish --tag
directly without the explicit call tonpm dist-tag
.
Documentation
- Add CI examples to https://docs.gitlab.com/ee/user/packages/npm_registry/#npm-distribution-tags
- Remove note added in !43791 (merged)
What does success look like, and how can we measure that?
Users of the GitLab NPM registry can tag their dependencies using GItLab CI.
Metrics
- Measure npm dist-tag routes via snowplow, so that we can understand how often this route is used on GitLab.com.