Use GitLab metadata to verify and troubleshoot packages
Problem to solve
The GitLab Package Registry allows users to build, publish and share images using the command line or GitLab CI/CD. GitLab also provides a user interface, where users can view, download and delete packages (Maven, npm, Conan) at the project and group level. However, the user interface does not include any information about who created a given package or how it was published.
This is a problem because users need that metadata to verify that a package was built correctly and to confirm they are using the correct version of the package.
User stories
- As a developer navigating to the Package Registry, I need to confirm that my package was built correctly and that I am using the correct version, so that I can ship high-quality code. (This user story comes from our most recent user survey.)
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
Proposal
Include build details, such as `pipeline_id`, `branch`, `commit` and `commit_sha`, for any package being hosted in the GitLab Package Registry that has been built utilizing GitLab CI/CD.
- `pipeline_id` should link to the pipeline details page to help users troubleshoot when something has gone wrong.
- `branch` and `commit` should link to their respective repositories to help the user find/verify the code that built a specific package.
- `commit_sha` should be easily copyable to ensure the user can leverage this information elsewhere.
Further details
User survey results
- Based on a recent survey, users ranked the metadata that is most important to them:
User interface
Permissions and Security
- There are no permissions changes required for this issue.
Documentation
- There are no documentation changes required for this issue.
What does success look like, and how can we measure that?
- Success looks like users being able to confirm that their package was built correctly and that they are using the correct version.
- We can measure this by measuring engagement with the Package Registry UI:
  - Page views
  - Links clicked in the UI
What is the type of buyer?
- Premium
Edited by Tim Rizzi