Breaking change: Allow guest users to pull packages from private projects on GitLab.com
Background
Currently, GitLab.com users cannot allow guest users to pull packages and container images from private projects. This functionality exists in self-managed instances via internal projects. We aim to provide similar flexibility for GitLab.com users while maintaining appropriate access controls.
Objective
Implement a breaking change to allow guest users to pull packages and container images from private projects on GitLab.com, aligning the experience with self-managed instances.
Implementation Details
- Update the permissions model to allow guest users to pull packages and container images from private projects by default.
- Implement this change as a breaking change in version 18.0.
- Use a feature flag to control this functionality until the official 18.0 release.
Timeline
- 17.6 (November 2023): Make the deprecation announcement
- 17.7 or 17.8 (December 2023 or January 2024): Schedule the implementation behind a feature flag
- 18.0 (May 2024): Remove the feature flag and fully implement the change
Communication Plan
- Create breaking change announcements in 17.6
- Update relevant documentation to reflect the upcoming changes
- Provide feature flag information for early testing and adoption
Success Criteria
- Guest users can pull packages and images from private projects on GitLab.com
- No degradation in system performance
- Clear documentation on the new behavior
- Smooth transition for users migrating from self-managed to GitLab.com
Open Questions
- Are there any security implications we need to consider?
- How will this change affect existing workflows and integrations?
- What metrics should we track to measure the impact of this change?
Edited by Tim Rizzi