Protected packages: npm packages push protection
requested to merge gitlab-community/gitlab:323970-protected-packages-npm-push-protection into master
What does this MR do and why?
- This MR enables the package protection for the package format 'npm'.
- When a `PackageProtectionRule` exists, newly pushed packages are protected, i.e. the push is rejected.
- This MR concentrates only on push protection for new packages; deletion protection of packages is out of scope for this MR.
- This MR is part of the EPIC Identify packages as protected to prevent accid... (&5574)
Screenshots or screen recordings
There are no visuals for this MR. The local validation steps contain a demo of the rejected command when a package is pushed.
How to set up and validate locally

1. Run the migrations:

   ```shell
   rails db:migrate
   ```

2. Enable the feature flag via `rails c`:

   ```ruby
   Feature.enable(:packages_protected_packages)
   ```

3. Open the rails console (`rails c`) and start playing around with the new model:

   ```ruby
   Packages::Protection::Rule.create(
     project: Project.find_by(name: "Flight"),
     package_name_pattern: "@flightjs/test-npm-package-*",
     package_type: :npm,
     push_protected_up_to_access_level: :owner
   )
   ```

4. Create a dummy project for an npm package to test publishing:

   ```shell
   # Go to a directory outside of the gitlab and gdk directory
   mkdir test-npm-package && cd test-npm-package
   npm init esm --yes
   ```

5. Adjust the package name in `package.json` and set it to `"@flightjs/test-npm-package-prod"` <= this should match the given `package_name_pattern` in step 3.
6. Create or adjust the file `.npmrc` in order to push the npm package to the GitLab registry, see https://docs.gitlab.com/ee/user/packages/npm_registry/#authenticating-via-the-npmrc
7. Publish the npm test package:

   ```shell
   NPM_TOKEN=ypCa3Dzb23o5nvsixwPA npm publish
   ```

8. Pushing the package should be blocked by the `Packages::Protection::Rule` 💥
9. Now, change the package name in `package.json` and set it to `"@flightjs/test-npm-package2-prod"` <= this will not match the given `package_name_pattern` in step 3.
10. Now, try again to publish the npm package:

    ```shell
    NPM_TOKEN=ypCa3Dzb23o5nvsixwPA npm publish
    ```

11. Pushing the npm package should not be blocked by the `Packages::Protection::Rule` as the package name does not match 👍
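To make the two outcomes of the validation steps above concrete, here is a small added model (not GitLab's own code, and not from this MR) of how a push can be checked against a rule like the one created in step 3. It assumes that `*` in `package_name_pattern` matches any run of characters and that a rule blocks every user whose role is at or below `push_protected_up_to_access_level`; both are assumptions for illustration.

```ruby
# Added illustration, not GitLab code: decide whether an npm publish is
# rejected by a protection rule. Access level numbers are GitLab's usual
# role values; the comparison semantics are an assumption.
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

ProtectionRule = Struct.new(:package_name_pattern, :package_type,
                            :push_protected_up_to_access_level, keyword_init: true) do
  # Turn the "*" wildcard pattern into an anchored regex; every other character
  # (including "@", "/", "." and "-" in scoped names) is matched literally.
  def pattern_regex
    parts = package_name_pattern.split('*', -1).map { |p| Regexp.escape(p) }
    Regexp.new("\\A#{parts.join('.*')}\\z")
  end

  # A rule only applies to its own package format and to names it matches.
  def matches?(name, type)
    package_type == type && pattern_regex.match?(name)
  end
end

# Returns :rejected when any rule matches the package and the pushing user's
# role is at or below the rule's protected level, otherwise :allowed.
def push_decision(rules, package_name:, package_type:, access_level:)
  user_level = ACCESS_LEVELS.fetch(access_level)
  blocked = rules.any? do |rule|
    rule.matches?(package_name, package_type) &&
      user_level <= ACCESS_LEVELS.fetch(rule.push_protected_up_to_access_level)
  end
  blocked ? :rejected : :allowed
end

# Constructed sample rule mirroring step 3 of the validation steps.
RULES = [
  ProtectionRule.new(package_name_pattern: '@flightjs/test-npm-package-*',
                     package_type: :npm,
                     push_protected_up_to_access_level: :owner)
].freeze

if __FILE__ == $PROGRAM_NAME
  # Step 8: the matching name is blocked even for an owner.
  p push_decision(RULES, package_name: '@flightjs/test-npm-package-prod',
                         package_type: :npm, access_level: :owner)   # => :rejected
  # Step 11: the non-matching name goes through.
  p push_decision(RULES, package_name: '@flightjs/test-npm-package2-prod',
                         package_type: :npm, access_level: :owner)   # => :allowed
end
```

The same check would let a non-npm package with an identical name through, because the rule is scoped to `package_type: :npm`.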
Todos

- Refactor code
MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

- I have evaluated the MR acceptance checklist for this MR.
- Changelog entry added, if necessary
- Documentation created/updated via this MR
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Tested in all supported browsers
- Conforms to the code review guidelines
- Conforms to the merge request performance guidelines
- Conforms to the style guides
- Conforms to the javascript style guides
- Conforms to the database guides
- Wait for Protected packages: Add model and migration for... (!124776 - merged) to be merged
- Wait for Protected packages: Adding new scope for_packag... (!131298 - merged) to be merged

Related to #323970
Edited by Gerardo Navarro