Protected packages: PyPI package push protection
requested to merge gitlab-community/gitlab:323971-protected-packages-pypi-push-protection into master
What does this MR do and why?
- Push protecting pypi packages when a package protection rule exists.
- Enabling pypi as a valid package type for package protection rules.
- This MR enables the package protection for the package format 'pypi'.
- When a `PackageProtectionRule` exists, newly pushed pypi packages will be protected / rejected.
- This MR concentrates only on push protection for pypi packages; delete protection of pypi packages is out of scope for this MR.
- This MR is part of the EPIC Identify packages as protected to prevent accid... (&5574)
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
MR Checklist (@gerardo-navarro)
- Changelog entry added, if necessary
- Documentation created/updated via this MR
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Tested in all supported browsers
- Conforms to the code review guidelines
- Conforms to the merge request performance guidelines
- Conforms to the style guides
- Conforms to the javascript style guides
- Conforms to the database guides
Individual Notes (@gerardo-navarro)
Todos
Other refactoring opportunities
- Rename helper on top of file
- Expect to be like the param
- Extract to shared examples
- Assess why it is possible to define a user with no attachment to a project => check if there is a bug
- Check if deploy token can be used with the pypi create package service
- Return proper error message when the package is already taken (pushing the same Python package over and over again)
Warnings
```
be rspec /Users/client-siemens/Development/gitlab-development-kit/gitlab/spec/requests/api/pypi_packages_spec.rb
WARNING: Shared example group 'creating pypi package files' has been previously defined at:
  /Users/client-siemens/Development/gitlab-development-kit/gitlab/spec/support/shared_examples/requests/api/pypi_packages_shared_examples.rb:4
...and you are now defining it at:
  /Users/client-siemens/Development/gitlab-development-kit/gitlab/spec/support/shared_examples/requests/api/pypi_packages_shared_examples.rb:4
The new definition will overwrite the original one.
WARNING: Shared example group 'creating pypi package files' has been previously defined at:
  /Users/client-siemens/Development/gitlab-development-kit/gitlab/spec/support/shared_examples/requests/api/pypi_packages_shared_examples.rb:4
...and you are now defining it at:
  /Users/client-siemens/Development/gitlab-development-kit/gitlab/spec/support/shared_examples/requests/api/pypi_packages_shared_examples.rb:4
The new definition will overwrite the original one.
WARNING: Shared example group 'creating pypi package files' has been previously defined at:
  /Users/client-siemens/Development/gitlab-development-kit/gitlab/spec/support/shared_examples/requests/api/pypi_packages_shared_examples.rb:4
...and you are now defining it at:
  /Users/client-siemens/Development/gitlab-development-kit/gitlab/spec/support/shared_examples/requests/api/pypi_packages_shared_examples.rb:4
The new definition will overwrite the original one.
Run options: include {:focus=>true}
```
Screenshots or screen recordings
There are no significant frontend changes in this MR. In the settings section for the package protection rules, there is a new option for the package type PyPI.
The most significant change is related to the backend when a pypi package is pushed to the package registry and the pypi package protection rule is evaluated.
How to set up and validate locally
- Enable the feature flags via `rails c`:

  ```ruby
  Feature.enable(:packages_protected_packages)
  Feature.enable(:packages_protected_packages_pypi)
  ```

- Open the rails console (`rails c`) and start playing around with the new model:

  ```ruby
  Packages::Protection::Rule.create(
    project: Project.find_by(name: "Flight"),
    package_name_pattern: "protected-packages-examples-pypi-python-package",
    package_type: :pypi,
    minimum_access_level_for_push: :admin
  )
  ```

- Create a dummy pypi Python package
  - Adjust the package name in `pyproject.toml` and set it to `"protected-packages-examples-pypi-python-package"` <= this should match the given `package_name_pattern` in step 2
  - Create or adjust the file `.pypirc` in order to push the pypi package to your local GitLab registry, see https://docs.gitlab.com/ee/user/packages/pypi_repository/#publish-a-pypi-package
- Build the pypi package and publish it:

  ```shell
  rm dist/* &&
  python3 -m build &&
  python3 -m twine upload --verbose --repository gitlab_gdk_test dist/*
  ```

- Pushing the pypi package should be blocked by the `Packages::Protection::Rule` created in step 3 💥
- Now, change the package name in `pyproject.toml` and set it to `"protected-packages-examples-pypi-python-package-other"` <= this will not match the given `package_name_pattern` in step 3
- Build the pypi package and publish it again:

  ```shell
  rm dist/* &&
  python3 -m build &&
  python3 -m twine upload --verbose --repository gitlab_gdk_test dist/*
  ```

- Pushing the pypi package should not be blocked by the `Packages::Protection::Rule` as the package name does not match 👍
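To make the blocked / not-blocked outcomes of the validation steps above concrete, here is an added Ruby model of how a protection rule is evaluated on a pypi push (example code written for this page, not GitLab's implementation). It reuses the rule from the rails console step; treating `*` in `package_name_pattern` as a wildcard, ordering `:admin` above `:owner` in the access levels, and treating a deploy token as having no access level are assumptions.

```ruby
# Added example, not GitLab's code: a minimal model of how a
# Packages::Protection::Rule is evaluated when a pypi package is pushed.
# Access levels use GitLab's numeric scheme; :admin ordered above :owner
# is an assumption about this MR's minimum_access_level_for_push enum.
ACCESS_LEVELS = {
  guest: 10, reporter: 20, developer: 30,
  maintainer: 40, owner: 50, admin: 60
}.freeze

ProtectionRule = Struct.new(:package_name_pattern, :package_type,
                            :minimum_access_level_for_push,
                            keyword_init: true) do
  # Assumption: '*' in the pattern is a wildcard, everything else is literal.
  def pattern_regex
    @pattern_regex ||= Regexp.new(
      '\A' + Regexp.escape(package_name_pattern).gsub('\*', '.*') + '\z'
    )
  end

  # A rule only applies to packages of its own package_type (pypi here).
  def matches?(name, type)
    type == package_type && pattern_regex.match?(name)
  end
end

# Returns :allowed or :protected for a push of package_name / package_type by
# a pusher with the given access level. nil models a principal with no project
# membership (e.g. a deploy token); treating it as below any minimum is an
# assumption, see the deploy token todo in the notes above.
def push_protection_decision(rules, package_name:, package_type:, access_level:)
  applicable = rules.select { |r| r.matches?(package_name, package_type) }
  return :allowed if applicable.empty?

  pusher_level = access_level ? ACCESS_LEVELS.fetch(access_level) : 0
  # If several rules match the name, the strictest minimum wins.
  required = applicable.map { |r| ACCESS_LEVELS.fetch(r.minimum_access_level_for_push) }.max
  pusher_level >= required ? :allowed : :protected
end

# The rule created in the rails console step above.
RULES = [
  ProtectionRule.new(package_name_pattern: 'protected-packages-examples-pypi-python-package',
                     package_type: :pypi, minimum_access_level_for_push: :admin)
].freeze

if __FILE__ == $PROGRAM_NAME
  puts push_protection_decision(RULES, package_name: 'protected-packages-examples-pypi-python-package',
                                package_type: :pypi, access_level: :maintainer) # prints "protected"
end
```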
Related to #323971
Edited by Gerardo Navarro