Protected packages: Push protection for deploy token
requested to merge gitlab-community/gitlab:323970-protected-packages-npm-push-protection-follow-up-block-package-published-with-deploy-token into master
- Please check this box if this contribution uses AI-generated content (including content generated by GitLab Duo features) as outlined in the GitLab DCO & CLA
What does this MR do and why?
Protected packages: Push protection for deploy token
- Ensure that a protected package cannot be published with a deploy token when there is a package protection rule that matches the package name and type
- We discussed the user expectation and concluded that deploy tokens should not be able to publish packages that are protected by a package protection rule, see #323970 (comment 1978981115)
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
MR Checklist (@gerardo-navarro)
- Changelog entry added, if necessary
- Documentation created/updated via this MR
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Tested in all supported browsers
- Conforms to the code review guidelines
- Conforms to the merge request performance guidelines
- Conforms to the style guides
- Conforms to the javascript style guides
- Conforms to the database guides
Screenshots or screen recordings
| Before | After |
|---|---|
| Deploy tokens can always push (publish) a protected package. | Deploy tokens cannot push (publish) a package when a package protection rule exists for this package (matching only `package_name` and `package_type`, and disregarding `minimum_access_level_for_push`). |
How to set up and validate locally
1. Enable the feature flag via `rails c`:
   ```ruby
   Feature.enable(:packages_protected_packages)
   ```
2. Create a new package protection rule through the frontend at http://gdk.test:3000/flightjs/Flight/-/settings/packages_and_registries and use the following values:
   - Package name pattern: `@flightjs/test-npm-package-*`
   - Package type: `:npm`
   - Minimum access level for push: `:maintainer`
3. Create a dummy npm package project for testing publishing:
   ```shell
   # Go to a directory outside of the gitlab and gdk directory
   mkdir test-npm-package && cd test-npm-package
   npm init esm --yes
   ```
4. Adjust the package name in `package.json` and set it to `"@flightjs/test-npm-package-prod"`; this must match the package name pattern given in step 2.
5. Create or adjust `.npmrc` in order to push the npm package to the GitLab registry, see https://docs.gitlab.com/ee/user/packages/npm_registry/#authenticating-via-the-npmrc
6. Create a deploy token, see https://docs.gitlab.com/ee/user/project/deploy_tokens/#create-a-deploy-token
7. Publish the npm test package using the newly created deploy token:
   ```shell
   NPM_TOKEN=<deploy_token> npm publish
   ```
8. The package should be protected and must not have been published: `npm publish` should fail and the package should not appear in the project's Package Registry.
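The decision the validation steps above exercise can be summarised as a small model. The Ruby below is an added illustration written for this page, not GitLab's implementation: a rule matches on `package_name_pattern` (with `*` as the only wildcard, everything else literal) and `package_type` only; a deploy token is denied on any match regardless of `minimum_access_level_for_push`, while a user is compared against that level. The `actor` hash shape, the `ACCESS_LEVELS` table and the user branch are assumptions made for the example; the sample rule mirrors step 2.

```ruby
# Added example, not GitLab code. Models the push-protection decision described
# in this MR for deploy tokens versus users.

# Assumed numeric ordering of access levels (GitLab's usual role ordering).
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

ProtectionRule = Struct.new(
  :package_name_pattern, :package_type, :minimum_access_level_for_push,
  keyword_init: true
)

# Package name patterns use `*` as the only wildcard; every other character,
# including `.` and `@`, is matched literally, so escape the literal parts.
def pattern_to_regexp(pattern)
  body = pattern.split('*', -1).map { |literal| Regexp.escape(literal) }.join('.*')
  Regexp.new("\\A#{body}\\z")
end

# A rule applies when both the package type and the name pattern match.
# minimum_access_level_for_push is deliberately not consulted here.
def matching_rules(rules, package_name:, package_type:)
  rules.select do |rule|
    rule.package_type == package_type &&
      pattern_to_regexp(rule.package_name_pattern).match?(package_name)
  end
end

# actor is an assumed shape: { type: :deploy_token } or
# { type: :user, access_level: :developer }.
def push_allowed?(rules, actor, package_name:, package_type:)
  matches = matching_rules(rules, package_name: package_name, package_type: package_type)
  return true if matches.empty?

  # Deploy tokens are blocked by any matching rule, whatever the rule's
  # minimum_access_level_for_push says.
  return false if actor[:type] == :deploy_token

  # Users must satisfy the strictest matching rule (assumed semantics).
  required = matches.map { |rule| ACCESS_LEVELS.fetch(rule.minimum_access_level_for_push) }.max
  ACCESS_LEVELS.fetch(actor[:access_level]) >= required
end

# Constructed sample rule, mirroring the rule created in step 2 above.
RULES = [
  ProtectionRule.new(
    package_name_pattern: '@flightjs/test-npm-package-*',
    package_type: :npm,
    minimum_access_level_for_push: :maintainer
  )
].freeze

DEPLOY_TOKEN = { type: :deploy_token }.freeze

if __FILE__ == $PROGRAM_NAME
  [
    [DEPLOY_TOKEN, '@flightjs/test-npm-package-prod', :npm],
    [DEPLOY_TOKEN, '@flightjs/unprotected', :npm],
    [{ type: :user, access_level: :developer }, '@flightjs/test-npm-package-prod', :npm],
    [{ type: :user, access_level: :maintainer }, '@flightjs/test-npm-package-prod', :npm]
  ].each do |actor, name, type|
    puts "#{actor.inspect} -> #{name} (#{type}): #{push_allowed?(RULES, actor, package_name: name, package_type: type)}"
  end
end
```

The point worth checking when reviewing the real change is the same one the model makes explicit: the deploy-token branch must return before any access-level comparison, otherwise a rule with a low `minimum_access_level_for_push` would silently let the token through.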
💾 Database review
Related to #323970
Edited by David Fernandez