
Add protection to ContainerRepositoryTagType

Overview

In this MR, we allow the fetching of protection of a specific tag via the ContainerRepositoryTagType in GraphQL.

Among the tag protection rules for the project, we take the maximum access levels from the rules whose tag_name_pattern matches the name of the ContainerRepository::Tag.

How to set up and validate locally

  1. Prepare a project with several container registry tags on it.
  2. Create several tag protection rules for the project. Create some rules that match the registry tags and some that don't.
project = Project.find(id)

# will not match a tag, unless that tag has the name `thiswillnotmatch`
project.container_registry_protection_tag_rules.create(tag_name_pattern: "thiswillnotmatch", minimum_access_level_for_push: "maintainer", minimum_access_level_for_delete: "maintainer")

# will always match a tag
project.container_registry_protection_tag_rules.create(tag_name_pattern: ".*", minimum_access_level_for_push: "maintainer", minimum_access_level_for_delete: "owner")

# another rule that matches the tag, update `name` to the tag name to make sure it matches
project.container_registry_protection_tag_rules.create(tag_name_pattern: "name", minimum_access_level_for_push: "owner", minimum_access_level_for_delete: "maintainer")

A. When the flag is enabled

  1. Enable the container_registry_protected_tags feature flag:
Feature.enable(:container_registry_protected_tags, project)
  2. Query the following in GraphQL. Replace container-repository-id with the ID of the container repository that the tags belong to:
query {
  containerRepository(id: "gid://gitlab/ContainerRepository/container-repository-id") {
    id
    tagsCount
    tags(first: 5) {
      nodes {
        name
        protection {
          minimumAccessLevelForPush
          minimumAccessLevelForDelete
        }
      }
    }
  }
}
  3. You should be able to see the protection rules that match the tag name.
{
  "data": {
    "containerRepository": {
      "id": "gid://gitlab/ContainerRepository/226",
      "tagsCount": 1,
      "tags": {
        "nodes": [
          {
            "name": "tag1",
            "protection": {
              "minimumAccessLevelForPush": "OWNER",
              "minimumAccessLevelForDelete": "OWNER"
            }
          }
        ]
      }
    }
  }
}

B. When the flag is disabled

  1. Disable the container_registry_protected_tags feature flag:
Feature.disable(:container_registry_protected_tags, project)
  2. Use the same query as in (2.) above, where the flag is enabled.

  3. It should return nil for protection:

{
  "data": {
    "containerRepository": {
      "id": "gid://gitlab/ContainerRepository/226",
      "tagsCount": 1,
      "tags": {
        "nodes": [
          {
            "name": "tag1",
            "protection": null
          }
        ]
      }
    }
  }
}

MR acceptance checklist

✔️ Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #499870

Edited by Adie (she/her)
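
The resolution described in the Overview, as an added example that is not part of this MR or of GitLab's code: it keeps the rules whose tag_name_pattern matches the tag name and returns the strictest push and delete levels among them. `Rule`, `ACCESS_RANK`, `protection_for` and `flag_enabled` are hypothetical names; matching the whole tag name, using Ruby's `Regexp` for the pattern, and returning nil when no rule matches are assumptions of this sketch.

```ruby
# Added illustration only; names and matching semantics are assumptions.

# Ordering used to compare levels (a higher rank is stricter).
ACCESS_RANK = { "maintainer" => 40, "owner" => 50, "admin" => 60 }.freeze

# Plain stand-in for a tag protection rule record.
Rule = Struct.new(:tag_name_pattern,
                  :minimum_access_level_for_push,
                  :minimum_access_level_for_delete,
                  keyword_init: true)

# Assumption: the pattern has to match the whole tag name, so "tag1"
# does not protect "tag10". Ruby's Regexp stands in for the real matcher.
def rule_matches?(rule, tag_name)
  Regexp.new("\\A(?:#{rule.tag_name_pattern})\\z").match?(tag_name)
end

# Strictest level in a list; an unknown level raises KeyError instead of
# being silently ranked lowest.
def strictest(levels)
  levels.max_by { |level| ACCESS_RANK.fetch(level) }
end

# Returns nil when the flag is off (section B) or when no rule matches
# (assumption); otherwise the maximum level per action across the
# matching rules (section A).
def protection_for(tag_name, rules, flag_enabled: true)
  return nil unless flag_enabled

  matching = rules.select { |rule| rule_matches?(rule, tag_name) }
  return nil if matching.empty?

  {
    minimum_access_level_for_push:
      strictest(matching.map(&:minimum_access_level_for_push)),
    minimum_access_level_for_delete:
      strictest(matching.map(&:minimum_access_level_for_delete))
  }
end

# The three rules from the setup steps, with `name` set to "tag1".
RULES = [
  Rule.new(tag_name_pattern: "thiswillnotmatch", minimum_access_level_for_push: "maintainer", minimum_access_level_for_delete: "maintainer"),
  Rule.new(tag_name_pattern: ".*", minimum_access_level_for_push: "maintainer", minimum_access_level_for_delete: "owner"),
  Rule.new(tag_name_pattern: "tag1", minimum_access_level_for_push: "owner", minimum_access_level_for_delete: "maintainer")
].freeze
```

No single rule sets OWNER for both actions on tag1: the push level comes from the `tag1` rule and the delete level from the `.*` rule, which is why the response in section A shows OWNER for both.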
