Deploy token support for the Composer package registry
🔎 What does this MR do and why?
Adds deploy token access to the Composer package registry.
All other package formats allow access with deploy tokens, so this change brings Composer in conformity with the standards for the package registry.
💾 Database
The GroupPackagesFinder is updated, but no queries in the finder are changed.
We add a conditional that changes the set of projects used in the Finder query. This is very similar to the logic used to find projects visible to a user in the Project model.
📹 Screenshots or screen recordings
Publishing/registering a package with a deploy token:
→ curl --data tag=v1.0.0 --header "Deploy-Token: <deploy_token>" "http://gdk.test:3001/api/v4/projects/87/packages/composer"
{"message":"201 Created"}
Installing a package with a deploy token:
→ composer config gitlab-token.gdk.test:3001 <token-username> <deploy-token>
→ composer update
Loading composer repositories with package information
Updating dependencies
Lock file operations: 1 install, 0 updates, 0 removals
- Locking sabrams/composer-testasdfa (1.0.0)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 1 install, 0 updates, 0 removals
- Installing sabrams/composer-testasdfa (1.0.0): Extracting archive
Generating autoload files
💻 How to set up and validate locally
- Create a group and a project within that group.
- Create a project deploy token (Project -> Settings -> Repository) and/or a group deploy token (Group -> Settings -> Repository) to use for testing.
- Follow the Composer docs to publish and install a package. I've included details below specific to using deploy tokens.
Publish/register a package
- In the project, commit a composer.json file with contents like:
  { "name": "foo/composer-test", "type": "library", "license": "GPL-3.0-only", "version": "1.0.0" }
- Create a tag for v1.0.0 (you can use the command line and push the tag, or do this in the UI via Repository -> Tags).
- Register the package using the deploy token:
  curl --data tag=v1.0.0 --header "Deploy-Token: <deploy_token>" "http://gdk.test:3001/api/v4/projects/<project_id>/packages/composer"
- You should receive a 201 response. In the UI, navigate to Packages & Registries -> Package Registry to view your package.
Install a package
- Locally, create a directory and add a composer.json file in that directory, replacing <group_id> with your group ID:
  {
    "name": "foo/install-test",
    "type": "library",
    "license": "GPL-3.0-only",
    "version": "0.0.1",
    "repositories": {
      "<group_id>": { "type": "composer", "url": "http://gdk.test:3001/api/v4/group/<group_id>/-/packages/composer/" }
    },
    "config": { "gitlab-domains": ["gdk.test:3001"] },
    "require": { "foo/composer-test": "1.0.0" }
  }
- Create an auth.json file with your deploy token username and token:
  { "gitlab-token": { "gdk.test:3001": { "username": "<deploy_token_username>", "token": "<deploy_token>" } } }
- Run composer update to install the package. The command output should show a successful installation:
  ...
  Lock file operations: 1 install, 0 updates, 0 removals
  - Locking foo/composer-test (1.0.0)
  Writing lock file
  Installing dependencies from lock file (including require-dev)
  Package operations: 1 install, 0 updates, 0 removals
  - Downloading foo/composer-test (1.0.0)
  - Installing foo/composer-test (1.0.0): Extracting archive
  ...
- To re-run the installation (if testing multiple tokens), remove the composer.lock file and vendor/ directory.
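The install steps above, scripted so the same package can be installed repeatedly with different deploy tokens (for example a project token and then a group token). This is an added example, not part of the MR; it assumes the gdk.test:3001 host and the foo/composer-test 1.0.0 package from the steps, and a DRY_RUN=1 switch that skips the composer run so the file helpers can be checked offline.

```shell
#!/bin/sh
# Added example (not part of the MR): scripts the "Install a package" steps above
# so the install can be repeated against several deploy tokens.
# Assumes the gdk.test:3001 host and foo/composer-test 1.0.0 from the MR;
# DRY_RUN=1 skips the composer run so the file helpers can be checked offline.
set -eu

DOMAIN="${DOMAIN:-gdk.test:3001}"

# composer.json pointing Composer at the group-level Composer registry endpoint.
write_composer_json() {  # $1 = group id, $2 = target directory
  cat > "$2/composer.json" <<EOF
{
  "name": "foo/install-test",
  "type": "library",
  "license": "GPL-3.0-only",
  "version": "0.0.1",
  "repositories": {
    "$1": { "type": "composer", "url": "http://$DOMAIN/api/v4/group/$1/-/packages/composer/" }
  },
  "config": { "gitlab-domains": ["$DOMAIN"] },
  "require": { "foo/composer-test": "1.0.0" }
}
EOF
}

# auth.json with the deploy token; mode 600 so the token is not world-readable.
write_auth_json() {  # $1 = deploy token username, $2 = deploy token, $3 = directory
  cat > "$3/auth.json" <<EOF
{ "gitlab-token": { "$DOMAIN": { "username": "$1", "token": "$2" } } }
EOF
  chmod 600 "$3/auth.json"
}

# Drop composer.lock and vendor/ so the next install exercises the token again.
reset_install() {  # $1 = directory
  rm -rf "$1/composer.lock" "$1/vendor"
}

# Fresh install with the given token, then check the package really landed.
install_with_token() {  # $1 = group id, $2 = username, $3 = token, $4 = directory
  reset_install "$4"
  write_composer_json "$1" "$4"
  write_auth_json "$2" "$3" "$4"
  [ "${DRY_RUN:-0}" = 1 ] && return 0
  (cd "$4" && composer update) && [ -d "$4/vendor/foo/composer-test" ]
}
```

Call install_with_token once per token you want to verify; a token that lacks read_package_registry access will fail at the composer update step rather than silently reuse the previous vendor/ tree.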
📐 MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related: #240897 (closed)