Reject Incoming API Writes on During Final Import

Context

During the migration, we lock repositories in read-only mode as described in the Gradual Migration Plan on the rails side via refusing to issue API tokens requesting write scopes for that repository.

Problem

Since tokens are valid for some time, this locking is not absolute in call cases. The worst case for this would be locking a repository directly after issuing and API token with write scopes.

Currently, there's no mechanism to enforce read-only at the repository level on the container registry and the instance-wide read-only mode is accomplished by dynamically removing write request routes of the registry API, so that cannot be adapted for this purpose.

Proposal

Cancel Imports on Write

During the migration, all requests are routed before interacting with the API handlers. If we mark detect an incoming write for a repository being migrated, we can flag that import as canceled via the migration_status column and retry the import at a later time.

Reject Incoming API Writes on Import

During the migration, all requests are routed before interacting with the API handlers. If we mark detect an incoming write for a repository during final import, we can reject that write request to allow the final import to continue un interrupted.

There is a risk of repositories getting stuck in import_in_progress so rails should cancel the import via (DELETE)#526 (closed)) for very long-running final imports.