API endpoint to list (tag) attachments
Description
I have this binary built on the excellent GitLab.com CI runners. I want to make it possible for clients to automatically self-upgrade that binary. For this to be somewhat secure, I wish to deploy some cryptographic signatures (based on sigtool, itself based on signify). For this to make sense at all, the private keys need to be stored somewhere private - ideally, I would keep the keys on my own computer or offline, so they can't be reproduced trivially by any attacker with access to the repository.
Ideally, I would upload the signature along with the other artifacts, which would work assuming that my builds are reproducible (which they should be). But as far as I know, it's not possible to add new files to the artifacts once a build job is complete. I feel my use case is narrow enough that it doesn't warrant adding that feature which would muddy the waters as to what artifacts are for exactly.
So my idea is to upload the signature files on the tags release notes, possibly along with the binaries if they can't be built reproducibly.
Proposal
Right now there's a list tags endpoint in the API that almost does what I want. It lists the tags, the release id, notes, commits and so on. While I could parse the markdown to find links to `[whatever](/uploads/checksum/file.sig)`, that seems rather clunky and error-prone. What if the link syntax changes slightly? What if the link to the file gets removed but the file is still there? (Is that even possible?) What if for some reason I actually write `` `[whatever](/uploads/checksum/file.sig)` `` (with the backquotes) in release notes? Then I need to implement a full markdown parser to distinguish this...
It would seem to me much cleaner to be able to list the files attached to tags. The same possibly applies to issues, which can also have attachments but do not show up in the API either. Issue comments do have attachments, however, which seems to be a weird inconsistency that could be more broadly resolved as well. I guess the same applies to milestones and other objects as well.
Links / references
- issues API (no attachments)
- notes API (attachments)
- MR API (no attachments)
- tags API (no attachments)
- milestone API (no attachments)
- builds API (lacking the upload functionality)
- example API response for my project (notice the release notes with links that do not show up as distinct attachment listings)
- details of the 0.9 tag (no attachment there either)