Use the GitLab API to verify images hosted in the GitLab Container Registry
Problem to solve
The GitLab Container Registry allows users to build, publish and share Docker images right alongside their source code and pipelines. They can view these images in the GitLab application by navigating to their group's or project's Packages --> Container Registry page.
We know from a recent round of user research that the most common reasons users navigate to this portion of the user interface are to verify that an image was built properly or to troubleshoot when something has gone wrong. We learned that it is important for organizations to be able to identify images that have been confirmed to have been built properly, have passed a series of tests, or have been approved for use by an individual.
The problem is that we do not currently give users a way of identifying these images and, aside from the image name, no way to visually represent this within the application.
Intended users
- Rachel (Release Manager)
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
Further details
- #35922 proposes adding a UI element to visually represent verified packages/images.
Proposal
Add a new series of API endpoints to the Container Registry API that will allow users to list, verify and unverify Docker images hosted in the GitLab Package Registry.
- Only allow a single tag of an image to be verified at any one time
- If a new tag of an image is verified, it will remove the verification from the prior version
- Don't track history but store who performed the last action
List verified images
GET: projects/{:project_id}/packages/{:image_id}/verify
Add a verified label to an image
POST: projects/{:project_id}/packages/{:image_id}/verify
Delete a verified label from an image
DELETE: projects/{:project_id}/packages/{:image_id}/verify
Permissions and Security
- Developers and above can utilize the API, similar to the rest of the Container Registry API.
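The rules in the Proposal (one verified tag per image, the newest verification replaces the prior one, only the last actor is stored) together with the Developer-and-above permission rule, as an added in-memory reference model. This is illustrative code written for this issue, not GitLab's implementation; the access-level numbers (30 = Developer) follow GitLab's documented values, and the endpoint mapping in the comments is the proposed one, not an existing API.

```python
# Added example: reference model of the proposed verify/unverify semantics.
# Not GitLab code. Access levels: 30 = Developer, 40 = Maintainer, 50 = Owner.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

DEVELOPER = 30


class PermissionDenied(Exception):
    """Raised when the caller is below Developer access level."""


@dataclass
class ImageVerification:
    verified_tag: Optional[str]   # None when no tag currently carries the label
    last_action: str              # "verify" or "unverify"; no history is kept
    last_actor: str               # who performed the last action
    last_changed: datetime


class VerificationStore:
    """Keyed by (project_id, image_id); at most one verified tag per image."""

    def __init__(self) -> None:
        self._records: Dict[Tuple[int, int], ImageVerification] = {}

    @staticmethod
    def _require_developer(access_level: int) -> None:
        if access_level < DEVELOPER:
            raise PermissionDenied("Developer access or above required")

    def list_verified(self, project_id: int) -> Dict[int, ImageVerification]:
        # GET .../verify: only images that currently carry a verified label
        return {img: rec for (proj, img), rec in self._records.items()
                if proj == project_id and rec.verified_tag is not None}

    def verify(self, project_id: int, image_id: int, tag: str,
               actor: str, access_level: int) -> ImageVerification:
        # POST .../verify: the new tag replaces whatever tag was verified before
        self._require_developer(access_level)
        rec = ImageVerification(tag, "verify", actor, datetime.now(timezone.utc))
        self._records[(project_id, image_id)] = rec
        return rec

    def unverify(self, project_id: int, image_id: int,
                 actor: str, access_level: int) -> ImageVerification:
        # DELETE .../verify: drop the label but remember who removed it
        self._require_developer(access_level)
        rec = ImageVerification(None, "unverify", actor, datetime.now(timezone.utc))
        self._records[(project_id, image_id)] = rec
        return rec
```

Because the store keeps only the last actor, an audit of who verified an image before the current label was applied is not possible under this design; that is the trade-off the "don't track history" rule accepts.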
Documentation
Availability & Testing
What does success look like, and how can we measure that?
- Success looks like users having a programmatic way of verifying images, viewing verifications and removing them.
Metrics
- Track usage of all of the new API endpoints
- Measure the number of issues and upvotes requesting the ability to update verified labels via the UI
Links / references
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.