Add a group-level endpoint to the Go module proxy
Go uses a source-based dependency management system, whereas most other dependency management systems are artifact-based. This is to say, Go dependencies are ultimately fetched directly from their source VCS repository, but dependencies in other systems are artifacts that have been uploaded to a package repository. Another unique feature of the Go ecosystem is the name of a package (excluding stdlib) must be a valid URL, sans the scheme (e.g.
golang.org/x/text). Thus, Go modules are defined by the source repository and have unique names.
Problem to solve
A group-level Go proxy endpoint should be added to
ee/lib/api/go_proxy.rb, to allow all Go modules in a group to be fetched from a single endpoint. Currently, the Go module proxy (MVC) only has a project-level endpoint. Given how Go is configured, this requires an entry in
GOPROXY (an environment variable) for each project.
Additionally this would allow configuration of the Go module proxy on a per-group basis.
- Rachel (Release Manager)
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
ee/lib/api/go_proxy.rb currently exposes an API at
/projects/:id/packages/go/*module_name/@v/.... Another should be added at
Given that Go module names are always a URL, and given that the current implementation* only exposes modules that match the project they are contained in, namespace collisions are not a concern.
- #213761 would allow a project to host modules that use an external URL. It would also require validation that the URL directs Go to that project. This should prevent any collisions between external 'vanity URLs'.
Permissions and Security
The logic for resolving a Go module to a GitLab project is straightforward. From there, the existing validation that checks if the authenticated user is authorized to view the modules of the project should suffice.
Availability & Testing
What does success look like, and how can we measure that?
There is a group-level endpoint that conforms to the Go module proxy specification (see
go help goproxy) that exposes the Go modules of projects within the group.
What is the type of buyer?
- Individual Contributor
Is this a cross-stage feature?