Publish Releases without giving access to source code
Problem to solve
It's not uncommon for projects to be closed source (no public access to the source code) but publish some kind of compiled asset to the public (e.g. an
.exe or a
At the moment, GitLab does not support this use case. Current options are:
Private projects, which requires that users who need to access the release assets be explicitly granted Guest permissions (which has its own issues: #213016)
Public projects, which gives everyone full access to the source code
Public projects with the Repository visibility set to "Only Project Members":
... which also makes the Releases tab/page visible only to project members.
Mostly Rachel (Release Manager).
One option might be to add a new permission option under Settings > General > Visibility, project features, permissions to control the visibility of Releases:
One sticky detail that should probably be solved before this feature is delivered is how to reference and display Releases without exposing any tag data to users who shouldn't have access to repository information.
This issue is described in detail here: #213016
Permissions and Security
As mentioned above, it's important for projects that do not make the source code available to the public that we don't publish any tag or commit info through the Releases page.
Yes, this feature will require updates to our documentation.
What is the type of buyer?
Up for discussion. Most of our Release functionality is Core at the moment, but perhaps this functionality is specialized enough to warrant being restricted to a higher tier.
Links / references
Some related discussions: