Group-level deploy tokens fail on maven group endpoint
Summary
Using a group-level deploy token to interact with the group-level Maven registry results in a 404. Using the same token on the project-level registry does not result in a 404 and works as expected.
Steps to reproduce
- Ensure you have a group with a project that contains maven packages
- Create a group-level deploy token with the read_registry scope
- Attempt to interact with the Maven registry using the deploy token as the authentication method. An example curl request can be seen below:
curl -H "Deploy-Token: <token>" https://gitlab.com/api/v4/groups/<group_id>/-/packages/maven/org/springframework/gs-maven/0.4-SNAPSHOT/gs-maven-0.4-20200811.144157-1.pom
The above request is specific to the group and package I used for testing, so be sure to update that to fit your specific group/package. This could also be tested using the available package as a dependency in an alternate maven project.
What is the current bug behavior?
Using the group-level deploy token results in a 404 when attempting to interact with the group-level package registry. Switching the same request to use a Personal Access Token instead works as intended.
What is the expected correct behavior?
A group-level deploy token with properly scoped permissions should successfully interact with the group-level package registry.
Output of checks
This bug happens on GitLab.com.
Workaround
Users can work around the issue by using a Personal Access Token or by using project-level registry endpoints.
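The project-level variant of the workaround, as an added example that is not part of the original report: it keeps the read_registry deploy token rather than switching to a Personal Access Token tied to a user account. The server id gitlab-maven, the GITLAB_DEPLOY_TOKEN environment variable and the PROJECT_ID placeholder are assumptions.

```xml
<!-- ~/.m2/settings.xml: send the deploy token in the Deploy-Token header -->
<settings>
  <servers>
    <server>
      <!-- assumed id; it must match the repository id in pom.xml below -->
      <id>gitlab-maven</id>
      <configuration>
        <httpHeaders>
          <property>
            <name>Deploy-Token</name>
            <!-- assumed environment variable, so the token is not stored in the file -->
            <value>${env.GITLAB_DEPLOY_TOKEN}</value>
          </property>
        </httpHeaders>
      </configuration>
    </server>
  </servers>
</settings>

<!-- pom.xml of the consuming project: project-level endpoint, not the group-level one -->
<repositories>
  <repository>
    <id>gitlab-maven</id>
    <!-- replace PROJECT_ID with the id of the project that holds the packages -->
    <url>https://gitlab.com/api/v4/projects/PROJECT_ID/packages/maven</url>
  </repository>
</repositories>
```

A project-level endpoint only serves that project's packages, so a build that pulls from several projects in the group needs one repository entry per project.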