Use Deploy tokens to grant access to the Composer registry (#240897) · Issues · GitLab.org / GitLab

Use Deploy tokens to grant access to the Composer registry

Summary

Group deploy tokens with read_package_registry scope do not grant access to the Composer Package registry.
GitLab responds with a 404 instead.

Steps to reproduce

Create a group
Add a project within the group and deploy a composer package to its registry
Create a deploy token to the group with read_package_registry scope
Use the deploy token to access the registry at /api/v4/group/<group_id>/-/packages/composer/packages.json

What is the current bug behavior?

You cannot access the packages.json. It fails with a 404 error – maybe related to #232636 (closed).
The token needs api_read access which cannot be granted.

What is the expected correct behavior?

We expect to see the packages.json of the group.

Possible fixes

Either deploy tokens need the api_read scope or the Composer Package Registry should be accessible if the read_package_registry scope was granted.

Edited Aug 31, 2020 by Tim Rizzi