Add job and deploy token authentication to npm dist-tag routes.

Problem to solve

As discussed in #220985 (comment 420787332)

It looks like the npm dist tag routes simply don't support job tokens or deploy tokens (only the install and publish routes do).

This prevents you from being able to add tags using GitLab CI. Which is a major blocker for many in the Community.

Intended users

• Sasha (Software Developer)

User experience goal

Users of GitLab's NPM registry should be able to use npm (the command-line tool) exactly the same way as they do when interacting with packages on https://www.npmjs.com/.

Proposal

Add job token and deploy token auth to npm dist-tag routes.

Workaround available

A workaround has been identified here #258835 (comment 511212800)

A workaround, that worked for us was to use npm publish --tag directly without the explicit call to npm dist-tag.

Documentation

• Add CI examples to https://docs.gitlab.com/ee/user/packages/npm_registry/#npm-distribution-tags
• Remove note added in !43791 (merged)

What does success look like, and how can we measure that?

Users of the GitLab NPM registry can tag their dependencies using GItLab CI.

Metrics

• Measure npm dist-tag routes via snowplow, so that we can understand how often this route is used on GitLab.com.

Links / references

• #220985 (comment 420868893)
• https://docs.gitlab.com/ee/user/packages/npm_registry/#npm-distribution-tags