Deploy token support for the Dependency Proxy

Context

You can use the Dependency Proxy to proxy and cache container images from Docker Hub to reduce your external dependencies, avoid Docker Hub rate limits, and speed up your builds.

When using the Dependency Proxy, you must authenticate with either your GitLab username/password, a personal access token, or using the pre-defined environment variables CI_DEPENDENCY_PROXY_USER and CI_DEPENDENCY_PROXY_PASSWORD.

Problem to solve

The problem is that you cannot authenticate using a Deploy token, which is a common workflow for many organizations as they can avoid using personal credentials in their builds.

Proposal

Add support for Group Deploy Tokens to the dependency proxy.

Further details

When it comes to deploy tokens, there are group and project-level tokens. Since the dependency proxy is at the group (or sub-group), you will need to use a group and not project deploy token.

Documentation

Update the dependencyu proxy authentication docs

Availability & Testing

• Confirm that group deploy tokens work at the group and sub-group level

What does success look like, and how can we measure that?

Measure the number of container image pulls using a deploy token vs. other credentials.