
Protected Maven packages

Description

This issue proposes adding protection rules for Maven packages in the GitLab Package Registry to prevent unauthorized users from pushing new versions of critical packages.

Problem to solve

In Maven-based projects, certain packages serve as foundational components across multiple projects or teams. Currently, there is no way to restrict who can push new versions of these packages, which creates a risk of accidental overwrites or unauthorized modifications. Such changes can lead to build failures, compatibility issues, and disruptions in development workflows.

Intended users

  • Java developers
  • DevOps engineers
  • Release managers
  • Package maintainers

User experience goal

Users with appropriate permissions should be able to define protection rules that restrict which users or roles can push new versions of specific Maven packages. This ensures that only authorized team members can modify critical dependencies.

Proposal

Add functionality to create protection rules for Maven packages:

  1. Allow users to specify patterns for protected Maven packages (e.g., com.example.* or com.example.core:*, matching on the groupId:artifactId coordinates)
  2. Define which users or roles can push new versions of packages matching these patterns
  3. Display clear error messages when unauthorized users attempt to push protected packages
  4. Show visual indicators for protected packages in the UI

Technical implementation considerations

  • Leverage existing package protection rule architecture used for PyPI packages
  • Implement Maven-specific package name pattern matching
  • Add appropriate permission checks in the Maven package upload API endpoints
  • Consider CI/CD integration to show clear error messages when protection rules block a package upload
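To make the proposal above concrete (pattern matching on Maven coordinates, a role-based push check, and a clear rejection message), the following is an added illustration written for this issue; it is not GitLab's own code and does not reflect how the existing PyPI protection rules are implemented. It assumes, hypothetically, that a package is identified by its groupId:artifactId coordinates, that a rule pattern is a glob in which * matches any run of characters, that each rule carries the minimum role needed to push, and that when several rules match the strictest one applies. The coordinates_from_upload_path helper assumes the standard Maven repository layout (groupId directories, then artifactId, then version).

```ruby
# Added example (not GitLab code): evaluating hypothetical Maven package protection rules.

# Numeric role levels as used throughout GitLab; only the ordering matters here.
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

class MavenProtectionRule
  attr_reader :pattern, :min_push_level

  # pattern:        glob over "groupId:artifactId", e.g. "com.example.core:*"
  # min_push_role:  symbol from ACCESS_LEVELS; the lowest role allowed to push matches
  def initialize(pattern, min_push_role)
    @pattern = pattern
    @min_push_level = ACCESS_LEVELS.fetch(min_push_role)
    # Escape regex metacharacters so "." in the groupId is literal and only "*" is a
    # wildcard, then anchor both ends so "com.example.*" does not match
    # "evil.com.example.core:lib" via a substring match.
    @regex = Regexp.new('\A' + Regexp.escape(pattern).gsub('\*', '.*') + '\z')
  end

  def matches?(coordinates)
    @regex.match?(coordinates)
  end
end

# Converts a Maven repository-layout upload path (assumed shape:
# "<groupId path>/<artifactId>/<version>") into "groupId:artifactId" coordinates.
def coordinates_from_upload_path(path)
  segments = path.split('/').reject(&:empty?)
  raise ArgumentError, "upload path too short: #{path.inspect}" if segments.length < 3

  segments.pop                 # version directory, not part of the identity
  artifact_id = segments.pop   # artifactId directory
  "#{segments.join('.')}:#{artifact_id}"
end

class MavenPushPolicy
  def initialize(rules)
    @rules = rules
  end

  # Returns [allowed?, message]. Unprotected packages are always allowed; for protected
  # ones the user's level must reach the strictest matching rule's minimum.
  def check_push(coordinates, user_level)
    matching = @rules.select { |rule| rule.matches?(coordinates) }
    return [true, nil] if matching.empty?

    strictest = matching.max_by(&:min_push_level)
    return [true, nil] if user_level >= strictest.min_push_level

    required = ACCESS_LEVELS.key(strictest.min_push_level)
    [false, "Package '#{coordinates}' is protected by rule '#{strictest.pattern}': " \
            "pushing new versions requires the #{required} role or higher."]
  end
end

# Constructed sample rules: everything under com.example needs Maintainer,
# the core modules additionally need Owner.
SAMPLE_POLICY = MavenPushPolicy.new([
  MavenProtectionRule.new('com.example.*', :maintainer),
  MavenProtectionRule.new('com.example.core:*', :owner)
])

if __FILE__ == $PROGRAM_NAME
  coords = coordinates_from_upload_path('com/example/core/auth-lib/1.2.0')
  allowed, message = SAMPLE_POLICY.check_push(coords, ACCESS_LEVELS[:maintainer])
  puts(allowed ? "push allowed for #{coords}" : message)
end
```

Anchoring the compiled pattern is the detail most worth carrying into a real implementation: an unanchored or substring match would let a package whose coordinates merely contain a protected prefix slip past the rule, or conversely protect packages the rule author never intended.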

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Edited by 🤖 GitLab Bot 🤖