Protected Composer dependencies

Problem to solve

You need a way to protect your Composer dependencies that are tied to a given release. You already have protections in place for branches, tags, and environments. You need the same thing for Composer.

Proposal

As part of the epic &5574, add support for protecting Composer packages. By default, a protected package will do these things:

  • It prevents everybody except users with Maintainer permission from creating the package, if it does not already exist.
  • It prevents pushes from everybody except users with Allowed permission.
  • It prevents anyone from force pushing to the package.
  • It prevents anyone from deleting the package.

Permissions

  • GitLab administrators are allowed to push to the protected branches.
  • The default branch protection level is set in the Admin Area.