Allow anonymous read-only access to a public project's generic packages

Release notes

Problem to solve

I am using the generic package registry on a self-hosted GitLab instance to publish release packages of a public project. The links to these packages are published on the release page. As a template we used this example.

Currently when downloading the packages over the release page via the API V4 URL the browser asks for a password. Using the packages registry's page works anonymously.

Intended users

Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/

• Sasha (Software Developer)
• Rachel (Release Manager)
• Simone (Software Engineer in Test)

User experience goal

Community members should be able to download generic packages over the release page without having to authenticate.

Proposal

• If a GitLab project is publicly visible ** Authentication should (continue to) be required to upload generic packages ** Anonymous users should be able to download generic packages using the API-V4 endpoint

Further details

Permissions and Security

Documentation

• After implementing update prerequisites on https://docs.gitlab.com/ee/user/packages/generic_packages/#download-package-file, as no authentification is needed

Availability & Testing

Available Tier

Since the basic features are available in GitLab Core this feature should also be available in Core.

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references

#294482 (closed)