Skip to content
GitLab
Next
Closed
Issue created by Tim Rizzi@trizziDeveloper6 of 6 checklist items completed6/6 checklist items

Breaking change: Update API permissions for Package settings to Maintainer/Owner

Context

The GitLab Package stage offers a Package Registry, Container Registry, and Dependency Proxy to help you manage all of your dependencies using GitLab. Each of these product categories has a variety of settings that can be adjusted using the API. Currently these settings require Developer+ permissions.

Problem to solve

Some of these settings like cleanup policies will permanently delete dependencies, which is quite a destructive action. After doing competitive research, most other companies limit these settings to Maintainer/Owner users.

Proposal

Update the permissions level of the GitLab API to require Maintainer/Owner level permissions to CRUD any Package stage-related settings.

Settings

  1. Mutation.updateNamespacePackageSettings
  2. PackageSettings
  3. DependencyProxySetting
  4. DependencyProxyImageTtlGroupPolicy
  5. Mutation.updateDependencyProxySettings
  6. ContainerExpirationPolicy

Validation notes

When working on the Package Settings, it is crucial to validate all the related security issues get fixed. See https://gitlab.com/gitlab-org/gitlab/-/issues/322055#note_862775425

Edited by Steve Abrams