Give the job token access to the group level Packages API

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

• Work on this issue
• Close this issue

🔥 Problem

In #292608 (closed), we opened the package registry packages API to the job token authentication so that the job token can be used on that API. At that time, the change was scoped to the project level endpoints only.

The API has also some endpoints for the group level. We could allow the job token authentication on those too.

The issue we encountered is that group level endpoints have a guard to not use job token authentication. This is before my time but I think that it is to not allow job tokens to access resources outside of the project running the job. This can be even enforced by users.

🚒 Solution

• Be clear on which packages are accessible when a job token access a group level API endpoint.
• Add the job authentication token for group level packages API endpoints.