Protected packages: Push protection for deploy tokens [Follow-up]
Problem to solve
Pushing packages to the GitLab package registry is usually done as a specific user, via a personal access token or a CI job token. It can also be done with a deploy token, which is not tied to any user account.
While working on the epic Identify packages as protected to prevent accid... (&5574), we identified an unclear aspect regarding deploy tokens; see the discussion there.
The current concept of protected packages includes push protection based on the user access level (developer, maintainer, owner, etc.). That access level is read from the user who is attempting to push the protected package.
Deploy tokens, however, are independent of any user account, so there is no user access level to evaluate. This raises the question of how push protection should work for deploy tokens: should a deploy token be treated as a developer, as a maintainer, or as something else?
Proposal
The new feature "Protected packages" is intended to be implemented as closely as possible to the existing feature "Protected branches". Therefore, we want to replicate the behavior that deploy tokens have in the context of protected branches for protected packages as well.
DRAFT: In the context of protected packages, deploy tokens should be treated as the developer access level. Therefore, when a certain package is (push) protected from the developer access level, then a deploy token that when
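To make the draft rule concrete, here is a small model of the push check written for this issue; it is an added example, not GitLab's own code. It assumes GitLab's numeric access levels (Guest 10, Reporter 20, Developer 30, Maintainer 40, Owner 50), a hypothetical protection rule with a wildcard package name pattern and a `push_protected_up_to_access_level` field (actors at or below that level may not push), and that a deploy token additionally needs the `write_package_registry` scope. The `Rule`, `User` and `DeployToken` structs and the `push_allowed?` function are names invented for the example.

```ruby
# Added example for this issue, not GitLab code: a minimal model of the
# protected-packages push check in which a deploy token is evaluated
# as if it had the Developer access level.

# Real GitLab access level values; everything else below is an assumption.
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# Hypothetical protection rule: a wildcard pattern on the package name and the
# highest access level that is still blocked from pushing.
Rule = Struct.new(:package_name_pattern, :push_protected_up_to_access_level)

# Two kinds of actor that may push: a project member, or a deploy token that
# has no user and therefore no access level of its own.
User = Struct.new(:username, :access_level)
DeployToken = Struct.new(:name, :scopes)

# The proposal of this issue: deploy tokens count as developers.
DEPLOY_TOKEN_EFFECTIVE_ACCESS_LEVEL = ACCESS_LEVELS[:developer]

def effective_access_level(actor)
  case actor
  when User then actor.access_level
  when DeployToken then DEPLOY_TOKEN_EFFECTIVE_ACCESS_LEVEL
  else raise ArgumentError, "unknown actor #{actor.class}"
  end
end

# Translate a pattern such as "@mycorp/*" into an anchored regexp; only "*" is special.
def pattern_to_regexp(pattern)
  Regexp.new('\A' + Regexp.escape(pattern).gsub('\*', '.*') + '\z')
end

def matching_rules(rules, package_name)
  rules.select { |r| pattern_to_regexp(r.package_name_pattern).match?(package_name) }
end

# True when the actor may push this package. A deploy token must carry the
# write_package_registry scope at all; beyond that it is evaluated exactly
# like a developer against every matching rule (most restrictive rule wins).
def push_allowed?(rules, package_name, actor)
  return false if actor.is_a?(DeployToken) && !actor.scopes.include?(:write_package_registry)

  level = effective_access_level(actor)
  matching_rules(rules, package_name).all? { |r| level > r.push_protected_up_to_access_level }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: "@mycorp/*" is push-protected from Developer upwards.
  rules = [Rule.new('@mycorp/*', ACCESS_LEVELS[:developer])]
  token = DeployToken.new('ci-push', [:write_package_registry])
  puts "maintainer -> #{push_allowed?(rules, '@mycorp/internal-lib', User.new('m', ACCESS_LEVELS[:maintainer]))}"
  puts "developer  -> #{push_allowed?(rules, '@mycorp/internal-lib', User.new('d', ACCESS_LEVELS[:developer]))}"
  puts "deploy tok -> #{push_allowed?(rules, '@mycorp/internal-lib', token)}"
  puts "unprotected -> #{push_allowed?(rules, 'public-lib', token)}"
end
```

With this mapping a deploy token is blocked from a package protected from the developer level exactly as a developer is, while an unprotected package (or one protected only from reporter level) remains pushable with the token. Note that no deploy token scope or name raises it above the developer level; if a pipeline needs to push protected packages, that push has to come from a user or job token with maintainer or higher access.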
Intended users
Optional: Intended side effects
Checklist
- Investigate how deploy tokens behave for protected packages.
- Discuss with the GitLab team.
- Implementation.
- Add tests.