CI job tokens can't register composer packages

🔥 Problem

The composer package registry has basically two operations:

  1. Registering a branch as a package (similar to "publishing" a package). This is done with a custom curl command.
  2. Pulling a package (can be done at multiple levels). This is done with composer commands.

Add ci job token support to the Composer packag... (!127300 - merged) changed how authentication with CI job tokens works, so that composer commands can be used to configure the CI job token as credentials.

The issue is that the change also impacted (1.). As a side effect, the CI job token authentication for (1.) has changed from custom HTTP headers to basic auth.

This is clearly a breaking change.

🚒 Solution

Revert changes on the endpoint for (1.).

🔮 Possible workaround

Since the authentication changed to basic auth, we can use basic auth to interact with (1.).

From:

'curl --header "Job-Token: $CI_JOB_TOKEN" --data tag=<tag> "${CI_API_V4_URL}/projects/$CI_PROJECT_ID/packages/composer"'

to:

'curl -u "gitlab-ci-token:$CI_JOB_TOKEN" --data tag=<tag> "${CI_API_V4_URL}/projects/$CI_PROJECT_ID/packages/composer"'

This workaround will stop working once the MR reverting the changes on the register endpoint is deployed.

🔧 A different and more stable workaround

Another workaround was found (credits to @frank.fleige.grz): switch to a deploy token. Deploy tokens still work with custom headers and will still work once the revert MR lands on gitlab.com. See the section "To publish the package with a deploy token" at https://docs.gitlab.com/ee/user/packages/composer_repository/#publish-a-composer-package-by-using-the-api.

Edited by David Fernandez
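
An added example, not part of the original issue or GitLab's own code: a CI helper that prefers the deploy-token header and falls back to the job-token basic auth workaround, passing the token to curl through a config stream rather than on the command line. `COMPOSER_DEPLOY_TOKEN` and both function names are hypothetical, and the tag allowlist is an assumption; the other variables are the ones used above.

```shell
# Added example. COMPOSER_DEPLOY_TOKEN is a hypothetical CI/CD variable holding
# a deploy token; CI_API_V4_URL, CI_PROJECT_ID and CI_JOB_TOKEN are the
# variables used in the commands on this page.

# Print a curl config (for `curl --config -`) that registers tag $1.
# The token is written by the shell's printf builtin into the config stream,
# so it never appears in curl's argument list.
composer_register_config() {
  tag=$1
  case $tag in
    # Conservative allowlist (assumption): keeps quotes, backslashes and
    # newlines out of the generated config.
    ''|*[!A-Za-z0-9._/-]*)
      echo "composer_register_config: missing or unsupported tag" >&2
      return 2 ;;
  esac
  if [ -n "${COMPOSER_DEPLOY_TOKEN:-}" ]; then
    # Stable path: deploy tokens keep working with the custom header.
    printf 'header = "Deploy-Token: %s"\n' "$COMPOSER_DEPLOY_TOKEN"
  elif [ -n "${CI_JOB_TOKEN:-}" ]; then
    # Temporary path: basic auth, valid only until the revert MR is deployed.
    printf 'user = "gitlab-ci-token:%s"\n' "$CI_JOB_TOKEN"
  else
    echo "composer_register_config: no token available" >&2
    return 1
  fi
  printf 'data = "tag=%s"\n' "$tag"
  printf 'url = "%s/projects/%s/packages/composer"\n' \
    "$CI_API_V4_URL" "$CI_PROJECT_ID"
  # Make curl exit non-zero on HTTP errors so a rejected token fails the job.
  printf 'fail\n'
}

# Register tag $1; returns the config builder's or curl's exit status.
composer_register() {
  cfg=$(composer_register_config "$1") || return
  printf '%s\n' "$cfg" | curl --silent --show-error --config -
}
```

In a job script, source the file and call `composer_register "$CI_COMMIT_TAG"`.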