
Dependency proxy can be accessed with PATs that don't have the scopes read_registry and write_registry.

GitLab customers with an active subscription can reach out to GitLab Support when encountering unexpected problems with this change.


Deprecation Summary

The Dependency Proxy currently does not enforce access token scope restrictions during authentication. Users can access the Dependency Proxy using personal access tokens (PATs) or group access tokens without the required read_registry and write_registry scopes. This behavior will be changed to enforce proper scope checking.

Documentation

  • Deprecation notice: #426887
  • Migration guidelines:

Product Usage

The current documentation incorrectly states that users need a personal access token with read_registry and write_registry scopes to authenticate with the Dependency Proxy. However, users can currently authenticate and use the Dependency Proxy without these scopes, as demonstrated by successful docker login and docker pull operations.

Breaking Change?

Yes - This deprecation contains a breaking change as it will affect existing workflows that use tokens without the required scopes.

Affected Customers

Who is affected by this deprecation:

  • GitLab.com
  • Self-managed
  • Dedicated

What pricing tiers are impacted:

  • GitLab Free
  • GitLab Premium
  • GitLab Ultimate

Deprecation Milestone

This deprecation will be announced in milestone: 17.9

Planned Removal Milestone

The feature / functionality will be removed in milestone: 18.0

Rollout Plan

DRI Engineers: @10io
DRI Engineering Manager: @crystalpoole

  • Describe rollout plans on GitLab.com
  • Link to a feature flag rollout issue that covers:
    • Expected release date on GitLab.com and GitLab version
    • Rollout timelines
    • Creation of any clean-up issues

Migration Steps

Users need to:

  1. Create new access tokens with the required scopes (read_registry and write_registry)
  2. Update workflow variables and scripts with the new tokens
  3. Test their pipelines and workflows with the new tokens before the breaking change is implemented
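One way to find tokens that still need re-issuing before the scope check is enforced, as an added example rather than GitLab's own code: it compares a token record's scopes against the two required scopes and includes a helper for the GET /api/v4/personal_access_tokens/self endpoint (which returns the calling token's scopes). The sample token records are constructed for offline use.

```python
"""Audit GitLab access tokens for the registry scopes the Dependency Proxy will require."""
import json
import urllib.request

# Scopes the Dependency Proxy will enforce once scope checking is turned on.
REQUIRED_SCOPES = frozenset({"read_registry", "write_registry"})


def missing_registry_scopes(token_info: dict) -> set:
    """Return the registry scopes a token record lacks; an empty set means it is ready."""
    return set(REQUIRED_SCOPES - set(token_info.get("scopes", [])))


def audit_tokens(tokens: list) -> dict:
    """Map each token name to the sorted list of scopes it is missing (tokens needing action only)."""
    report = {}
    for token in tokens:
        missing = missing_registry_scopes(token)
        if missing:
            report[token["name"]] = sorted(missing)
    return report


def fetch_own_token_info(gitlab_url: str, token: str) -> dict:
    """Describe the calling token via GET /api/v4/personal_access_tokens/self (needs network)."""
    request = urllib.request.Request(
        f"{gitlab_url.rstrip('/')}/api/v4/personal_access_tokens/self",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return json.load(response)


# Constructed sample records shaped like the API response; no real tokens or IDs.
SAMPLE_TOKENS = [
    {"name": "dependency-proxy-pull", "scopes": ["read_api"], "active": True},
    {"name": "registry-push", "scopes": ["write_registry"], "active": True},
    {"name": "proxy-ready", "scopes": ["read_registry", "write_registry"], "active": True},
]

if __name__ == "__main__":
    # Offline run over the constructed sample; use fetch_own_token_info() for a live token.
    for name, missing in audit_tokens(SAMPLE_TOKENS).items():
        print(f"{name}: re-issue with {', '.join(missing)} before 18.0")
```

Group access tokens can be audited the same way, since their records carry the same scopes field.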

Development Tasks

Impact Assessment

  • Severity: High
  • Scope: Group
  • Resolution role: Maintainer
  • Manual task required: Yes
  • Implementation window: 3 months

Labels

Edited by Radamanthus Batnag