Enforce separation of scopes between Container Registry and Dependency Proxy
🔥 Problem
In Add a dependency proxy scope for GitLab tokens (#336800 - closed), we introduced read_virtual_registry and write_virtual_registry as an alternative set of scopes that PATs or deploy tokens can have to access the dependency proxy for containers.
In other words:
- deploy tokens: accept those that have (read_registry and write_registry) or (read_virtual_registry and write_virtual_registry).
- PATs: accept those that have (read_registry and write_registry) or (read_virtual_registry and write_virtual_registry).
This issue is to track the work on not accepting read_registry and write_registry anymore. Thus, we completely separate the container registry and the dependency proxy related scopes.
🚒 Solution
For the dependency proxy access, only accept the read_virtual_registry and write_virtual_registry scopes.
This is a breaking change for 19.0. Use a feature flag.
Edited by 🤖 GitLab Bot 🤖
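To see which existing tokens the change would affect, the acceptance rule before and after the separation can be modelled and run over a token inventory. This is an added example, not GitLab's code: the helper names, the enforce_separation parameter (standing in for the feature flag, whose name the issue does not give) and the token inventory are assumptions constructed for illustration.

```ruby
require 'set'

# Scope pairs named in the issue. Both scopes of a pair must be present.
REGISTRY_SCOPES = Set['read_registry', 'write_registry'].freeze
VIRTUAL_REGISTRY_SCOPES = Set['read_virtual_registry', 'write_virtual_registry'].freeze

# Hypothetical helper: enforce_separation stands in for the feature flag.
# Flag off: either pair grants dependency proxy access (current behaviour).
# Flag on: only the virtual registry pair does (behaviour proposed for 19.0).
def dependency_proxy_access?(scopes, enforce_separation:)
  granted = scopes.to_set
  return true if VIRTUAL_REGISTRY_SCOPES.subset?(granted)
  return false if enforce_separation

  REGISTRY_SCOPES.subset?(granted)
end

# Classify a token by what happens when the flag goes from off to on.
def migration_status(scopes)
  before = dependency_proxy_access?(scopes, enforce_separation: false)
  after = dependency_proxy_access?(scopes, enforce_separation: true)
  return :unaffected if before && after
  return :loses_access if before && !after

  :no_access
end

# Constructed token inventory (names and scope sets are sample data).
TOKENS = {
  'ci-deploy-token' => %w[read_registry write_registry],
  'proxy-pat' => %w[read_virtual_registry write_virtual_registry],
  'mixed-pat' => %w[read_registry write_registry read_virtual_registry write_virtual_registry],
  'read-only-pat' => %w[read_registry],
  'half-virtual-pat' => %w[read_virtual_registry write_registry]
}.freeze

# Map each token name to its migration status.
def audit(tokens)
  tokens.transform_values { |scopes| migration_status(scopes) }
end

audit(TOKENS).each { |name, status| puts format('%-18s %s', name, status) }
```

Tokens reported as loses_access are the ones that need the virtual registry scopes added, or need to be reissued, before the flag is enabled.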