
Protected packages: Allow standalone * wildcard for PyPI package protection rules

Proposal

Currently, PyPI package protection rules require a valid package name structure with optional wildcards (e.g., @scope/package-*) and do not allow a standalone * pattern to match all packages. This is inconsistent with protected tags and branches, which support * to match everything.

Related to Siemens Code issue #3497.

Problem Statement

Users managing projects that deploy multiple PyPI packages cannot create a single protection rule to cover all packages using a wildcard * pattern. Instead, they must create multiple rules with specific package name patterns. This differs from tag and branch protection, where * is supported to match everything.

The current validation regex in lib/gitlab/regex/packages.rb:66 requires at least one structural character ([\w\-\.]+), preventing a standalone * from being accepted.

Proposed Solution

Relax the PyPI package name pattern validation regex to allow a standalone * wildcard pattern. This can be achieved by:

  1. Adding special case handling for * pattern before regex validation, OR
  2. Modifying the regex to make the first structural group optional

This change will align PyPI package protection behavior with tag/branch protection rules, allowing users to easily protect all packages in a project with a single rule.

Technical Implementation Details

Files to modify:

  • lib/gitlab/regex/packages/protection/rules.rb:12-14 - PyPI protection regex definition
  • lib/gitlab/regex/packages.rb:60-74 - Base package_name_regex implementation (line 66 requires change)
  • app/models/packages/protection/rule.rb:22-27 - Validation logic (consider special case)

Testing:

  • spec/lib/gitlab/regex/packages/protection/rules_spec.rb:26-42 - Add test case for standalone * pattern
  • spec/models/packages/protection/rule_spec.rb - Add validation test for * pattern

Matching logic (no change needed):

  • SQL ILIKE matching with glob conversion already handles * via Gitlab::SQL::Glob.to_like()
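To make the two options and the unchanged matching step concrete, the following Ruby is an added example and not GitLab's code: STRICT_PATTERN, RELAXED_PATTERN, glob_to_like, ilike?, matching_names and the sample package names are hypothetical stand-ins for Gitlab::Regex.package_name_regex, Gitlab::SQL::Glob.to_like and a PostgreSQL ILIKE comparison, built only so the proposal's logic can be run offline. It shows why a standalone * fails a regex whose first group is [\w\-\.]+, how each proposed option admits it, what a literal reading of option 2 also lets through, and that the glob-to-LIKE conversion already handles * without change.

```ruby
# Added example, not GitLab's code. The regexes and helpers below are hypothetical
# stand-ins for Gitlab::Regex.package_name_regex, Gitlab::SQL::Glob.to_like and a
# PostgreSQL ILIKE comparison, built only to run the proposal's logic offline.

# Model of the current rule: every path segment needs at least one structural
# character ([\w\-\.]+) and may end in a single '*' wildcard. A bare '*' has
# no structural character, so it is rejected.
STRICT_PATTERN = %r{\A@?[\w\-\.]+\*?(?:/[\w\-\.]+\*?)*\z}

# Option 2 from the proposal, applied literally: the first structural group
# becomes optional. Every remaining part is optional too, so this also
# accepts "", "@" and "/foo" unless an extra guard is added.
RELAXED_PATTERN = %r{\A@?(?:[\w\-\.]+)?\*?(?:/[\w\-\.]+\*?)*\z}

def valid_strict?(pattern)
  STRICT_PATTERN.match?(pattern)
end

# Option 1 from the proposal: special-case '*' before the regex runs.
def valid_special_case?(pattern)
  pattern == '*' || STRICT_PATTERN.match?(pattern)
end

# Option 2 without a guard, kept to show what it lets through.
def valid_relaxed_naive?(pattern)
  RELAXED_PATTERN.match?(pattern)
end

# Glob to LIKE: escape the LIKE metacharacters in the literal parts first,
# then turn each '*' into '%'. Escaping '_' matters for PyPI, where names such
# as my_pkg are common and an unescaped '_' is a LIKE single-character wildcard.
def glob_to_like(pattern)
  pattern.gsub(/[\\%_]/) { |c| "\\#{c}" }.gsub('*', '%')
end

# Minimal evaluator for a PostgreSQL-style ILIKE pattern, so the matching
# step can run without a database: '%' is any run, '_' one character,
# backslash escapes the next character, comparison is case-insensitive.
def like_to_regexp(like)
  out = +''
  chars = like.chars
  i = 0
  while i < chars.length
    if chars[i] == '\\' && i + 1 < chars.length
      out << Regexp.escape(chars[i + 1])
      i += 2
      next
    end
    piece = case chars[i]
            when '%' then '.*'
            when '_' then '.'
            else Regexp.escape(chars[i])
            end
    out << piece
    i += 1
  end
  Regexp.new("\\A#{out}\\z", Regexp::IGNORECASE)
end

def ilike?(name, like)
  like_to_regexp(like).match?(name)
end

# Constructed sample package names for the demonstration.
SAMPLE_NAMES = %w[requests my_pkg my-pkg internal-tool-core internal-tool-cli].freeze

# Names in SAMPLE_NAMES that a rule with the given glob pattern would cover.
def matching_names(rule_pattern)
  like = glob_to_like(rule_pattern)
  SAMPLE_NAMES.select { |name| ilike?(name, like) }
end

if __FILE__ == $PROGRAM_NAME
  puts "strict accepts '*':        #{valid_strict?('*')}"
  puts "special case accepts '*':  #{valid_special_case?('*')}"
  puts "naive relaxed accepts '':  #{valid_relaxed_naive?('')}"
  puts "'*' matches:               #{matching_names('*').inspect}"
  puts "'internal-tool-*' matches: #{matching_names('internal-tool-*').inspect}"
  puts "'my_pkg' matches:          #{matching_names('my_pkg').inspect}"
end
```

Two things worth checking when the real change is made. First, if option 2 is chosen, the model above shows that making the first group optional in a regex whose other parts are already optional admits the empty string, a lone "@" and a leading "/" segment, so the validation needs an explicit guard (or option 1, which only admits the one extra value it intends). Second, because a "*" rule converts to "%" and therefore matches every package name in the project, the minimum access level set on that single rule applies to every PyPI push; the rule_spec test for "*" should assert that, not only that validation passes.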

Success Criteria

  • A PyPI package protection rule with pattern * passes validation
  • The * pattern correctly matches all PyPI package names when applied
  • Tests demonstrate standalone * works for PyPI (similar to tag/branch protection)
  • No regression in existing wildcard patterns (e.g., @scope/package-*)

What does success look like, and how can we measure that?

User Impact:

  • Users can create a single protection rule covering all PyPI packages in a project
  • Consistent wildcard behavior across package, tag, and branch protection

Technical Validation:

  • New test passes for standalone * pattern
  • All existing package protection tests continue to pass

Related Resources

Edited by 🤖 GitLab Bot 🤖