Protected containers: Add REST API for container registry protection tag rules

Problem Statement

Container protection tag rules can currently be managed only through the GraphQL API. Tools such as Terraform, whose GitLab provider is built on the REST API and does not speak GraphQL, therefore cannot manage these rules programmatically. This is inconsistent with the two sibling features, which already expose full REST APIs:

  1. Container repository protection rules - /api/v4/projects/:id/registry/protection/repository/rules
  2. Package protection rules - /api/v4/projects/:id/packages/protection/rules

Proposal

Add REST API endpoints for container protection tag rules to provide feature parity with the existing GraphQL API and enable management through tools that don't support GraphQL (e.g., Terraform provider).

🛠️ with ❤️ at Siemens

Proposed Endpoints

  • GET /api/v4/projects/:id/registry/protection/tag/rules - List all tag protection rules
  • POST /api/v4/projects/:id/registry/protection/tag/rules - Create a new tag protection rule
  • PATCH /api/v4/projects/:id/registry/protection/tag/rules/:protection_rule_id - Update a tag protection rule
  • DELETE /api/v4/projects/:id/registry/protection/tag/rules/:protection_rule_id - Delete a tag protection rule

New Files to Create

  • lib/api/project_container_registry_protection_tag_rules.rb - API endpoints (following pattern from lib/api/project_container_registry_protection_rules.rb)
  • lib/api/entities/projects/container_registry/protection/tag_rule.rb - API entity

Parameters

Based on existing GraphQL mutations and model:

  • tag_name_pattern (String, required for create) - Pattern for matching container image tags, supports wildcards; must be unique within the project
  • minimum_access_level_for_push (String, optional) - Minimum access level required to push a matching tag; one of maintainer, owner, admin
  • minimum_access_level_for_delete (String, optional) - Minimum access level required to delete a matching tag; one of maintainer, owner, admin

Existing Infrastructure to Reuse

Services:

  • ContainerRegistry::Protection::CreateTagRuleService
  • ContainerRegistry::Protection::UpdateTagRuleService
  • ContainerRegistry::Protection::DeleteTagRuleService

Model: app/models/container_registry/protection/tag_rule.rb

Authorization: authorize! :admin_container_image, user_project

GraphQL implementations for reference:

  • app/graphql/mutations/container_registry/protection/tag_rule/create.rb
  • app/graphql/mutations/container_registry/protection/tag_rule/update.rb
  • app/graphql/mutations/container_registry/protection/tag_rule/delete.rb

Implementation Plan

  • Create API entity for tag rule
  • Implement GET endpoint (list all rules)
  • Implement POST endpoint (create rule)
  • Implement PATCH endpoint (update rule)
  • Implement DELETE endpoint (delete rule)
  • Add API documentation

What does success look like, and how can we measure that?

User Impact:

  • Users can manage container protection tag rules via REST API
  • Terraform provider can integrate with this feature
  • CLI tools can automate tag protection rule management

Technical Metrics:

  • API endpoints return the correct status codes: 200 (list, update), 201 (create), 204 (delete), 400 (missing or invalid parameters), 401 (unauthenticated), 403 (caller lacks admin_container_image), 404 (unknown project or rule id), 422 (rule rejected by the service, e.g. duplicate pattern)
  • Tests cover all CRUD operations and error cases
  • Documentation is complete and accurate
  • Entity exposes all relevant fields (id, tag_name_pattern, minimum_access_level_for_push, minimum_access_level_for_delete)
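As an added reference example, not GitLab's code and not the proposed implementation itself, the plain Ruby below models the contract described in this issue without Grape or a database: the caller must hold maintainer access or higher (standing in for `authorize! :admin_container_image`), a missing `tag_name_pattern` or an access level outside the maintainer/owner/admin enum is rejected with 400 before any service logic runs, rule-level problems (blank or invalid pattern, duplicate pattern) return 422, an unknown rule id returns 404, and `allowed?` shows what a stored rule actually enforces on a push or delete. The numeric ranks, the in-memory store, and the treatment of `tag_name_pattern` as an anchored regular expression are this example's assumptions.

```ruby
# Added illustration of the proposed REST contract; not GitLab code.
module TagRuleApiExample
  ACCESS_LEVELS = %w[maintainer owner admin].freeze
  # Ranks are this example's own, not GitLab's access level integers.
  RANK = { 'guest' => 10, 'reporter' => 20, 'developer' => 30,
           'maintainer' => 40, 'owner' => 50, 'admin' => 60 }.freeze
  RULE_KEYS = %i[tag_name_pattern minimum_access_level_for_push
                 minimum_access_level_for_delete].freeze

  # Enforcement view of the rules: the strictest matching rule wins, and a tag
  # matched by no rule is unrestricted. Patterns are anchored here (assumption).
  def self.allowed?(rules, tag, action, actor_level)
    key = :"minimum_access_level_for_#{action}"
    required = rules.select { |r| Regexp.new("\\A(?:#{r[:tag_name_pattern]})\\z").match?(tag) }
                    .map { |r| r[key] }.compact.map { |lvl| RANK[lvl] }.max
    required.nil? || RANK.fetch(actor_level, 0) >= required
  end

  # In-memory stand-in for one project's rules; every method returns [status, body].
  class Store
    def initialize
      @rules = {}
      @next_id = 1
    end

    def list(caller)
      (auth = authorize(caller)) and return auth
      [200, @rules.values.map(&:dup)]
    end

    def create(caller, params)
      (auth = authorize(caller)) and return auth
      return [400, error('tag_name_pattern is missing')] unless params.key?(:tag_name_pattern)
      (bad = bad_access_level(params)) and return [400, error(bad)]
      rule = { id: @next_id }.merge(params.slice(*RULE_KEYS))
      problems = validate_rule(rule)
      return [422, error(problems)] unless problems.empty?
      @rules[@next_id] = rule
      @next_id += 1
      [201, rule.dup]
    end

    def update(caller, id, params)
      (auth = authorize(caller)) and return auth
      rule = @rules[id] or return [404, error('404 Not found')]
      (bad = bad_access_level(params)) and return [400, error(bad)]
      merged = rule.merge(params.slice(*RULE_KEYS))
      problems = validate_rule(merged, except_id: id)
      return [422, error(problems)] unless problems.empty?
      @rules[id] = merged
      [200, merged.dup]
    end

    def delete(caller, id)
      (auth = authorize(caller)) and return auth
      return [404, error('404 Not found')] unless @rules.delete(id)
      [204, nil]
    end

    private

    # 401 without a token, 403 below maintainer: the order matters, because an
    # unauthenticated caller must not learn whether the project exists.
    def authorize(caller)
      return [401, error('401 Unauthorized')] if caller.nil?
      return [403, error('403 Forbidden')] if RANK.fetch(caller[:access_level], 0) < RANK['maintainer']
      nil
    end

    # Enum check on the two access-level params; a value such as "developer"
    # is a 400, as Grape's `values:` validation would report it.
    def bad_access_level(params)
      %i[minimum_access_level_for_push minimum_access_level_for_delete].each do |key|
        next unless params.key?(key)
        return "#{key} does not have a valid value" unless ACCESS_LEVELS.include?(params[key])
      end
      nil
    end

    # Model-level validation; failures surface as 422 from the service layer.
    def validate_rule(attrs, except_id: nil)
      problems = []
      pattern = attrs[:tag_name_pattern].to_s
      problems << 'tag_name_pattern cannot be blank' if pattern.strip.empty?
      begin
        Regexp.new(pattern)
      rescue RegexpError => e
        problems << "tag_name_pattern is not a valid regular expression: #{e.message}"
      end
      taken = @rules.any? { |rid, r| rid != except_id && r[:tag_name_pattern] == pattern }
      problems << 'tag_name_pattern has already been taken' if taken
      problems
    end

    def error(message)
      { message: message }
    end
  end
end
```

The 400/422 split mirrors how the existing repository and package protection endpoints behave: parameter-shape problems are caught by the API layer, while anything the model or service rejects comes back as 422, so a Terraform provider can distinguish a malformed plan from a rule that conflicts with existing state.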

Related Resources

Related issues:

Reference implementations:

Documentation:
