GitLab.org / GitLab / Issues / #9104
Closed

Created Jan 08, 2019 by Joshua Lambert (@joshlambert), Maintainer

Use CI/CD to update the NPM registry

Problem to solve

The GitLab NPM Registry allows users to publish and pull NPM packages right alongside their source code and CI pipelines.

Since NPM requires authentication with OAuth, we do not currently allow users to authenticate with the predefined environment variable CI_JOB_TOKEN. This is not a scalable solution for our enterprise customers as it prevents users from using two-factor authentication for their GitLab accounts.

Intended users

  • Software Developer
  • DevOps Engineer

Further details

Background Details

With milestone 12.2, we extend the Personal Access Token to be OAuth2 compatible and allow for authentication with the PAT. This issue will add support for CI_JOB_TOKEN.

User flow

  1. A JavaScript (Node.js) developer at a Premium customer wants to start using GitLab CI to publish NPM packages.
  2. Since the feature is enabled at the instance level, the developer can easily enable the feature at the project level by navigating to Settings->General->Permissions and enabling 'Packages'.
  3. They click on 'Packages' and see the empty state page that directs them to the NPM documentation.
  4. They see an updated version of this section of the documentation that describes how to authenticate to the NPM registry from GitLab CI using CI_JOB_TOKEN.
  5. The user copies the example .gitlab-ci.yml from the documentation and creates a pipeline to test publishing their NPM packages.
  6. The .gitlab-ci.yml template allows the user to authenticate and publish a package from GitLab CI.
  7. The user celebrates and, if they have been using OAuth, goes and enables 2FA for their GitLab account.
  8. They begin using the NPM Registry and GitLab CI to publish and pull all of their packages.

Proposal

Allow users to authenticate to the GitLab NPM Registry from GitLab CI using CI_JOB_TOKEN.
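The CI step that the user flow above (steps 4 to 6) describes, as an added example that is not part of this issue and not GitLab's own code. It writes a project-scoped .npmrc from the job's predefined CI variables (CI_SERVER_HOST, CI_PROJECT_ID, CI_JOB_TOKEN), binds the token to the project registry path only, keeps the token out of the job log, and fails the job rather than silently falling back to registry.npmjs.org or to a stale token in a home-directory .npmrc. The registry path and the `//<path>:_authToken=` line follow the form GitLab documents for its NPM registry; NPM_SCOPE is an assumed project-level CI variable holding the package scope, and the publish command is only shown in a comment.

```shell
#!/bin/sh
# Added example (not from the issue or from GitLab's own code): build the
# .npmrc a CI job needs to talk to the GitLab NPM Registry with CI_JOB_TOKEN.
#
# Assumptions:
#   - CI_SERVER_HOST, CI_PROJECT_ID and CI_JOB_TOKEN are GitLab's predefined
#     CI variables and are present in the job environment.
#   - NPM_SCOPE is an assumed project-level CI variable holding the package
#     scope, e.g. "@myorg" (the GitLab registry is scope-based).
#   - The registry path and the "//<path>:_authToken=" line follow the form
#     GitLab documents for its NPM registry.

# Print the .npmrc contents to stdout. Every input is mandatory: a job that
# silently publishes to registry.npmjs.org, or reuses a developer's stale
# token from ~/.npmrc, is exactly the failure mode this guards against.
gitlab_npmrc() {
    npmrc_scope="$1"; npmrc_host="$2"; npmrc_project="$3"; npmrc_token="$4"
    if [ -z "$npmrc_scope" ] || [ -z "$npmrc_host" ] || \
       [ -z "$npmrc_project" ] || [ -z "$npmrc_token" ]; then
        echo "gitlab_npmrc: scope, host, project id and token are all required" >&2
        return 1
    fi
    case "$npmrc_scope" in
        @*) ;;
        *)  echo "gitlab_npmrc: scope must start with '@'" >&2; return 1 ;;
    esac
    npmrc_path="${npmrc_host}/api/v4/projects/${npmrc_project}/packages/npm/"
    # 1) route the scope to the project registry
    printf '%s:registry=https://%s\n' "$npmrc_scope" "$npmrc_path"
    # 2) bind the token to that registry path only, so npm never sends it to
    #    any other registry it contacts for unscoped dependencies
    printf '//%s:_authToken=%s\n' "$npmrc_path" "$npmrc_token"
}

# Write the file owner-readable only and keep the token out of the job log.
# A partially written file is removed so a later step cannot use it.
write_npmrc() {
    npmrc_target="${1:-.npmrc}"
    ( umask 077
      gitlab_npmrc "$NPM_SCOPE" "$CI_SERVER_HOST" "$CI_PROJECT_ID" "$CI_JOB_TOKEN" \
          > "$npmrc_target" ) || { rm -f "$npmrc_target"; return 1; }
    echo "wrote $npmrc_target for scope $NPM_SCOPE (token redacted)"
}

# In .gitlab-ci.yml the publishing job would run, for example:
#   script:
#     - sh ci-npmrc.sh write
#     - npm publish
# The publish step itself is not executed by this script.
if [ "${1:-}" = "write" ]; then
    write_npmrc .npmrc
fi
```

Because the token line is keyed on the full registry path rather than on the host, the job token is only presented to the project's own package endpoint, which is the least-privilege shape the CI permissions model below relies on.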

Permissions and Security

From the CI build permissions model, it is important to note that we have a few types of users:

  • Administrators: CI jobs created by Administrators will not have access to all GitLab projects, but only to projects and container images of projects that the administrator is a member of. That means that if a project is either public or internal, users have access anyway, but if a project is private, the Administrator will have to be a member of it in order to have access to it via another project's job.
  • External users: CI jobs created by external users will have access only to projects to which the user has at least reporter access. This rules out accessing all internal projects by default.

Documentation

  • NPM Registry

What does success look like, and how can we measure that?

Success looks like we allow users to use the CI token for authentication with the NPM Registry, so that they can seamlessly use GitLab CI to build and publish npm packages.

What is the type of buyer?

This feature will be focused on Directors and Executives, as it is a Premium/Silver and Ultimate/Gold feature. https://about.gitlab.com/handbook/ceo/pricing/#four-tiers

Links / references

  • Discussion about unifying tokens and why it's hard
  • Discussion about personal access tokens
  • CI Permissions Model
Edited Nov 11, 2019 by Tim Rizzi
Milestone: 12.5