Draft: Packages: add Pub registry support

What does this MR do and why?

Packages: add Pub registry support

Adds project-scoped Pub (Dart/Flutter) registry endpoints following the hosted repository spec v2, behind the package_registry_pub_support feature flag.

Stores extracted pubspec.yaml metadata (JSONB) and introduces a pub_max_file_size plan limit.

References

• Feature issue: #287943
• Spec: https://github.com/dart-lang/pub/blob/master/doc/repository-spec-v2.md
• Docs added/updated:
  • API: doc/api/packages/pub.md
  • User docs: doc/user/packages/pub_registry/_index.md

Screenshots or screen recordings

N/A (backend/API-only change)

Before	After

Database review

This MR introduces Pub-specific package querying via model scopes (used by the Pub API) and stores Pub metadata.

Primary query paths to review

• Listing package versions (Pub API): Packages::Pub::Package.find_in_project(...).with_pub_preloads.order_by_version_desc
• Publishing (create service): Packages::Pub::CreatePackageService

Full SQL and EXPLAIN

Captured locally via bundle exec rails runner using project_id = 1 and package_name = 'example'.

SELECT "packages_packages".*
FROM "packages_packages"
WHERE "packages_packages"."package_type" = 16
  AND "packages_packages"."project_id" = 1
  AND "packages_packages"."name" = 'example'
ORDER BY "packages_packages"."version" DESC

Index Scan Backward using idx_packages_packages_on_project_id_name_version_package_type on public.packages_packages  (cost=0.15..8.17 rows=1 width=148) (actual time=0.032..0.032 rows=0 loops=1)
  Output: id, project_id, created_at, updated_at, name, version, package_type, creator_id, status, last_downloaded_at, status_message
  Index Cond: ((packages_packages.project_id = 1) AND ((packages_packages.name)::text = 'example'::text) AND (packages_packages.package_type = 16))
  Buffers: shared hit=5
Planning:
  Buffers: shared hit=645 read=56
Planning Time: 21.679 ms
Execution Time: 0.056 ms

How to set up and validate locally

1. Ensure the feature flag file exists (default disabled):

   • config/feature_flags/wip/package_registry_pub_support.yml

2. Enable the feature flag:

   Feature.enable(:package_registry_pub_support)

3. (Optional) Set a plan limit for upload size:

   • Update PlanLimits#pub_max_file_size for your test namespace/plan (or use defaults).

4. Run the request spec:

   bundle exec rspec spec/requests/api/pub_project_packages_spec.rb

5. Manual smoke test with dart pub:

   • Configure the hosted URL for a project:

     dart pub token add https://<gitlab-host>/api/v4/projects/<project_id>/packages/pub --env-var GITLAB_TOKEN

   • Add a dependency_overrides entry in a sample Dart project pointing to the hosted URL (per Pub hosted-repo workflow), then:

     dart pub get

   • Publish a package (requires auth with write_package_registry / api):

     dart pub publish

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

• Database review section includes full SQL + EXPLAIN output
• Docs reviewed/ready (TW review recommended)