Avoid the copy operation during Maven package uploads
What does this MR do and why?
Avoids the object-storage copy operation during Maven package uploads by writing files directly to their final storage path, mirroring the pattern already used for Generic Packages (!147454 (merged)) and the Terraform Module Registry. Gated behind a default-off flag for rollout and monitoring, per the epic's plan.
Also sets an explicit Content-Disposition header on Maven package downloads, for
parity with the fix for the equivalent Generic Packages issue. Maven's download path
already avoids that bug class for an unrelated reason (it forces a Workhorse-proxied
response for custom checksum headers rather than a redirect to a presigned
object-storage URL), but setting the header explicitly is defense-in-depth.
References
- #439809
- Epic: gitlab-org#12565
- Prior art: !147454 (merged) (Generic Packages)
- Related historical bug fixed for Generic Packages: #465102 (closed), #492354 (closed)
Screenshots or screen recordings
| Before | After |
|---|---|
How to set up and validate locally
- Make sure Object Storage is enabled in your GDK.
- Open the
tracetool in the MinIO web interface (or runmc admin trace -a gdklocal) and start tracing. - Push a Maven package file, for example via
mvn deploy:deploy-fileor:curl --header "PRIVATE-TOKEN: <PAT>" --upload-file ./dummy.jar \ "http://gdk.test:3000/api/v4/projects/<project_id>/packages/maven/com/example/my-app/1.0/my-app-1.0.jar" - In the trace, you should see
PutObject,CopyObjectandDeleteObject. - In the rails console, enable the flag:
Feature.enable(:skip_copy_operation_in_maven_packages_upload) - Push another Maven package file while watching the trace — now only
PutObjectruns. - Download the package back — it should work normally and include a
Content-Disposition: attachment; filename="..."header.
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.