Archive endpoint returns 302→200 sign-in page for private repos instead of 401/403
## Summary
The repository archive endpoint (`/{user}/{project}/repository/archive.tar.gz?ref={tag}`) for **private** repositories returns HTTP 302 redirecting to `/users/sign_in`, which then returns HTTP 200 with the sign-in HTML page. This breaks automated tooling (notably npm/pacote) that expects either a valid tarball or a proper HTTP error (401/403).
## Steps to reproduce
1. Have a private repository on GitLab.com
2. Make an unauthenticated HTTP request to the archive endpoint:
```bash
curl -sI "https://gitlab.com/{namespace}/{project}/repository/archive.tar.gz?ref={tag}"
```
3. Observe HTTP 302 redirect to `/users/sign_in`
```
HTTP/2 302
location: https://gitlab.com/users/sign_in
```
4. Following the redirect returns HTTP 200 with HTML content
## Expected behavior
The archive endpoint should return **HTTP 401 or 403** for unauthenticated requests to private repositories, not a redirect to the sign-in page. This is consistent with how the API v4 endpoint behaves:
```bash
curl -sI "https://gitlab.com/api/v4/projects/{namespace}%2F{project}/repository/archive.tar.gz?sha={tag}"
# Returns: HTTP 404
```
## Actual behavior
- Archive endpoint: 302 to 200 (sign-in HTML page)
- API v4 endpoint: 404 (correct behavior)
## Impact
npm's package fetcher (pacote) uses `hosted-git-info` to generate tarball URLs for `gitlab:` shorthand dependencies. When the archive endpoint returns 200 with HTML instead of a proper error, npm treats it as a successful tarball download and fails with `TAR_BAD_ARCHIVE: Unrecognized archive format` instead of falling back to git clone.
This breaks `npm install` for any project that references private GitLab repos as git dependencies using the `gitlab:` shorthand syntax. It affects both CI/CD pipelines and local development.
Related npm issues:
- https://github.com/npm/cli/issues/3229 (open since 2021)
- https://github.com/npm/cli/issues/2741
- https://github.com/npm/pacote/issues/476
## Environment
- GitLab.com (SaaS)
- Observed starting around April 1-2, 2026
- Previously (March 31, 2026), the same CI pipelines with the same configuration succeeded
issue