Maven package upload working with a free tier account
Summary
On GitLab.com, I have a free tier account. I am able to push Maven packages using a CI build.
This is not expected considering the documentation: https://about.gitlab.com/pricing/self-managed/feature-comparison/
Steps to reproduce
- Create a free tier account
- Create a public project
- Upload a Maven package following https://docs.gitlab.com/ee/user/packages/maven_repository/
Example Project
https://gitlab.com/10io/maven-dependency/-/packages
CI job: https://gitlab.com/10io/maven-dependency/-/jobs/344556421
What is the current bug behavior?
I was able to push a Maven package using a CI job
What is the expected correct behavior?
mvn deploy executed by the CI job should be rejected.
Relevant logs and/or screenshots
Uploading: https://gitlab.com/api/v4/projects/15187476/packages/maven/com/example/dep/simple-maven-dep/1.0-SNAPSHOT/simple-maven-dep-1.0-20191107.141022-1.jar
2/3 KB
3/3 KB
Uploaded: https://gitlab.com/api/v4/projects/15187476/packages/maven/com/example/dep/simple-maven-dep/1.0-SNAPSHOT/simple-maven-dep-1.0-20191107.141022-1.jar (3 KB at 1.1 KB/sec)
Output of checks
This bug happens on GitLab.com
Possible fixes
Prevent the Maven API from being used with free tier accounts or update the documentation.
Note that if free tier accounts can use the package features, this has several implications:
- code organisation.
- naming enforcements during group/project path updates or transfers.
Other considerations
This could also happen for NPM packages.