Authenticate with CI_JOB_TOKEN to NPM registry
Problem to solve
The GitLab NPM Registry allows users to publish and pull NPM packages right alongside their source code and CI pipelines.
Since NPM requires authentication with OAuth, we do not currently allow users to authenticate with the predefined environment variable
CI_JOB_TOKEN. This is not a scalable solution for our enterprise customers as it prevents users from using two-factor authentication for their GitLab accounts.
- Since the feature is enabled at the instance level, the developer can easily enable the feature at the project level by navigating to Settings->General->Permissions and enabling 'Packages'
- They click on 'Packages' and see the empty state page that directs them to the NPM documentation
- They see an updated version of this section of documentation that documents how to authenticate to the NPM registry from GitLab CI using
- The user copies the example
gitlab-ci.ymlfrom the documentation and creates a pipeline to test publishing their NPM packages.
gitlab-ci.ymltemplate allows the user to authenticate and publish a package from GitLab CI.
- The user celebrates and if they've been using OAuth they go and enable 2FA for their GitLab account.
- They begin using the NPM Registry and GitLab CI to publish and pull all of their packages.
Allow users to authenticate to the GitLab NPM Registry from GitLab CI using
Permissions and Security
From CI build permissions model It is important to note that we have a few types of users:
- Administrators: CI jobs created by Administrators will not have access to all GitLab projects, but only to projects and container images of projects that the administrator is a member of. That means that if a project is either public or internal users have access anyway, but if a project is private, the Administrator will have to be a member of it in order to have access to it via another project’s job.
- External users: CI jobs created by external users will have access only to projects to which user has at least reporter access. This rules out accessing all internal projects by default.
What does success look like, and how can we measure that?
Success looks like we allow users to use the CI token for authentication with the NPM Registry, so that they can seamlessly use GitLab CI to build and publish npm packages.
What is the type of buyer?
This feature will be focused on Director and Executives, as it is a Premium/Silver and Ultimate/Gold feature. https://about.gitlab.com/handbook/ceo/pricing/#four-tiers