Protected packages
- Tier: Free, Premium, Ultimate
- Offering: GitLab.com, Self-managed
By default, any user with at least the Developer role can create, edit, and delete packages. Add a package protection rule to restrict which users can make changes to your packages.
When a package is protected, the default behavior enforces these restrictions on the package:
| Action | Who can do it |
|---|---|
| Protect a package | At least the Maintainer role. |
| Push a new package | At least the role set in Minimum access level for push. |
| Push a new package with a deploy token | Any valid deploy token, only if the pushed package is not matched by a protection rule. Protected packages cannot be pushed with a deploy token. |
Protect a package
Prerequisites:
- You must have at least the Maintainer role.
To protect a package:
- On the left sidebar, select Search or go to and find your project.
- Select Settings > Packages and registries.
- Under Protected packages, select Add protection rule.
- Complete the fields:
- Name pattern is a package name pattern you want to protect. The pattern can include a wildcard (
*). - Package type is the type of package to protect.
- Minimum access level for push is the minimum role required to push a package matching the name pattern.
- Name pattern is a package name pattern you want to protect. The pattern can include a wildcard (
- Select Protect.
The package protection rule is created, and appears in the settings.
Protecting multiple packages
You can use a wildcard to protect multiple packages with the same package protection rule. For example, you can protect all the temporary packages built during a CI/CD pipeline.
The following table contains examples of package protection rules that match multiple packages:
| Package name pattern with wildcard | Matching packages |
|---|---|
@group/package-* |
@group/package-prod, @group/package-prod-sha123456789 |
@group/*package |
@group/package, @group/prod-package, @group/prod-sha123456789-package |
@group/*package* |
@group/package, @group/prod-sha123456789-package-v1 |
It’s possible to apply several protection rules to the same package. If at least one protection rule applies to the package, the package is protected.
Delete a package protection rule and unprotect a package
Prerequisites:
- You must have at least the Maintainer role.
To unprotect a package:
- On the left sidebar, select Search or go to and find your project.
- Select Settings > Packages and registries.
- Under Protected packages, next to the protection rule you want to delete, select Delete ( ).
- On the confirmation dialog, select Delete.
The package protection rule is deleted, and does not appear in the settings.
Docs
Edit this page to fix an error or add an improvement in a merge request.
Create an issue to suggest an improvement to this page.
Product
Create an issue if there's something you don't like about this feature.
Propose functionality by submitting a feature request.
Feature availability and product trials
View pricing to see all GitLab tiers and features, or to upgrade.
Try GitLab for free with access to all features for 30 days.
Get help
If you didn't find what you were looking for, search the docs.
If you want help with something specific and could use community support, post on the GitLab forum.
For problems setting up or using this feature (depending on your GitLab subscription).
Request support