Protected packages API
Tier: Free, Premium, Ultimate
Offering: Self-managed
Status: Experiment
History
-
Introduced in GitLab 17.1 with a flag named
packages_protected_packages. Disabled by default.
The availability of this feature is controlled by a feature flag.
For more information, see the history.
This feature is available for testing, but not ready for production use.
This API manages the protection rules for packages. This feature is an experiment.
List package protection rules
Gets a list of package protection rules from a project.
GET /api/v4/projects/:id/packages/protection/rules
Supported attributes:
| Attribute | Type | Required | Description |
|---|---|---|---|
id
| integer/string | Yes | ID or URL-encoded path of the project owned by the authenticated user. |
If successful, returns 200 and a list of package protection rules.
Can return the following status codes:
-
200 OK: A list of package protection rules. -
401 Unauthorized: The access token is invalid. -
403 Forbidden: The user does not have permission to list package protection rules for this project. -
404 Not Found: The project was not found.
Example request:
curl --header "PRIVATE-TOKEN: <your_access_token>" \
--url "https://gitlab.example.com/api/v4/projects/7/packages/protection/rules"
Example response:
[
{
"id": 1,
"project_id": 7,
"package_name_pattern": "@flightjs/flight-package-0",
"package_type": "npm",
"minimum_access_level_for_push": "maintainer"
},
{
"id": 2,
"project_id": 7,
"package_name_pattern": "@flightjs/flight-package-1",
"package_type": "npm",
"minimum_access_level_for_push": "maintainer"
}
]
Create a package protection rule
Create a package protection rule for a project.
POST /api/v4/projects/:id/packages/protection/rules
Supported attributes:
| Attribute | Type | Required | Description |
|---|---|---|---|
id
| integer/string | Yes | ID or URL-encoded path of the project owned by the authenticated user. |
package_name_pattern
| string | Yes | Package name protected by the protection rule. For example @my-scope/my-package-*. Wildcard character * allowed.
|
package_type
| string | Yes | Package type protected by the protection rule. For example npm.
|
minimum_access_level_for_push
| string | Yes | Minimum GitLab access level able to push a package. For example developer, maintainer, owner.
|
If successful, returns 201 and the created package protection rule.
Can return the following status codes:
-
201 Created: The package protection rule was created successfully. -
400 Bad Request: The package protection rule is invalid. -
401 Unauthorized: The access token is invalid. -
403 Forbidden: The user does not have permission to create a package protection rule. -
404 Not Found: The project was not found. -
422 Unprocessable Entity: The package protection rule could not be created, for example, because thepackage_name_patternis already taken.
Example request:
curl --request POST \
--header "PRIVATE-TOKEN: <your_access_token>" \
--header "Content-Type: application/json" \
--url "https://gitlab.example.com/api/v4/projects/7/packages/protection/rules" \
--data '{
"package_name_pattern": "package-name-pattern-*",
"package_type": "npm",
"minimum_access_level_for_push": "maintainer"
}'
Update a package protection rule
Update a package protection rule for a project.
PATCH /api/v4/projects/:id/packages/protection/rules/:package_protection_rule_id
Supported attributes:
| Attribute | Type | Required | Description |
|---|---|---|---|
id
| integer/string | Yes | ID or URL-encoded path of the project owned by the authenticated user. |
package_protection_rule_id
| integer | Yes | ID of the package protection rule to be updated. |
package_name_pattern
| string | No | Package name protected by the protection rule. For example @my-scope/my-package-*. Wildcard character * allowed.
|
package_type
| string | No | Package type protected by the protection rule. For example npm.
|
minimum_access_level_for_push
| string | No | Minimum GitLab access level able to push a package. For example developer, maintainer, owner.
|
If successful, returns 200 and the updated package protection rule.
Can return the following status codes:
-
200 OK: The package protection rule was patched successfully. -
400 Bad Request: The patch is invalid. -
401 Unauthorized: The access token is invalid. -
403 Forbidden: The user does not have permission to patch a package protection rule. -
404 Not Found: The project was not found. -
422 Unprocessable Entity: The package protection rule could not be patched, for example, because thepackage_name_patternis already taken.
Example request:
curl --request PATCH \
--header "PRIVATE-TOKEN: <your_access_token>" \
--header "Content-Type: application/json" \
--url "https://gitlab.example.com/api/v4/projects/7/packages/protection/rules/32" \
--data '{
"package_name_pattern": "new-package-name-pattern-*"
}'
Delete a package protection rule
Deletes a package protection rule from a project.
DELETE /api/v4/projects/:id/packages/protection/rules/:package_protection_rule_id
Supported attributes:
| Attribute | Type | Required | Description |
|---|---|---|---|
id
| integer/string | Yes | ID or URL-encoded path of the project owned by the authenticated user. |
package_protection_rule_id
| integer | Yes | ID of the package protection rule to be deleted. |
If successful, returns 204 No Content.
Can return the following status codes:
-
204 No Content: The package protection rule was deleted successfully. -
400 Bad Request: Theidor thepackage_protection_rule_idare missing or are invalid. -
401 Unauthorized: The access token is invalid. -
403 Forbidden: The user does not have permission to delete the package protection rule. -
404 Not Found: The project or the package protection rule was not found.
Example request:
curl --request DELETE --header "PRIVATE-TOKEN: <your_access_token>" \
--url "https://gitlab.example.com/api/v4/projects/7/packages/protection/rules/32"