ContextQMD
Back to Gitlabhq

Protected packages

doc/user/packages/package_registry/package_protection_rules.md

18.11.27.4 KB
Original Source

{{< details >}}

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

{{< /details >}}

{{< history >}}

  • Introduced in GitLab 16.5 with a flag named packages_protected_packages. Disabled by default. This feature is an experiment.
  • The protection rule setting Push protected up to access level renamed to Minimum access level for push in GitLab 17.1.
  • Generally available in GitLab 17.6. Feature flag packages_protected_packages removed.
  • Conan protected packages introduced in GitLab 17.6 with a flag named packages_protected_packages_conan. Disabled by default. This feature is an experiment.
  • Maven protected packages introduced in GitLab 17.9 with a flag named packages_protected_packages_maven. Disabled by default. This feature is an experiment.
  • Introduced in GitLab 17.10 with a flag named packages_protected_packages_delete. Disabled by default. This feature is an experiment.
  • Maven protected packages became generally available in GitLab 17.11. Feature flag packages_protected_packages_maven removed.
  • Conan protected packages became generally available in GitLab 17.11. Feature flag packages_protected_packages_conan removed.
  • NuGet protected packages introduced in GitLab 18.0 with a flag named packages_protected_packages_nuget. Disabled by default. This feature is an experiment.
  • Protected Helm charts introduced in GitLab 18.1 with a flag named packages_protected_packages_helm. Disabled by default. This feature is an experiment.
  • Generic protected packages introduced in GitLab 18.1 with a flag named packages_protected_packages_generic. Disabled by default. This feature is an experiment.
  • Generic protected packages became generally available in GitLab 18.2. Feature flag packages_protected_packages_generic removed.
  • NuGet protected packages became generally available in GitLab 18.2. Feature flag packages_protected_packages_nuget removed.
  • Helm protected packages became generally available in GitLab 18.3. Feature flag packages_protected_packages_helm removed.

{{< /history >}}

By default, any user with the Developer, Maintainer, or Owner role can create, edit, and delete packages. Add a package protection rule to restrict which users can make changes to your packages.

GitLab supports package protection for npm, PyPI, Maven, and Conan packages, but epic 5574 proposes to add additional features and package formats.

When a package is protected, the default behavior enforces these restrictions on the package:

ActionMinimum role or token
Protect a packageThe Maintainer or Owner role.
Push a new packageAt least the role set in Minimum access level for push.
Push a new package with a deploy tokenAny valid deploy token, only if the pushed package is not matched by a protection rule. Protected packages cannot be pushed with a deploy token.
Delete a packageAt least the role set in Minimum access level for delete.

Protect a package

{{< history >}}

{{< /history >}}

Prerequisites:

  • You must have the Maintainer or Owner role.

To protect a package:

  1. In the top bar, select Search or go to and find your project.
  2. Select Settings > Packages and registries.
  3. Expand Package registry.
  4. Under Protected packages, select Add protection rule.
  5. Complete the fields:
    • Name pattern is a package name pattern you want to protect. The pattern can include a wildcard (*).
    • Package type is the type of package to protect.
    • Minimum access level for push is the minimum role required to push a package matching the name pattern.
    • Minimum access level for delete is the minimum role required to delete a package matching the name pattern.
  6. Select Protect.

The package protection rule is created, and appears in the settings.

Protecting multiple packages

You can use a wildcard to protect multiple packages with the same package protection rule. For example, you can protect all the temporary packages built during a CI/CD pipeline.

The following table contains examples of package protection rules that match multiple packages:

Package name pattern with wildcardMatching packages
@group/package-*@group/package-prod, @group/package-prod-sha123456789
@group/*package@group/package, @group/prod-package, @group/prod-sha123456789-package
@group/*package*@group/package, @group/prod-sha123456789-package-v1

It's possible to apply several protection rules to the same package. If at least one protection rule applies to the package, the package is protected.

Delete a package protection rule and unprotect a package

{{< history >}}

{{< /history >}}

Prerequisites:

  • You must have the Maintainer or Owner role.

To unprotect a package:

  1. In the top bar, select Search or go to and find your project.
  2. Select Settings > Packages and registries.
  3. Expand Package registry.
  4. Under Protected packages, next to the protection rule you want to delete, select Delete ({{< icon name="remove" >}}).
  5. On the confirmation dialog, select Delete.

The package protection rule is deleted, and does not appear in the settings.