Skip to content
This repository was archived by the owner on Mar 15, 2022. It is now read-only.
This repository was archived by the owner on Mar 15, 2022. It is now read-only.

registry: "staged" publishing #9

Description

@ethomson

Summary

Users want to be able to create a package without special privileges - for example, in a CI/CD workflow - but do not want to allow that unprivileged identity to perform the final publish of the package without further intervention.

Instead, there will be a publication gate requiring some signoff from a human person before the package publication is finalized.

Intended Outcome

A user can set up a CI/CD workflow that creates a package, but the actual mechanism of its publication is still left up to a person.

How will it work?

This is a high level overview to show that there's work that we want to invest in at some point in the future. This does not constitute a final design or specification. Terms like "authorization mechanism", "upload" and "download" are intentionally vague so as to not suggest any type of implementation.

  • A user will be able to create an authorization mechanism that does not have the ability to publish packages, but does have the ability to stage packages.

  • This authorization mechanism can be used to upload a package. At this point, the package is not available or visible publicly on the public registry.

  • A user will need to perform some manual intervention in order to make this package available publicly.

Again, this is a high-level overview. We'll start fleshing this out more in the future.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions