You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Users want to be able to create a package without special privileges - for example, in a CI/CD workflow - but do not want to allow that unprivileged identity to perform the final publish of the package without further intervention.
Instead, there will be a publication gate requiring some signoff from a human person before the package publication is finalized.
Intended Outcome
A user can set up a CI/CD workflow that creates a package, but the actual mechanism of its publication is still left up to a person.
How will it work?
This is a high level overview to show that there's work that we want to invest in at some point in the future. This does not constitute a final design or specification. Terms like "authorization mechanism", "upload" and "download" are intentionally vague so as to not suggest any type of implementation.
A user will be able to create an authorization mechanism that does not have the ability to publish packages, but does have the ability to stage packages.
This authorization mechanism can be used to upload a package. At this point, the package is not available or visible publicly on the public registry.
A user will need to perform some manual intervention in order to make this package available publicly.
Again, this is a high-level overview. We'll start fleshing this out more in the future.
Summary
Users want to be able to create a package without special privileges - for example, in a CI/CD workflow - but do not want to allow that unprivileged identity to perform the final publish of the package without further intervention.
Instead, there will be a publication gate requiring some signoff from a human person before the package publication is finalized.
Intended Outcome
A user can set up a CI/CD workflow that creates a package, but the actual mechanism of its publication is still left up to a person.
How will it work?
This is a high level overview to show that there's work that we want to invest in at some point in the future. This does not constitute a final design or specification. Terms like "authorization mechanism", "upload" and "download" are intentionally vague so as to not suggest any type of implementation.
A user will be able to create an authorization mechanism that does not have the ability to publish packages, but does have the ability to stage packages.
This authorization mechanism can be used to upload a package. At this point, the package is not available or visible publicly on the public registry.
A user will need to perform some manual intervention in order to make this package available publicly.
Again, this is a high-level overview. We'll start fleshing this out more in the future.