Open-Source Wikis

/

GitLab

/

Features

/

Packages and registry

gitlab-org/gitlab

Packages and registry

GitLab ships several package registries plus a container registry, dependency proxy, and Helm chart registry.

Registries

Registry Format Source
Generic arbitrary files lib/api/generic_packages.rb
npm npm tarballs lib/api/npm_*.rb
Maven Maven artifacts lib/api/maven_packages.rb
NuGet NuGet packages lib/api/nuget_*_packages.rb
Composer PHP Composer lib/api/composer_packages.rb
Conan C/C++ lib/api/conan*.rb
PyPI Python lib/api/pypi_packages.rb
Debian apt lib/api/debian_*_packages.rb
RPM yum/dnf lib/api/rpm_project_packages.rb
Helm Helm charts lib/api/helm_packages.rb
Terraform Terraform modules lib/api/terraform/modules/
ML model registry MLflow-compatible lib/api/ml/mlflow/
Cargo Rust crates lib/api/cargo_project_packages.rb
Container OCI images lib/api/container_registry_event.rb + external service
Dependency proxy upstream cache lib/api/dependency_proxy.rb

Source

app/models/packages/
├── package.rb, package_file.rb
├── conan/, debian/, helm/, maven/, npm/, nuget/, pypi/, ...
└── ...
app/services/packages/                # ~19 service namespaces
app/workers/packages/                  # cleanup, mirroring
lib/api/<format>_packages.rb           # one Grape file per format
ee/app/services/packages/              # virtual registries, EE features

Frontend: app/assets/javascripts/packages_and_registries/.

Generic flow

  1. Client publishes a package via the format's protocol.
  2. Workhorse intercepts the upload; Rails issues a presigned URL; Workhorse PUTs to object storage.
  3. Rails finalizes the package metadata and creates Packages::Package, Packages::PackageFile.
  4. Indexes (e.g., npm dist-tags, Maven metadata.xml) are recomputed.
  5. Pulls go through Workhorse; Rails verifies auth and issues signed URLs.

Container registry

The container registry is a separate service (gitlab-org/container-registry) but the monolith handles auth, manifest/blob proxying, and cleanup policies:

  • Auth tokens minted in lib/api/container_registry_event.rb and JWT issuer.
  • Cleanup policies under app/services/container_expiration_policies/.
  • Tag rules under ee/app/services/container_registry/protection/.

Dependency proxy

A pull-through cache for upstream registries. The implementation is split:

  • Workhorse: workhorse/internal/dependencyproxy/ — caches blobs.
  • Rails: app/services/dependency_proxy/, lib/api/dependency_proxy.rb.

Virtual registries (EE)

ee/app/services/virtual_registries/ and friends introduce upstream-aware registries (Maven, npm) that proxy and cache from external upstreams.

API

Each format has its own REST API. GraphQL exposes a unified Packages::PackageType.

Cleanup

  • Packages::CleanupPolicyWorker — sweep stale packages by policy.
  • ContainerRegistry::*PolicyWorker — sweep stale container tags.
  • Expiry rules per format live in the corresponding settings.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Packages and registry – GitLab wiki | Factory