Package registry

With the GitLab package registry, you can use GitLab as a private or public registry for a varietyofsupported package managers.You can publish and share packages, which can be consumed as a dependency in downstream projects.

Package workflows

Learn how to use the GitLab package registry to build your own custom package workflow:

• Use a project as a package registryto publish all of your packages to one project.

• Publish multiple different packages from onemonorepo project.

View packages

You can view packages for your project or group:

1. Go to the project or group.
2. Go toDeploy >Package registry.

You can search, sort, and filter packages on this page. You can share your search results by copyingand pasting the URL from your browser.

You can also find helpful code snippets for configuring your package manager or installing a given package.

When you view packages in a group:

• All packages published to the group and its projects are displayed.
• Only the projects you can access are displayed.
• If a project is private, or you are not a member of the project, the packages from that project are not displayed.

To learn how to create and upload a package, follow the instructions for yourpackage type.

Use GitLab CI/CD

You can useGitLab CI/CD to build or import packages intoa package registry.

To build packages

You can authenticate with GitLab by using theCI_JOB_TOKEN.

To get started, you can use the availableCI/CD templates.

For more information about using the GitLab package registry with CI/CD, see:

• Generic
• Maven
• npm
• NuGet
• PyPI
• Terraform

If you use CI/CD to build a package, extended activity information is displayedwhen you view the package details:

You can view which pipeline published the package, and the commit and user who triggered it. However, the history is limited to five updates of a given package.

To import packages

If you already have packages built in a different registry, you can import theminto your GitLab package registry with thepackage importer.

For a list of supported packages, seeImporting packages from other repositories.

Reduce storage usage

For information on reducing your storage use for the package registry, seeReduce package registry storage use.

Turn off the package registry

The package registry is automatically turned on.

On a GitLab Self-Managed instance, your administrator can removethePackages and registries menu item from the GitLab sidebar.For more information,seeGitLab package registry administration.

You can also remove the package registry for your project specifically:

1. In your project, go toSettings >General.
2. Expand theVisibility, project features, permissions section and disable thePackages feature.
3. SelectSave changes.

TheDeploy >Package registry entry is removed from the sidebar.

Package registry visibility permissions

Project permissionsdetermine which members and users can download, push, or delete packages.

The visibility of the package registry is independent of the repository and can be controlled fromyour project’s settings. For example, if you have a public project and set the repository visibilitytoOnly Project Members, the package registry is then public. Turning off thePackage registry toggle turns off all package registry operations.

Allow anyone to pull from package registry

To allow anyone to pull from the package registry, regardless of project visibility:

1. On the left sidebar, selectSearch or go to and find your private or internal project.
2. SelectSettings >General.
3. ExpandVisibility, project features, permissions.
4. Turn on theAllow anyone to pull from package registry toggle.
5. SelectSave changes.

Anyone on the internet can access the package registry for the project.

Disable allowing anyone to pull

Prerequisites:

• You must be an administrator.

To hide theAllow anyone to pull from package registry toggle globally:

• Update the application settingpackage_registry_allow_anyone_to_pull_option tofalse.

Anonymous downloads are turned off, even for projects that turned on theAllow anyone to pull from Package Registry toggle.

Several known issues exist when you allow anyone to pull from the package registry:

• Endpoints for projects are supported.
• NuGet registry endpoints for groups are supported. However, because of how NuGet clients send the authentication credentials, anonymous downloads are not allowed. Only GitLab users can pull from the package registry, even if this setting is turned on.
• Maven registry endpoints for groups are supported.
• Terraform module registry endpoints for namespaces are supported.
• Other group and instance endpoints are not fully supported. Support for group endpoints is proposed inepic 14234.
• It does not work with theComposer, because Composer only has a group endpoint.
• It works with Conan, but usingconan search does not work.

Audit events

Create audit events when a package is published or deleted. Namespace Owners can turn on theaudit_events_enabled setting through theGraphQL API.

You can view audit events:

• On theGroup audit events page if the package’s project is in a group.
• On theProject audit events page if the package’s project is in a user namespace.

Accepting contributions

The following table lists package formats that are not supported.Consider contributing to GitLab to add support for these formats.