Hi,
we are trying to incorporate the package promotion feature into our workflow and would like to use the API endpoint for that. Our scenario imposes the following requirements:
- Both the source and target feed should be restricted to specific API-Keys only (i.e., we cannot allow anonymous access).
- Furthermore, both feeds are in a feed group which also contains various other feeds. We use this feed group for other permissions, and thus cannot move the two feeds to another group.
- Since the package promotion should be triggered in a CI environment, we cannot use impersonated api-keys.
It seems that it is only possible to specify a single API-key for the package promotion endpoint. Thus, we cannot use a feed-specific API-key for the promotion. We therefore need to create a key for the whole feed group with both read and promotion permissions. Unfortunately, this key now has more permissions than actually needed, because it can also access the other feeds in the group.
Is there anything I'm missing or something that we could do differently? We really would like to adhere to the principle of least privilege for those feeds, i.e. not giving the API-Key far more permissions than it needs. If that's not possible currently, are there any plans to either a) allow a feed to be in multiple groups, b) give the promotion endpoint the possibility to have two different API-keys, or c) define the permissions for an API-key in a more fine-grained way?