Hi, We have been dipping our toe into Nexus 3. We have two Pypi proxy repos so that we can place new packages from Pypi into the “staging” repo, and then when they have been assessed for vulnerabilities & license issues (from the built in tooling). Then the plan would be to promote that package to the “production” repo which is the one that everyone uses.
Now, im trying to find the best way to make this work. As we keep the “production” repo blocked from accessing Pypi. We unblock it when we need to add a new package (after staging) and then re-block it again.
Now the issue here is that during that window, a normal user could inadvertently pull in an un-planned package, bypassing the staging process.
Now, im wondering if there is anyway to handle this better. Originally I though we could add a password to the production repo, then un-block it, pull in the new package, re-block and then remove the user/pass. However it appears this is not an option.
Is there a way to use the API to promote directly from staging to production? Would it still require the outbound access or is it an internal promotion?
How else do you guys do it?
I work in an industry whereby just allowing packages through from Pypi is not really an option.
Any thoughts/advice would be greatly appreciated