I’m trying to set up GitLab’s Package Registry as a private Composer repository. However once the URL of specific package artifact has been obtained with
composer update (and stored in
composer.lock file), it can be used to download the package without any authentication. It can be installed as well - that’s how I first found out - CI didn’t fail even not authentication was provided.
Both project and group are set as internal.
Does anyone know how to fix that? Thanks.