Option to disable manual publishing

app/lib/frontend/handlers/experimental.dart

@@ -14,6 +14,7 @@ const _publicFlags = <PublicFlag>{
 
 final _allFlags = <String>{
   'dark-as-default',
+  'manual-publishing',
   ..._publicFlags.map((x) => x.name),
 };
 
@@ -88,6 +89,8 @@ class ExperimentalFlags {
 
   bool get isDarkModeDefault => isEnabled('dark-as-default');
 
+  bool get isManualPublishingConfigAvailable => isEnabled('manual-publishing');
+
   String encodedAsCookie() => _enabled.join(':');
 
   @override

app/lib/frontend/templates/views/pkg/admin_page.dart

@@ -3,6 +3,7 @@
 // BSD-style license that can be found in the LICENSE file.
 
 import 'package:_pub_shared/data/package_api.dart';
+import 'package:pub_dev/frontend/request_context.dart';
 
 import '../../../../account/models.dart';
 import '../../../../package/models.dart';
@@ -32,17 +33,27 @@ d.Node packageAdminPageNode({
         ],
       ),
       TocNode(
-        'Automated publishing',
-        href: '#automated-publishing',
+        'Publishing',
+        href: '#publishing',
         children: [
-          TocNode('GitHub Actions', href: '#github-actions'),
+          if (requestContext
+              .experimentalFlags
+              .isManualPublishingConfigAvailable)
+            TocNode('Manual publishing', href: '#manual-publishing'),
           TocNode(
-            'Google Cloud Service account',
-            href: '#google-cloud-service-account',
+            'Automated publishing',
+            href: '#automated-publishing',
+            children: [
+              TocNode('GitHub Actions', href: '#github-actions'),
+              TocNode(
+                'Google Cloud Service account',
+                href: '#google-cloud-service-account',
+              ),
+            ],
           ),
+          TocNode('Version retraction', href: '#version-retraction'),
         ],
       ),
-      TocNode('Version retraction', href: '#version-retraction'),
     ]),
     d.a(name: 'ownership'),
     d.h2(text: 'Package ownership'),
@@ -226,6 +237,10 @@ d.Node packageAdminPageNode({
         ),
       ),
     ],
+    d.a(name: 'publishing'),
+    d.h2(text: 'Publishing'),
+    if (requestContext.experimentalFlags.isManualPublishingConfigAvailable)
+      _manualPublishing(package),
     _automatedPublishing(package),
     d.a(name: 'version-retraction'),
     d.h2(text: 'Version retraction'),
@@ -304,7 +319,7 @@ d.Node _automatedPublishing(Package package) {
   final isGitHubEnabled = github?.isEnabled ?? false;
   return d.fragment([
     d.a(name: 'automated-publishing'),
-    d.h2(text: 'Automated publishing'),
+    d.h3(text: 'Automated publishing'),
     d.markdown(
       'You can automate publishing from the supported automated deployment environments. '
       'Instead of creating long-lived secrets, you may use temporary OpenID-Connect tokens '
@@ -453,6 +468,28 @@ d.Node _automatedPublishing(Package package) {
   ]);
 }
 
+d.Node _manualPublishing(Package package) {
+  final manual = package.automatedPublishing?.manualConfig;
+  return d.fragment([
+    d.a(name: 'manual-publishing'),
+    d.h3(text: 'Manual publishing'),
+    d.markdown('''
+Manual publishing, using personal credentials for the `pub` client (`pub login`) .
+
+Disable to prevent accidental publication from the command line.
+
+It is recommended to disable when automated publishing is enabled.'''),
+    d.div(
+      classes: ['-pub-form-checkbox-row'],
+      child: material.checkbox(
+        id: '-pkg-admin-manual-publishing-enabled',
+        label: 'Enable manual publishing',
+        checked: manual?.isEnabled ?? true,
+      ),
+    ),
+  ]);
+}
+
 d.Node _exampleGitHubWorkflow(GitHubPublishingConfig github) {
   final expandedTagPattern = (github.tagPattern ?? '{{version}}').replaceAll(
     '{{version}}',

app/lib/package/backend.dart

@@ -635,6 +635,8 @@ class PackageBackend {
       final p = await tx.lookupValue<Package>(pkg.key);
       final githubConfig = body.github;
       final gcpConfig = body.gcp;
+      final manualConfig = body.manual;
+
       if (githubConfig != null) {
         final isEnabled = githubConfig.isEnabled;
 
@@ -648,7 +650,9 @@ class PackageBackend {
         final repository = githubConfig.repository?.trim() ?? '';
         githubConfig.repository = repository.isEmpty ? null : repository;
         final tagPattern = githubConfig.tagPattern?.trim() ?? '';
-        verifyTagPattern(tagPattern: tagPattern);
+        if (isEnabled) {
+          verifyTagPattern(tagPattern: tagPattern);
+        }
         githubConfig.tagPattern = tagPattern.isEmpty ? null : tagPattern;
         final environment = githubConfig.environment?.trim() ?? '';
         githubConfig.environment = environment.isEmpty ? null : environment;
@@ -726,9 +730,14 @@ class PackageBackend {
       }
 
       // finalize changes
-      p.automatedPublishing ??= AutomatedPublishing();
-      p.automatedPublishing!.githubConfig = githubConfig;
-      p.automatedPublishing!.gcpConfig = gcpConfig;
+      final automatedPublishing = p.automatedPublishing ??=
+          AutomatedPublishing();
+      automatedPublishing.githubConfig =
+          githubConfig ?? automatedPublishing.githubConfig;
+      automatedPublishing.gcpConfig =
+          gcpConfig ?? automatedPublishing.gcpConfig;
+      automatedPublishing.manualConfig =
+          manualConfig ?? automatedPublishing.manualConfig;
 
       p.updated = clock.now().toUtc();
       tx.insert(p);
@@ -742,6 +751,7 @@ class PackageBackend {
       return api.AutomatedPublishingConfig(
         github: p.automatedPublishing!.githubConfig,
         gcp: p.automatedPublishing!.gcpConfig,
+        manual: p.automatedPublishing!.manualConfig,
       );
     });
   }
@@ -1606,6 +1616,11 @@ class PackageBackend {
     }
     if (agent is AuthenticatedUser &&
         await packageBackend.isPackageAdmin(package, agent.user.userId)) {
+      final isEnabled =
+          package.automatedPublishing?.manualConfig?.isEnabled ?? true;
+      if (!isEnabled) {
+        throw AuthorizationException.manualPublishingDisabled(package.name!);
+      }
       return;
     }
     if (agent is AuthenticatedGitHubAction) {

app/lib/package/models.dart

@@ -460,12 +460,14 @@ class AutomatedPublishing {
   GitHubPublishingLock? githubLock;
   GcpPublishingConfig? gcpConfig;
   GcpPublishingLock? gcpLock;
+  ManualPublishingConfig? manualConfig;
 
   AutomatedPublishing({
     this.githubConfig,
     this.githubLock,
     this.gcpConfig,
     this.gcpLock,
+    this.manualConfig,
   });
 
   factory AutomatedPublishing.fromJson(Map<String, dynamic> json) =>

app/lib/shared/exceptions.dart

@@ -16,6 +16,7 @@ library;
 import 'dart:io';
 
 import 'package:api_builder/api_builder.dart' show ApiResponseException;
+import 'package:pub_dev/shared/urls.dart';
 import 'package:pub_dev/shared/utils.dart';
 
 /// Base class for all exceptions that are intercepted by HTTP handler wrappers.
@@ -572,6 +573,17 @@ class AuthorizationException extends ResponseException {
     'The calling service account is not allowed to publish, because: $reason.\nSee https://dart.dev/go/publishing-with-service-account',
   );
 
+  /// Signaling that the manual publishing was disabled and cannot be authorized.
+  factory AuthorizationException.manualPublishingDisabled(String package) {
+    return AuthorizationException._(
+      'Manual publishing has been disabled. '
+      'This usually means this package should be published via automated publishing '
+      '(see https://dart.dev/tools/pub/automated-publishing). '
+      'To re-enable manual publishing, go to the package admin page '
+      '(see ${pkgAdminUrl(package, includeHost: true)}).',
+    );
+  }
+
   @override
   String toString() => '$code: $message'; // used by package:pub_server
 }

app/test/frontend/golden/pkg_admin_page.html

@@ -262,15 +262,18 @@ <h3 class="detail-lead-title">Metadata</h3>
                         <a href="#unlisted">Unlisted</a>
                       </div>
                       <div class="pub-toc-node pub-toc-node-0">
-                        <a href="#automated-publishing">Automated publishing</a>
+                        <a href="#publishing">Publishing</a>
                       </div>
                       <div class="pub-toc-node pub-toc-node-1">
+                        <a href="#automated-publishing">Automated publishing</a>
+                      </div>
+                      <div class="pub-toc-node pub-toc-node-2">
                         <a href="#github-actions">GitHub Actions</a>
                       </div>
-                      <div class="pub-toc-node pub-toc-node-1">
+                      <div class="pub-toc-node pub-toc-node-2">
                         <a href="#google-cloud-service-account">Google Cloud Service account</a>
                       </div>
-                      <div class="pub-toc-node pub-toc-node-0">
+                      <div class="pub-toc-node pub-toc-node-1">
                         <a href="#version-retraction">Version retraction</a>
                       </div>
                     </div>
@@ -404,8 +407,10 @@ <h3>Unlisted</h3>
                       <label for="-admin-is-unlisted-checkbox">Mark "unlisted"</label>
                     </div>
                   </div>
+                  <a name="publishing"></a>
+                  <h2>Publishing</h2>
                   <a name="automated-publishing"></a>
-                  <h2>Automated publishing</h2>
+                  <h3>Automated publishing</h3>
                   <p>
                     You can automate publishing from the supported automated deployment environments. Instead of creating long-lived secrets, you may use temporary OpenID-Connect tokens signed by either GitHub Actions or Google Cloud IAM. See the
                     <a href="https://dart.dev/tools/pub/automated-publishing">pub automated publishing guide</a>

app/test/package/automated_publishing_test.dart

@@ -182,7 +182,7 @@ void main() {
             'oxygen',
             AutomatedPublishingConfig(
               github: GitHubPublishingConfig(
-                isEnabled: false,
+                isEnabled: true,
                 repository: 'abcd/efgh',
                 tagPattern: pattern,
               ),
@@ -309,5 +309,79 @@ void main() {
         );
       },
     );
+
+    testWithProfile(
+      'partial settings do not override the other',
+      fn: () async {
+        final client = await createFakeAuthPubApiClient(
+          email: adminAtPubDevEmail,
+        );
+
+        Future<void> update({
+          GitHubPublishingConfig? github,
+          GcpPublishingConfig? gcp,
+          ManualPublishingConfig? manual,
+          required Map<String, dynamic> expected,
+        }) async {
+          final rs = await client.setAutomatedPublishing(
+            'oxygen',
+            AutomatedPublishingConfig(github: github, gcp: gcp, manual: manual),
+          );
+          expect(rs.toJson(), expected);
+        }
+
+        await update(
+          manual: ManualPublishingConfig(isEnabled: true),
+          expected: {
+            'manual': {'isEnabled': true},
+          },
+        );
+
+        await update(
+          github: GitHubPublishingConfig(isEnabled: false),
+          expected: {
+            'github': {
+              'isEnabled': false,
+              'requireEnvironment': false,
+              'isPushEventEnabled': true,
+              'isWorkflowDispatchEventEnabled': false,
+            },
+            'manual': {'isEnabled': true},
+          },
+        );
+
+        await update(
+          manual: ManualPublishingConfig(isEnabled: false),
+          expected: {
+            'github': {
+              'isEnabled': false,
+              'requireEnvironment': false,
+              'isPushEventEnabled': true,
+              'isWorkflowDispatchEventEnabled': false,
+            },
+            'manual': {'isEnabled': false},
+          },
+        );
+
+        await update(
+          github: GitHubPublishingConfig(
+            isEnabled: true,
+            tagPattern: '{{version}}',
+            repository: 'user/repo',
+          ),
+          expected: {
+            'github': {
+              'isEnabled': true,
+              'repository': 'user/repo',
+              'tagPattern': '{{version}}',
+              'requireEnvironment': false,
+              'isPushEventEnabled': true,
+              'isWorkflowDispatchEventEnabled': false,
+            },
+            'manual': {'isEnabled': false},
+          },
+        );
+      },
+    );
   });
 }

app/test/package/upload_test.dart

@@ -281,6 +281,37 @@ void main() {
       );
     });
 
+    group('Manual publishing overrides', () {
+      testWithProfile(
+        'manual publishing disabled',
+        fn: () async {
+          await withFakeAuthRetryPubApiClient(email: adminAtPubDevEmail, (
+            client,
+          ) async {
+            await client.setAutomatedPublishing(
+              'oxygen',
+              AutomatedPublishingConfig(
+                manual: ManualPublishingConfig(isEnabled: false),
+              ),
+            );
+          });
+
+          final bytes = await packageArchiveBytes(
+            pubspecContent: generatePubspecYaml('oxygen', '2.2.0'),
+          );
+          final rs = createPubApiClient(
+            authToken: adminClientToken,
+          ).uploadPackageBytes(bytes);
+          await expectApiException(
+            rs,
+            status: 403,
+            code: 'InsufficientPermissions',
+            message: 'Manual publishing has been disabled.',
+          );
+        },
+      );
+    });
+
     group('Uploading with service account', () {
       testWithProfile(
         'service account cannot upload new package',