Option to disable manual publishing

app/lib/frontend/handlers/experimental.dart

@@ -14,6 +14,7 @@ const _publicFlags = <PublicFlag>{
 
 final _allFlags = <String>{
   'dark-as-default',
+  'manual-publishing',
   ..._publicFlags.map((x) => x.name),
 };
 
@@ -88,6 +89,8 @@ class ExperimentalFlags {
 
   bool get isDarkModeDefault => isEnabled('dark-as-default');
 
+  bool get isManualPublishingConfigAvailable => isEnabled('manual-publishing');
+
   String encodedAsCookie() => _enabled.join(':');
 
   @override

app/lib/frontend/templates/views/pkg/admin_page.dart

@@ -3,6 +3,7 @@
 // BSD-style license that can be found in the LICENSE file.
 
 import 'package:_pub_shared/data/package_api.dart';
+import 'package:pub_dev/frontend/request_context.dart';
 
 import '../../../../account/models.dart';
 import '../../../../package/models.dart';
@@ -42,6 +43,8 @@ d.Node packageAdminPageNode({
           ),
         ],
       ),
+      if (requestContext.experimentalFlags.isManualPublishingConfigAvailable)
+        TocNode('Manual publishing', href: '#manual-publishing'),
       TocNode('Version retraction', href: '#version-retraction'),
     ]),
     d.a(name: 'ownership'),
@@ -227,6 +230,8 @@ d.Node packageAdminPageNode({
       ),
     ],
     _automatedPublishing(package),
+    if (requestContext.experimentalFlags.isManualPublishingConfigAvailable)
+      _manualPublishing(package),
     d.a(name: 'version-retraction'),
     d.h2(text: 'Version retraction'),
     d.div(
@@ -453,6 +458,27 @@ d.Node _automatedPublishing(Package package) {
   ]);
 }
 
+d.Node _manualPublishing(Package package) {
+  final manual = package.automatedPublishing?.manualConfig;
+  return d.fragment([
+    d.a(name: 'manual-publishing'),
+    d.h2(text: 'Manual publishing'),
+    d.markdown(
+      'The manual publishing of new versions using the `pub` tool is enabled by default in all packages. '
+      'Disabling it may protect the package from accidental publishing events when the package is otherwise using '
+      'automated publishing, or in other cases, is discontinued.',
+    ),
+    d.div(
+      classes: ['-pub-form-checkbox-row'],
+      child: material.checkbox(
+        id: '-admin-is-manual-publishing-disabled',
+        label: 'Disable manual publishing',
+        checked: manual?.isDisabled ?? false,
+      ),
+    ),
+  ]);
+}
+
 d.Node _exampleGitHubWorkflow(GitHubPublishingConfig github) {
   final expandedTagPattern = (github.tagPattern ?? '{{version}}').replaceAll(
     '{{version}}',

app/lib/package/backend.dart

@@ -635,6 +635,8 @@ class PackageBackend {
       final p = await tx.lookupValue<Package>(pkg.key);
       final githubConfig = body.github;
       final gcpConfig = body.gcp;
+      final manualConfig = body.manual;
+
       if (githubConfig != null) {
         final isEnabled = githubConfig.isEnabled;
 
@@ -648,7 +650,9 @@ class PackageBackend {
         final repository = githubConfig.repository?.trim() ?? '';
         githubConfig.repository = repository.isEmpty ? null : repository;
         final tagPattern = githubConfig.tagPattern?.trim() ?? '';
-        verifyTagPattern(tagPattern: tagPattern);
+        if (isEnabled) {
+          verifyTagPattern(tagPattern: tagPattern);
+        }
         githubConfig.tagPattern = tagPattern.isEmpty ? null : tagPattern;
         final environment = githubConfig.environment?.trim() ?? '';
         githubConfig.environment = environment.isEmpty ? null : environment;
@@ -726,9 +730,14 @@ class PackageBackend {
       }
 
       // finalize changes
-      p.automatedPublishing ??= AutomatedPublishing();
-      p.automatedPublishing!.githubConfig = githubConfig;
-      p.automatedPublishing!.gcpConfig = gcpConfig;
+      final automatedPublishing = p.automatedPublishing ??=
+          AutomatedPublishing();
+      automatedPublishing.githubConfig =
+          githubConfig ?? automatedPublishing.githubConfig;
+      automatedPublishing.gcpConfig =
+          gcpConfig ?? automatedPublishing.gcpConfig;
+      automatedPublishing.manualConfig =
+          manualConfig ?? automatedPublishing.manualConfig;
 
       p.updated = clock.now().toUtc();
       tx.insert(p);
@@ -742,6 +751,7 @@ class PackageBackend {
       return api.AutomatedPublishingConfig(
         github: p.automatedPublishing!.githubConfig,
         gcp: p.automatedPublishing!.gcpConfig,
+        manual: p.automatedPublishing!.manualConfig,
       );
     });
   }
@@ -1606,6 +1616,11 @@ class PackageBackend {
     }
     if (agent is AuthenticatedUser &&
         await packageBackend.isPackageAdmin(package, agent.user.userId)) {
+      final isDisabled =
+          package.automatedPublishing?.manualConfig?.isDisabled ?? false;
+      if (isDisabled) {
+        throw AuthorizationException.manualPublishingDisabled();
+      }
       return;
     }
     if (agent is AuthenticatedGitHubAction) {

app/lib/package/models.dart

@@ -460,12 +460,14 @@ class AutomatedPublishing {
   GitHubPublishingLock? githubLock;
   GcpPublishingConfig? gcpConfig;
   GcpPublishingLock? gcpLock;
+  ManualPublishingConfig? manualConfig;
 
   AutomatedPublishing({
     this.githubConfig,
     this.githubLock,
     this.gcpConfig,
     this.gcpLock,
+    this.manualConfig,
   });
 
   factory AutomatedPublishing.fromJson(Map<String, dynamic> json) =>

app/lib/shared/exceptions.dart

@@ -572,6 +572,12 @@ class AuthorizationException extends ResponseException {
     'The calling service account is not allowed to publish, because: $reason.\nSee https://dart.dev/go/publishing-with-service-account',
   );
 
+  /// Signaling that the manual publishing was disabled and cannot be authorized.
+  factory AuthorizationException.manualPublishingDisabled() =>
+      AuthorizationException._(
+        'The manual publishing with the `pub` tool is disabled on the package admin page.',
+      );
+
   @override
   String toString() => '$code: $message'; // used by package:pub_server
 }

app/test/package/automated_publishing_test.dart

@@ -309,5 +309,79 @@ void main() {
         );
       },
     );
+
+    testWithProfile(
+      'partial settings do not override the other',
+      fn: () async {
+        final client = await createFakeAuthPubApiClient(
+          email: adminAtPubDevEmail,
+        );
+
+        Future<void> update({
+          GitHubPublishingConfig? github,
+          GcpPublishingConfig? gcp,
+          ManualPublishingConfig? manual,
+          required Map<String, dynamic> expected,
+        }) async {
+          final rs = await client.setAutomatedPublishing(
+            'oxygen',
+            AutomatedPublishingConfig(github: github, gcp: gcp, manual: manual),
+          );
+          expect(rs.toJson(), expected);
+        }
+
+        await update(
+          manual: ManualPublishingConfig(isDisabled: false),
+          expected: {
+            'manual': {'isDisabled': false},
+          },
+        );
+
+        await update(
+          github: GitHubPublishingConfig(isEnabled: false),
+          expected: {
+            'github': {
+              'isEnabled': false,
+              'requireEnvironment': false,
+              'isPushEventEnabled': true,
+              'isWorkflowDispatchEventEnabled': false,
+            },
+            'manual': {'isDisabled': false},
+          },
+        );
+
+        await update(
+          manual: ManualPublishingConfig(isDisabled: true),
+          expected: {
+            'github': {
+              'isEnabled': false,
+              'requireEnvironment': false,
+              'isPushEventEnabled': true,
+              'isWorkflowDispatchEventEnabled': false,
+            },
+            'manual': {'isDisabled': true},
+          },
+        );
+
+        await update(
+          github: GitHubPublishingConfig(
+            isEnabled: true,
+            tagPattern: '{{version}}',
+            repository: 'user/repo',
+          ),
+          expected: {
+            'github': {
+              'isEnabled': true,
+              'repository': 'user/repo',
+              'tagPattern': '{{version}}',
+              'requireEnvironment': false,
+              'isPushEventEnabled': true,
+              'isWorkflowDispatchEventEnabled': false,
+            },
+            'manual': {'isDisabled': true},
+          },
+        );
+      },
+    );
   });
 }

app/test/package/upload_test.dart

@@ -281,6 +281,38 @@ void main() {
       );
     });
 
+    group('Manual publishing overrides', () {
+      testWithProfile(
+        'manual publishing disabled',
+        fn: () async {
+          await withFakeAuthRetryPubApiClient(email: adminAtPubDevEmail, (
+            client,
+          ) async {
+            await client.setAutomatedPublishing(
+              'oxygen',
+              AutomatedPublishingConfig(
+                manual: ManualPublishingConfig(isDisabled: true),
+              ),
+            );
+          });
+
+          final bytes = await packageArchiveBytes(
+            pubspecContent: generatePubspecYaml('oxygen', '2.2.0'),
+          );
+          final rs = createPubApiClient(
+            authToken: adminClientToken,
+          ).uploadPackageBytes(bytes);
+          await expectApiException(
+            rs,
+            status: 403,
+            code: 'InsufficientPermissions',
+            message:
+                'The manual publishing with the `pub` tool is disabled on the package admin page.',
+          );
+        },
+      );
+    });
+
     group('Uploading with service account', () {
       testWithProfile(
         'service account cannot upload new package',

pkg/_pub_shared/lib/data/package_api.dart

@@ -46,8 +46,9 @@ class PkgOptions {
 class AutomatedPublishingConfig {
   final GitHubPublishingConfig? github;
   final GcpPublishingConfig? gcp;
+  final ManualPublishingConfig? manual;
 
-  AutomatedPublishingConfig({this.github, this.gcp});
+  AutomatedPublishingConfig({this.github, this.gcp, this.manual});
 
   factory AutomatedPublishingConfig.fromJson(Map<String, dynamic> json) =>
       _$AutomatedPublishingConfigFromJson(json);
@@ -120,6 +121,18 @@ class GcpPublishingConfig {
   Map<String, dynamic> toJson() => _$GcpPublishingConfigToJson(this);
 }
 
+@JsonSerializable(includeIfNull: false, explicitToJson: true)
+class ManualPublishingConfig {
+  bool isDisabled;
+
+  ManualPublishingConfig({this.isDisabled = false});
+
+  factory ManualPublishingConfig.fromJson(Map<String, dynamic> json) =>
+      _$ManualPublishingConfigFromJson(json);
+
+  Map<String, dynamic> toJson() => _$ManualPublishingConfigToJson(this);
+}
+
 @JsonSerializable()
 class VersionOptions {
   final bool? isRetracted;

pkg/pub_integration/lib/src/test_browser.dart

@@ -372,9 +372,9 @@ extension PageExt on Page {
   }
 
   /// Returns the [property] value of the first element by [selector].
-  Future<String> propertyValue(String selector, String property) async {
+  Future<T> propertyValue<T>(String selector, String property) async {
     final h = await $(selector);
-    return await h.propertyValue(property);
+    return await h.propertyValue<T>(property);
   }
 }
 

pkg/pub_integration/test/pkg_admin_page_test.dart

@@ -79,6 +79,22 @@ void main() {
         expect(value, githubRepository);
       });
 
+      // disable manual publishing
+      await user.withBrowserPage((page) async {
+        await page.gotoOrigin('/experimental?manual-publishing=1');
+        await page.gotoOrigin('/packages/test_pkg/admin');
+
+        await page.waitAndClick('#-admin-is-manual-publishing-disabled');
+        await page.waitAndClickOnDialogOk(waitForOneResponse: true);
+        await page.reload();
+
+        final value = await page.propertyValue(
+          '#-admin-is-manual-publishing-disabled',
+          'checked',
+        );
+        expect(value, true);
+      });
+
       // visit activity log page
       await user.withBrowserPage((page) async {
         await page.gotoOrigin('/packages/test_pkg/activity-log');