pulp
diff --git a/‎.github/workflows/scripts/release.sh‎
Lines changed: 2 additions & 1 deletion b/‎.github/workflows/scripts/release.sh‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎.github/workflows/update_ci.yml‎
Lines changed: 38 additions & 7 deletions b/‎.github/workflows/update_ci.yml‎
Lines changed: 38 additions & 7 deletions
diff --git a/‎CHANGES.md‎
Lines changed: 39 additions & 0 deletions b/‎CHANGES.md‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎CHANGES/+atomic-replication-support.bugfix‎
Lines changed: 0 additions & 1 deletion b/‎CHANGES/+atomic-replication-support.bugfix‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎docs/user/guides/_SUMMARY.md‎
Lines changed: 1 addition & 0 deletions b/‎docs/user/guides/_SUMMARY.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/user/guides/blocklist.md‎
Lines changed: 73 additions & 0 deletions b/‎docs/user/guides/blocklist.md‎
Lines changed: 73 additions & 0 deletions
diff --git a/‎pulp_python/app/__init__.py‎
Lines changed: 1 addition & 1 deletion b/‎pulp_python/app/__init__.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎pulp_python/app/migrations/0022_pythonblocklistentry.py‎
Lines changed: 48 additions & 0 deletions b/‎pulp_python/app/migrations/0022_pythonblocklistentry.py‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎pulp_python/app/models.py‎
Lines changed: 69 additions & 1 deletion b/‎pulp_python/app/models.py‎
Lines changed: 69 additions & 1 deletion
@@ -24,4 +24,5 @@ towncrier build --yes --version "${NEW_VERSION}"
 bump-my-version bump release --commit --message "Release {new_version}" --tag --tag-name "{new_version}" --tag-message "Release {new_version}" --allow-dirty
 bump-my-version bump patch --commit
 
-git push origin "${BRANCH}" "${NEW_VERSION}"
+# Git push is not atomic by default!
+git push --atomic origin "${BRANCH}" "${NEW_VERSION}"
@@ -165,6 +165,37 @@ jobs:
         env:
           GH_TOKEN: "${{ secrets.RELEASE_TOKEN }}"
         continue-on-error: true
+      - uses: "actions/checkout@v6"
+        with:
+          fetch-depth: 0
+          path: "pulp_python"
+          ref: "3.19"
+
+      - name: "Run update"
+        working-directory: "pulp_python"
+        run: |
+          ../plugin_template/scripts/update_ci.sh --release
+
+      - name: "Create Pull Request for CI files"
+        uses: "peter-evans/create-pull-request@v8"
+        id: "create_pr_3_19"
+        with:
+          token: "${{ secrets.RELEASE_TOKEN }}"
+          path: "pulp_python"
+          committer: "pulpbot <pulp-infra@redhat.com>"
+          author: "pulpbot <pulp-infra@redhat.com>"
+          title: "Update CI files for branch 3.19"
+          branch: "update-ci/3.19"
+          base: "3.19"
+          delete-branch: true
+      - name: "Mark PR automerge"
+        working-directory: "pulp_python"
+        run: |
+          gh pr merge --rebase --auto "${{ steps.create_pr_3_19.outputs.pull-request-number }}"
+        if: "steps.create_pr_3_19.outputs.pull-request-number"
+        env:
+          GH_TOKEN: "${{ secrets.RELEASE_TOKEN }}"
+        continue-on-error: true
       - uses: "actions/checkout@v6"
         with:
           fetch-depth: 0
@@ -200,7 +231,7 @@ jobs:
         with:
           fetch-depth: 0
           path: "pulp_python"
-          ref: "3.28"
+          ref: "3.29"
 
       - name: "Run update"
         working-directory: "pulp_python"
@@ -209,21 +240,21 @@ jobs:
 
       - name: "Create Pull Request for CI files"
         uses: "peter-evans/create-pull-request@v8"
-        id: "create_pr_3_28"
+        id: "create_pr_3_29"
         with:
           token: "${{ secrets.RELEASE_TOKEN }}"
           path: "pulp_python"
           committer: "pulpbot <pulp-infra@redhat.com>"
           author: "pulpbot <pulp-infra@redhat.com>"
-          title: "Update CI files for branch 3.28"
-          branch: "update-ci/3.28"
-          base: "3.28"
+          title: "Update CI files for branch 3.29"
+          branch: "update-ci/3.29"
+          base: "3.29"
           delete-branch: true
       - name: "Mark PR automerge"
         working-directory: "pulp_python"
         run: |
-          gh pr merge --rebase --auto "${{ steps.create_pr_3_28.outputs.pull-request-number }}"
-        if: "steps.create_pr_3_28.outputs.pull-request-number"
+          gh pr merge --rebase --auto "${{ steps.create_pr_3_29.outputs.pull-request-number }}"
+        if: "steps.create_pr_3_29.outputs.pull-request-number"
         env:
           GH_TOKEN: "${{ secrets.RELEASE_TOKEN }}"
         continue-on-error: true
 
@@ -8,6 +8,30 @@
 
 [//]: # (towncrier release notes start)
 
+## 3.29.0 (2026-04-17) {: #3.29.0 }
+
+#### Features {: #3.29.0-feature }
+
+- Added repository-specific package blocklist.
+  [#1166](https://github.com/pulp/pulp_python/issues/1166)
+
+#### Bugfixes {: #3.29.0-bugfix }
+
+- Fixed "Worker has gone missing" errors during repair_metadata on large repositories (1000+ packages) by reducing peak memory consumption.
+  [#1188](https://github.com/pulp/pulp_python/issues/1188)
+- Support "atomic" replications in pulpcore 3.107
+
+---
+
+## 3.28.2 (2026-04-14) {: #3.28.2 }
+
+#### Bugfixes {: #3.28.2-bugfix }
+
+- Fixed "Worker has gone missing" errors during repair_metadata on large repositories (1000+ packages) by reducing peak memory consumption.
+  [#1188](https://github.com/pulp/pulp_python/issues/1188)
+
+---
+
 ## 3.28.1 (2026-04-01) {: #3.28.1 }
 
 #### Bugfixes {: #3.28.1-bugfix }
@@ -33,6 +57,15 @@
 
 ---
 
+## 3.27.2 (2026-04-14) {: #3.27.2 }
+
+#### Bugfixes {: #3.27.2-bugfix }
+
+- Fixed "Worker has gone missing" errors during repair_metadata on large repositories (1000+ packages) by reducing peak memory consumption.
+  [#1188](https://github.com/pulp/pulp_python/issues/1188)
+
+---
+
 ## 3.27.1 (2026-04-01) {: #3.27.1 }
 
 #### Bugfixes {: #3.27.1-bugfix }
@@ -522,6 +555,12 @@ No significant changes.
 
 ---
 
+## 3.11.8 (2026-04-21) {: #3.11.8 }
+
+No significant changes.
+
+---
+
 ## 3.11.7 (2025-11-18) {: #3.11.7 }
 
 No significant changes.
 
@@ -4,3 +4,4 @@
 * [Host Python Content](host.md)
 * [Vulnerability Report](vulnerability_report.md)
 * [Attestation Hosting](attestation.md)
+* [Package Blocklist](blocklist.md)
@@ -0,0 +1,73 @@
+# Package Blocklist
+
+A repository can have a blocklist that prevents specific packages from being added.
+Blocklist entries can match by package `name` (all versions), package `name` with an exact `version`, or exact `filename`.
+Exactly one of `name` or `filename` must be provided.
+
+Each entry records the PRN of the user who created it in the `added_by` field.
+
+## Setup
+
+If you do not already have a repository, create one:
+
+```bash
+pulp python repository create --name foo
+```
+
+Set the API base URL and repository HREF for use in the subsequent commands:
+
+```bash
+PULP_API="http://localhost:5001"
+REPO_HREF=$(pulp python repository show --name foo | jq -r ".pulp_href")
+```
+
+## Add a blocklist entry
+
+=== "By name (all versions)"
+
+    ```bash
+    # Block all versions of shelf-reader
+    http POST "${PULP_API}${REPO_HREF}blocklist_entries/" name="shelf-reader"
+    ```
+
+=== "By name and version"
+
+    ```bash
+    # Block only shelf-reader 0.1
+    http POST "${PULP_API}${REPO_HREF}blocklist_entries/" name="shelf-reader" version="0.1"
+    ```
+
+=== "By filename"
+
+    ```bash
+    # Block only shelf-reader-0.1.tar.gz
+    http POST "${PULP_API}${REPO_HREF}blocklist_entries/" filename="shelf-reader-0.1.tar.gz"
+    ```
+
+Set the UUID of a created entry for use in the subsequent commands:
+
+```bash
+ENTRY_UUID=$(http GET "${PULP_API}${REPO_HREF}blocklist_entries/" | jq -r '.results[0].prn | split(":") | .[-1]')
+```
+
+## List blocklist entries
+
+List all entries for a repository:
+
+```bash
+http GET "${PULP_API}${REPO_HREF}blocklist_entries/"
+```
+
+Show a single entry:
+
+```bash
+http GET "${PULP_API}${REPO_HREF}blocklist_entries/${ENTRY_UUID}/"
+```
+
+## Remove a blocklist entry
+
+```bash
+http DELETE "${PULP_API}${REPO_HREF}blocklist_entries/${ENTRY_UUID}/"
+```
+
+Once an entry is removed, packages matching it can be added to the repository again.
@@ -10,7 +10,7 @@ class PulpPythonPluginAppConfig(PulpPluginAppConfig):
 
     name = "pulp_python.app"
     label = "python"
-    version = "3.29.0.dev"
+    version = "3.30.0.dev"
     python_package_name = "pulp-python"
     domain_compatible = True
 
 
@@ -0,0 +1,48 @@
+# Generated by Django 5.2.10 on 2026-04-16 14:00
+
+import django.db.models.deletion
+import django_lifecycle.mixins
+import pulpcore.app.models.base
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("python", "0021_pythonrepository_upload_duplicate_filenames"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="PythonBlocklistEntry",
+            fields=[
+                (
+                    "pulp_id",
+                    models.UUIDField(
+                        default=pulpcore.app.models.base.pulp_uuid,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                ("pulp_created", models.DateTimeField(auto_now_add=True)),
+                ("pulp_last_updated", models.DateTimeField(auto_now=True, null=True)),
+                ("name", models.TextField(default=None, null=True)),
+                ("version", models.TextField(default=None, null=True)),
+                ("filename", models.TextField(default=None, null=True)),
+                ("added_by", models.TextField(default="")),
+                (
+                    "repository",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="blocklist_entries",
+                        to="python.pythonrepository",
+                    ),
+                ),
+            ],
+            options={
+                "default_related_name": "%(app_label)s_%(model_name)s",
+            },
+            bases=(django_lifecycle.mixins.LifecycleModelMixin, models.Model),
+        ),
+    ]
@@ -13,6 +13,7 @@
 )
 from pulpcore.plugin.models import (
     AutoAddObjPermsMixin,
+    BaseModel,
     Content,
     Publication,
     Distribution,
@@ -399,9 +400,12 @@ def finalize_new_version(self, new_version):
 
         When allow_package_substitution is False, reject any new version that would implicitly
         replace existing content with different checksums (content substitution).
+
+        Also checks newly added content against the repository's blocklist entries.
         """
         if not self.allow_package_substitution:
             self._check_for_package_substitution(new_version)
+        self._check_blocklist(new_version)
         remove_duplicates(new_version)
         validate_repo_version(new_version)
 
@@ -413,4 +417,68 @@ def _check_for_package_substitution(self, new_version):
         qs = PythonPackageContent.objects.filter(pk__in=new_version.content)
         duplicates = collect_duplicates(qs, ("filename",))
         if duplicates:
-            raise PackageSubstitutionError(duplicates)
+            raise ValidationError(
+                "Found duplicate packages being added with the same filename but different checksums. "  # noqa: E501
+                "To allow this, set 'allow_package_substitution' to True on the repository. "
+                f"Conflicting packages: {duplicates}"
+            )
+
+    def _check_blocklist(self, new_version):
+        """
+        Check newly added content in a repository version against the blocklist.
+        """
+        added_content = PythonPackageContent.objects.filter(
+            pk__in=new_version.added().values_list("pk", flat=True)
+        ).only("filename", "name_normalized", "version")
+        if added_content.exists():
+            self.check_blocklist_for_packages(added_content)
+
+    def check_blocklist_for_packages(self, packages):
+        """
+        Raise a ValidationError if any of the given packages match a blocklist entry.
+        """
+        entries = PythonBlocklistEntry.objects.filter(repository=self)
+        if not entries.exists():
+            return
+
+        blocked = []
+        for pkg in packages:
+            for entry in entries:
+                if entry.filename and entry.filename == pkg.filename:
+                    blocked.append(pkg.filename)
+                    break
+                if entry.name == pkg.name_normalized:
+                    if not entry.version or entry.version == pkg.version:
+                        blocked.append(pkg.filename)
+                        break
+        if blocked:
+            raise ValidationError(
+                "Blocklisted packages cannot be added to this repository: "
+                "{}".format(", ".join(blocked))
+            )
+
+
+class PythonBlocklistEntry(BaseModel):
+    """
+    An entry in a PythonRepository's package blocklist.
+
+    Blocklist entries prevent packages from being added to the repository.
+    Entries can match by package `name` (all versions), package `name` + `version`,
+    or exact `filename`. Exactly one of `name` or `filename` must be provided.
+    """
+
+    name = models.TextField(null=True, default=None)
+    version = models.TextField(null=True, default=None)
+    filename = models.TextField(null=True, default=None)
+    added_by = models.TextField(default="")
+    repository = models.ForeignKey(
+        PythonRepository, on_delete=models.CASCADE, related_name="blocklist_entries"
+    )
+
+    def __str__(self):
+        if self.filename:
+            return f"<{self._meta.object_name}: {self.filename}>"
+        return f"<{self._meta.object_name}: {self.name} [{self.version or 'all'}]>"
+
+    class Meta:
+        default_related_name = "%(app_label)s_%(model_name)s"