I'm testing SPM's package registry related functions with this version of Forgejo: https://codeberg.org/forgejo/forgejo/pulls/12200
When I wanted to swift package-registry set http://localhost:3000/api/packages/Cyberbeni/swift, it failed because http is not supported but adding it as https and then modifying to http worked. I think http should be allowed for localhost and private IP ranges.
I think when you want to use Package x.y from registry z, you should be able to do all that from Package.swift instead of adding package x.y to Package.swift and adding registry z to registries.json. I think registries.json should only be used when you want to use mirrors of some dependencies. (I haven't tried yet what happens when you have a transitive dependency in a package registry. Do you have to manually add that registry to your own registries.json? Or is it picked up from registries.json in the other package's repository?)
Package registry dependency looks like this in Package.resolved:
{
"identity" : "Cyberbeni.LruCache",
"kind" : "registry",
"location" : "",
"state" : {
"version" : "1.1.3"
}
},
This should have the URL of the package registry and the checksum of the package and information whether this version is signed or not and whether we want to ensure that the signature is from one of the trusted signers.
There is this optional availability endpoint which is not included in the documentation.