Add latest changes from gitlab-org/gitlab@master

5 files changed, 275 insertions, 221 deletions

diff --git a/.gitlab/ci/dast.gitlab-ci.yml b/.gitlab/ci/review-apps/dast.gitlab-ci.yml
index 512c850b7da..512c850b7da 100644
--- a/.gitlab/ci/dast.gitlab-ci.yml
+++ b/.gitlab/ci/review-apps/dast.gitlab-ci.yml
diff --git a/.gitlab/ci/review-apps/main.gitlab-ci.yml b/.gitlab/ci/review-apps/main.gitlab-ci.yml
new file mode 100644
index 00000000000..6fe9e39cb82
--- /dev/null
+++ b/.gitlab/ci/review-apps/main.gitlab-ci.yml
@@ -0,0 +1,106 @@
+stages:
+  - prepare
+  - deploy
+  - qa
+  - post-qa
+  - dast
+
+include:
+  - local: .gitlab/ci/global.gitlab-ci.yml
+  - local: .gitlab/ci/rules.gitlab-ci.yml
+  - local: .gitlab/ci/review-apps/qa.gitlab-ci.yml
+  - local: .gitlab/ci/review-apps/dast.gitlab-ci.yml
+
+.base-before_script: &base-before_script
+  - source ./scripts/utils.sh
+  - source ./scripts/review_apps/review-apps.sh
+  - install_api_client_dependencies_with_apk
+
+review-build-cng:
+  extends:
+    - .default-retry
+    - .review:rules:review-build-cng
+  image: ${GITLAB_DEPENDENCY_PROXY}ruby:2.7-alpine3.13
+  stage: prepare
+  variables:
+    CNG_PROJECT_ACCESS_TOKEN: "${CNG_MIRROR_PROJECT_ACCESS_TOKEN}"  # "Multi-pipeline (from 'gitlab-org/gitlab' 'review-build-cng' job)" at https://gitlab.com/gitlab-org/build/CNG-mirror/-/settings/access_tokens
+    CNG_PROJECT_PATH: "gitlab-org/build/CNG-mirror"
+  before_script:
+    - source ./scripts/utils.sh
+    - install_gitlab_gem
+  script:
+    - ./scripts/trigger-build cng
+
+.review-workflow-base:
+  extends:
+    - .default-retry
+  image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-helm3.5-kubectl1.17
+  variables:
+    HOST_SUFFIX: "${CI_ENVIRONMENT_SLUG}"
+    DOMAIN: "-${CI_ENVIRONMENT_SLUG}.${REVIEW_APPS_DOMAIN}"
+    GITLAB_HELM_CHART_REF: "v5.2.1"
+  environment:
+    name: review/${CI_COMMIT_REF_SLUG}${FREQUENCY}
+    url: https://gitlab-${CI_ENVIRONMENT_SLUG}.${REVIEW_APPS_DOMAIN}
+    on_stop: review-stop
+    auto_stop_in: 48 hours
+
+review-deploy:
+  extends:
+    - .review-workflow-base
+    - .review:rules:review-deploy
+  stage: deploy
+  needs: ["review-build-cng"]
+  resource_group: "review/${CI_COMMIT_REF_NAME}"
+  before_script:
+    - export GITLAB_SHELL_VERSION=$(<GITLAB_SHELL_VERSION)
+    - export GITALY_VERSION=$(<GITALY_SERVER_VERSION)
+    - export GITLAB_WORKHORSE_VERSION=$(<GITLAB_WORKHORSE_VERSION)
+    - echo "${CI_ENVIRONMENT_URL}" > environment_url.txt
+    - *base-before_script
+  script:
+    - check_kube_domain
+    - download_chart
+    - date
+    - deploy || (display_deployment_debug && exit 1)
+    - verify_deploy || exit 1
+    - disable_sign_ups || (delete_release && exit 1)
+  after_script:
+    # Run seed-dast-test-data.sh only when DAST_RUN is set to true. This is to pupulate review app with data for DAST scan.
+    # Set DAST_RUN to true when jobs are manually scheduled.
+    - if [ "$DAST_RUN" == "true" ]; then source scripts/review_apps/seed-dast-test-data.sh; TRACE=1 trigger_proj_user_creation; fi
+  artifacts:
+    paths:
+      - environment_url.txt
+      - curl_output.txt
+    expire_in: 7 days
+    when: always
+
+.review-stop-base:
+  extends: .review-workflow-base
+  environment:
+    action: stop
+  dependencies: []
+  variables:
+    # We're cloning the repo instead of downloading the script for now
+    # because some repos are private and CI_JOB_TOKEN cannot access files.
+    # See https://gitlab.com/gitlab-org/gitlab/issues/191273
+    GIT_DEPTH: 1
+  before_script:
+    - *base-before_script
+
+review-delete-deployment:
+  extends:
+    - .review-stop-base
+    - .review:rules:review-delete-deployment
+  stage: prepare
+  script:
+    - delete_release
+
+review-stop:
+  extends:
+    - .review-stop-base
+    - .review:rules:review-stop
+  stage: post-qa
+  script:
+    - delete_k8s_release_namespace
diff --git a/.gitlab/ci/review-apps/qa.gitlab-ci.yml b/.gitlab/ci/review-apps/qa.gitlab-ci.yml
new file mode 100644
index 00000000000..04eddb80ad5
--- /dev/null
+++ b/.gitlab/ci/review-apps/qa.gitlab-ci.yml
@@ -0,0 +1,126 @@
+.review-qa-base:
+  extends:
+    - .use-docker-in-docker
+  image:
+    name: ${QA_IMAGE}
+    entrypoint: [""]
+  stage: qa
+  needs: ["review-deploy"]
+  variables:
+    QA_DEBUG: "true"
+    QA_CAN_TEST_GIT_PROTOCOL_V2: "false"
+    QA_GENERATE_ALLURE_REPORT: "true"
+    GITLAB_USERNAME: "root"
+    GITLAB_PASSWORD: "${REVIEW_APPS_ROOT_PASSWORD}"
+    GITLAB_ADMIN_USERNAME: "root"
+    GITLAB_ADMIN_PASSWORD: "${REVIEW_APPS_ROOT_PASSWORD}"
+    GITHUB_ACCESS_TOKEN: "${REVIEW_APPS_QA_GITHUB_ACCESS_TOKEN}"
+    EE_LICENSE: "${REVIEW_APPS_EE_LICENSE}"
+    SIGNUP_DISABLED: "true"
+  before_script:
+    # Use $CI_MERGE_REQUEST_SOURCE_BRANCH_SHA so that GitLab image built in omnibus-gitlab-mirror and QA image are in sync.
+    - if [ -n "$CI_MERGE_REQUEST_SOURCE_BRANCH_SHA" ]; then
+        git checkout -f ${CI_MERGE_REQUEST_SOURCE_BRANCH_SHA};
+      fi
+    - export CI_ENVIRONMENT_URL="$(cat environment_url.txt)"
+    - echo "${CI_ENVIRONMENT_URL}"
+    - cd qa
+  artifacts:
+    paths:
+      - qa/tmp
+    expire_in: 7 days
+    when: always
+
+.allure-report-base:
+  image:
+    name: ${GITLAB_DEPENDENCY_PROXY}andrcuns/allure-report-publisher:0.3.4
+    entrypoint: [""]
+  stage: post-qa
+  variables:
+    GIT_STRATEGY: none
+    STORAGE_CREDENTIALS: $QA_ALLURE_REPORT_GCS_CREDENTIALS
+    GITLAB_AUTH_TOKEN: $GITLAB_QA_MR_ALLURE_REPORT_TOKEN
+  allow_failure: true
+  script:
+    - |
+      allure-report-publisher upload gcs \
+        --results-glob="qa/tmp/allure-results/*" \
+        --bucket="gitlab-qa-allure-reports" \
+        --prefix="$ALLURE_REPORT_PATH_PREFIX/$CI_COMMIT_REF_SLUG" \
+        --update-pr="comment" \
+        --copy-latest \
+        --ignore-missing-results \
+        --color
+
+review-qa-smoke:
+  extends:
+    - .review-qa-base
+    - .review:rules:review-qa-smoke
+  retry: 1  # This is confusing but this means "2 runs at max".
+  variables:
+    QA_RUN_TYPE: review-qa-smoke
+  script:
+    - bin/test Test::Instance::Smoke "${CI_ENVIRONMENT_URL}"
+
+review-qa-all:
+  extends:
+    - .review-qa-base
+    - .review:rules:review-qa-all
+  variables:
+    QA_RUN_TYPE: review-qa-all
+  parallel: 5
+  script:
+    - export KNAPSACK_REPORT_PATH=knapsack/master_report.json
+    - export KNAPSACK_TEST_FILE_PATTERN=qa/specs/features/**/*_spec.rb
+    - |
+      bin/test Test::Instance::All "${CI_ENVIRONMENT_URL}" \
+        -- \
+        --color --format documentation \
+        --format RspecJunitFormatter --out tmp/rspec.xml
+  artifacts:
+    reports:
+      junit: qa/tmp/rspec.xml
+
+review-performance:
+  extends:
+    - .default-retry
+    - .review:rules:review-performance
+  image:
+    name: sitespeedio/sitespeed.io
+    entrypoint: [""]
+  stage: qa
+  needs: ["review-deploy"]
+  before_script:
+    - export CI_ENVIRONMENT_URL="$(cat environment_url.txt)"
+    - echo "${CI_ENVIRONMENT_URL}"
+    - mkdir -p gitlab-exporter
+    - wget -O ./gitlab-exporter/index.js https://gitlab.com/gitlab-org/gl-performance/raw/master/index.js
+    - mkdir -p sitespeed-results
+  script:
+    - /start.sh --plugins.add ./gitlab-exporter --outputFolder sitespeed-results "${CI_ENVIRONMENT_URL}"
+  after_script:
+    - mv sitespeed-results/data/performance.json performance.json
+  artifacts:
+    paths:
+      - sitespeed-results/
+    reports:
+      performance: performance.json
+    expire_in: 31d
+
+allure-report-qa-smoke:
+  extends:
+    - .allure-report-base
+    - .review:rules:review-qa-smoke-report
+  needs: ["review-qa-smoke"]
+  variables:
+    ALLURE_REPORT_PATH_PREFIX: gitlab-review-smoke
+    ALLURE_JOB_NAME: review-qa-smoke
+
+allure-report-qa-all:
+  extends:
+    - .allure-report-base
+    - .review:rules:review-qa-all-report
+  needs: ["review-qa-all"]
+  variables:
+    ALLURE_REPORT_PATH_PREFIX: gitlab-review-all
+    ALLURE_JOB_NAME: review-qa-all
diff --git a/.gitlab/ci/review.gitlab-ci.yml b/.gitlab/ci/review.gitlab-ci.yml
index 2fa8c2519f7..c89fcff6451 100644
--- a/.gitlab/ci/review.gitlab-ci.yml
+++ b/.gitlab/ci/review.gitlab-ci.yml
@@ -16,229 +16,19 @@ review-cleanup:
     - ruby -rrubygems scripts/review_apps/automated_cleanup.rb
     - gcp_cleanup
 
-.base-before_script: &base-before_script
-  - source ./scripts/utils.sh
-  - source ./scripts/review_apps/review-apps.sh
-  - install_api_client_dependencies_with_apk
-
-review-build-cng:
+start-review-app-pipeline:
   extends:
-    - .default-retry
-    - .review:rules:review-build-cng
-  image: ${GITLAB_DEPENDENCY_PROXY}ruby:2.7-alpine3.13
-  stage: review-prepare
+    - .review:rules:review-app-pipeline
+  stage: review
   needs:
-    - job: compile-production-assets
+    - job: build-assets-image
       artifacts: false
-  variables:
-    CNG_PROJECT_ACCESS_TOKEN: "${CNG_MIRROR_PROJECT_ACCESS_TOKEN}"  # "Multi-pipeline (from 'gitlab-org/gitlab' 'review-build-cng' job)" at https://gitlab.com/gitlab-org/build/CNG-mirror/-/settings/access_tokens
-    CNG_PROJECT_PATH: "gitlab-org/build/CNG-mirror"
-  before_script:
-    - source ./scripts/utils.sh
-    - install_gitlab_gem
-  script:
-    - ./scripts/trigger-build cng
-
-.review-workflow-base:
-  extends:
-    - .default-retry
-  image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-helm3.5-kubectl1.17
-  variables:
-    HOST_SUFFIX: "${CI_ENVIRONMENT_SLUG}"
-    DOMAIN: "-${CI_ENVIRONMENT_SLUG}.${REVIEW_APPS_DOMAIN}"
-    GITLAB_HELM_CHART_REF: "v5.2.1"
-  environment:
-    name: review/${CI_COMMIT_REF_SLUG}${FREQUENCY}
-    url: https://gitlab-${CI_ENVIRONMENT_SLUG}.${REVIEW_APPS_DOMAIN}
-    on_stop: review-stop
-    auto_stop_in: 48 hours
-
-review-deploy:
-  extends:
-    - .review-workflow-base
-    - .review:rules:review-deploy
-  stage: review
-  needs: ["review-build-cng"]
-  resource_group: "review/${CI_COMMIT_REF_NAME}"
-  before_script:
-    - export GITLAB_SHELL_VERSION=$(<GITLAB_SHELL_VERSION)
-    - export GITALY_VERSION=$(<GITALY_SERVER_VERSION)
-    - export GITLAB_WORKHORSE_VERSION=$(<GITLAB_WORKHORSE_VERSION)
-    - echo "${CI_ENVIRONMENT_URL}" > environment_url.txt
-    - *base-before_script
-  script:
-    - check_kube_domain
-    - download_chart
-    - date
-    - deploy || (display_deployment_debug && exit 1)
-    - verify_deploy || exit 1
-    - disable_sign_ups || (delete_release && exit 1)
-  after_script:
-    # Run seed-dast-test-data.sh only when DAST_RUN is set to true. This is to pupulate review app with data for DAST scan.
-    # Set DAST_RUN to true when jobs are manually scheduled.
-    - if [ "$DAST_RUN" == "true" ]; then source scripts/review_apps/seed-dast-test-data.sh; TRACE=1 trigger_proj_user_creation; fi
-  artifacts:
-    paths:
-      - environment_url.txt
-      - curl_output.txt
-    expire_in: 7 days
-    when: always
-
-.review-stop-base:
-  extends: .review-workflow-base
-  environment:
-    action: stop
-  dependencies: []
-  variables:
-    # We're cloning the repo instead of downloading the script for now
-    # because some repos are private and CI_JOB_TOKEN cannot access files.
-    # See https://gitlab.com/gitlab-org/gitlab/issues/191273
-    GIT_DEPTH: 1
-  before_script:
-    - *base-before_script
-
-review-delete-deployment:
-  extends:
-    - .review-stop-base
-    - .review:rules:review-delete-deployment
-  stage: prepare
-  script:
-    - delete_release
-
-review-stop:
-  extends:
-    - .review-stop-base
-    - .review:rules:review-stop
-  stage: post-qa
-  script:
-    - delete_k8s_release_namespace
-
-.review-qa-base:
-  extends:
-    - .use-docker-in-docker
-  image:
-    name: ${QA_IMAGE}
-    entrypoint: [""]
-  stage: qa
-  needs: ["build-qa-image", "review-deploy"]
-  variables:
-    QA_DEBUG: "true"
-    QA_CAN_TEST_GIT_PROTOCOL_V2: "false"
-    QA_GENERATE_ALLURE_REPORT: "true"
-    GITLAB_USERNAME: "root"
-    GITLAB_PASSWORD: "${REVIEW_APPS_ROOT_PASSWORD}"
-    GITLAB_ADMIN_USERNAME: "root"
-    GITLAB_ADMIN_PASSWORD: "${REVIEW_APPS_ROOT_PASSWORD}"
-    GITHUB_ACCESS_TOKEN: "${REVIEW_APPS_QA_GITHUB_ACCESS_TOKEN}"
-    EE_LICENSE: "${REVIEW_APPS_EE_LICENSE}"
-    SIGNUP_DISABLED: "true"
-  before_script:
-    # Use $CI_MERGE_REQUEST_SOURCE_BRANCH_SHA so that GitLab image built in omnibus-gitlab-mirror and QA image are in sync.
-    - if [ -n "$CI_MERGE_REQUEST_SOURCE_BRANCH_SHA" ]; then
-        git checkout -f ${CI_MERGE_REQUEST_SOURCE_BRANCH_SHA};
-      fi
-    - export CI_ENVIRONMENT_URL="$(cat environment_url.txt)"
-    - echo "${CI_ENVIRONMENT_URL}"
-    - cd qa
-  artifacts:
-    paths:
-      - qa/tmp
-    expire_in: 7 days
-    when: always
-
-.allure-report-base:
-  image:
-    name: ${GITLAB_DEPENDENCY_PROXY}andrcuns/allure-report-publisher:0.3.4
-    entrypoint: [""]
-  stage: post-qa
-  variables:
-    GIT_STRATEGY: none
-    STORAGE_CREDENTIALS: $QA_ALLURE_REPORT_GCS_CREDENTIALS
-    GITLAB_AUTH_TOKEN: $GITLAB_QA_MR_ALLURE_REPORT_TOKEN
-  allow_failure: true
-  script:
-    - |
-      allure-report-publisher upload gcs \
-        --results-glob="qa/tmp/allure-results/*" \
-        --bucket="gitlab-qa-allure-reports" \
-        --prefix="$ALLURE_REPORT_PATH_PREFIX/$CI_COMMIT_REF_SLUG" \
-        --update-pr="comment" \
-        --copy-latest \
-        --ignore-missing-results \
-        --color
-
-review-qa-smoke:
-  extends:
-    - .review-qa-base
-    - .review:rules:review-qa-smoke
-  retry: 1  # This is confusing but this means "2 runs at max".
-  variables:
-    QA_RUN_TYPE: review-qa-smoke
-  script:
-    - bin/test Test::Instance::Smoke "${CI_ENVIRONMENT_URL}"
-
-review-qa-all:
-  extends:
-    - .review-qa-base
-    - .review:rules:review-qa-all
-  parallel: 5
-  variables:
-    QA_RUN_TYPE: review-qa-all
-  script:
-    - export KNAPSACK_REPORT_PATH=knapsack/master_report.json
-    - export KNAPSACK_TEST_FILE_PATTERN=qa/specs/features/**/*_spec.rb
-    - |
-      bin/test Test::Instance::All "${CI_ENVIRONMENT_URL}" \
-        -- \
-        --color --format documentation \
-        --format RspecJunitFormatter --out tmp/rspec.xml
-  artifacts:
-    reports:
-      junit: qa/tmp/rspec.xml
-
-review-performance:
-  extends:
-    - .default-retry
-    - .review:rules:review-performance
-  image:
-    name: sitespeedio/sitespeed.io
-    entrypoint: [""]
-  stage: qa
-  needs: ["review-deploy"]
-  before_script:
-    - export CI_ENVIRONMENT_URL="$(cat environment_url.txt)"
-    - echo "${CI_ENVIRONMENT_URL}"
-    - mkdir -p gitlab-exporter
-    - wget -O ./gitlab-exporter/index.js https://gitlab.com/gitlab-org/gl-performance/raw/master/index.js
-    - mkdir -p sitespeed-results
-  script:
-    - /start.sh --plugins.add ./gitlab-exporter --outputFolder sitespeed-results "${CI_ENVIRONMENT_URL}"
-  after_script:
-    - mv sitespeed-results/data/performance.json performance.json
-  artifacts:
-    paths:
-      - sitespeed-results/
-    reports:
-      performance: performance.json
-    expire_in: 31d
-
-allure-report-qa-smoke:
-  extends:
-    - .allure-report-base
-    - .review:rules:review-qa-smoke-report
-  needs: ["review-qa-smoke"]
-  variables:
-    ALLURE_REPORT_PATH_PREFIX: gitlab-review-smoke
-    ALLURE_JOB_NAME: review-qa-smoke
-
-allure-report-qa-all:
-  extends:
-    - .allure-report-base
-    - .review:rules:review-qa-all-report
-  needs: ["review-qa-all"]
-  variables:
-    ALLURE_REPORT_PATH_PREFIX: gitlab-review-all
-    ALLURE_JOB_NAME: review-qa-all
+    - job: build-qa-image
+      artifacts: false
+  trigger:
+    include:
+      - local: .gitlab/ci/review-apps/main.gitlab-ci.yml
+    strategy: depend
 
 danger-review:
   extends:
diff --git a/.gitlab/ci/rules.gitlab-ci.yml b/.gitlab/ci/rules.gitlab-ci.yml
index 5e04db6701c..8d27e14f86d 100644
--- a/.gitlab/ci/rules.gitlab-ci.yml
+++ b/.gitlab/ci/rules.gitlab-ci.yml
@@ -10,6 +10,9 @@
 .if-not-foss: &if-not-foss
   if: '$CI_PROJECT_NAME != "gitlab-foss" && $CI_PROJECT_NAME != "gitlab-ce" && $CI_PROJECT_NAME != "gitlabhq"'
 
+.if-jh: &if-jh
+  if: '$CI_PROJECT_PATH == "gitlab-jh/gitlab"'
+
 .if-default-refs: &if-default-refs
   if: '$CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH || $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/ || $CI_COMMIT_REF_NAME =~ /^\d+-\d+-auto-deploy-\d+$/ || $CI_COMMIT_REF_NAME =~ /^security\// || $CI_MERGE_REQUEST_IID || $CI_COMMIT_TAG || $FORCE_GITLAB_CI'
 
@@ -116,6 +119,7 @@
   - ".gitlab/ci/frontend.gitlab-ci.yml"
   - ".gitlab/ci/build-images.gitlab-ci.yml"
   - ".gitlab/ci/review.gitlab-ci.yml"
+  - ".gitlab/ci/review-apps/**/*"
   - "scripts/review_apps/base-config.yaml"
   - "scripts/review_apps/review-apps.sh"
   - "scripts/trigger-build"
@@ -503,6 +507,8 @@
   rules:
     - <<: *if-not-ee
       when: never
+    - <<: *if-jh
+      when: never
     - <<: *if-merge-request-labels-as-if-jh
     - <<: *if-merge-request-labels-run-all-rspec
     - changes: *code-backstage-qa-patterns
@@ -517,6 +523,8 @@
   rules:
     - <<: *if-not-ee
       when: never
+    - <<: *if-jh
+      when: never
     - <<: *if-security-merge-request
       changes: *code-backstage-patterns
     - <<: *if-merge-request-labels-as-if-foss
@@ -530,6 +538,8 @@
   rules:
     - <<: *if-not-ee
       when: never
+    - <<: *if-jh
+      when: never
     - <<: *if-security-merge-request
       changes: *code-backstage-patterns
     - <<: *if-merge-request-labels-as-if-jh
@@ -579,6 +589,8 @@
   rules:
     - <<: *if-not-ee
       when: never
+    - <<: *if-jh
+      when: never
     # We already have `static-analysis as-if-foss` which already runs `lint:eslint:all` if the `pipeline:run-as-if-foss` label is set.
     - <<: *if-merge-request-labels-as-if-foss
       when: never
@@ -648,6 +660,8 @@
   rules:
     - <<: *if-not-ee
       when: never
+    - <<: *if-jh
+      when: never
     - <<: *if-security-merge-request
       changes: *code-qa-patterns
     - <<: *if-merge-request-labels-as-if-foss
@@ -1378,7 +1392,7 @@
 ################
 # Review rules #
 ################
-.review:rules:review-build-cng:
+.review:rules:review-app-pipeline:
   rules:
     - <<: *if-not-ee
       when: never
@@ -1395,6 +1409,22 @@
       allow_failure: true
     - <<: *if-dot-com-gitlab-org-schedule
 
+.review:rules:review-build-cng:
+  rules:
+    - <<: *if-not-ee
+      when: never
+    - <<: *if-dot-com-gitlab-org-merge-request
+      changes: *ci-review-patterns
+    - <<: *if-dot-com-gitlab-org-merge-request
+      changes: *frontend-patterns
+    - <<: *if-dot-com-gitlab-org-merge-request
+      changes: *code-patterns
+      allow_failure: true
+    - <<: *if-dot-com-gitlab-org-merge-request
+      changes: *qa-patterns
+      allow_failure: true
+    - <<: *if-dot-com-gitlab-org-schedule
+
 .review:rules:review-deploy:
   rules:
     - <<: *if-not-ee
@@ -1597,6 +1627,8 @@
   rules:
     - <<: *if-not-ee
       when: never
+    - <<: *if-jh
+      when: never
     - <<: *if-merge-request-labels-as-if-jh
     - <<: *if-merge-request-labels-run-all-rspec
     - changes: *code-backstage-qa-patterns