diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2024-01-18 21:08:43 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2024-01-18 21:08:43 +0300 |
| commit | 055b4c04d5cef7029625c08619df4f3bcdccc6c2 (patch) | |
| tree | 4a363915e4878c17f5a6ffef6010a4bf0e3b8b76 | |
| parent | 85f1126ea6f09296e4e5106d7d8319e93aeedf3c (diff) | |
Add latest changes from gitlab-org/gitlab@master
45 files changed, 478 insertions, 214 deletions
diff --git a/app/assets/javascripts/vue_merge_request_widget/mr_widget_options.vue b/app/assets/javascripts/vue_merge_request_widget/mr_widget_options.vue index e2f301b1911..d5424179ba6 100644 --- a/app/assets/javascripts/vue_merge_request_widget/mr_widget_options.vue +++ b/app/assets/javascripts/vue_merge_request_widget/mr_widget_options.vue @@ -263,12 +263,16 @@ export default { 'merged', 'closed', 'merging', - 'autoMergeEnabled', 'shaMismatch', - ].includes(this.mr.state) || ['MERGING', 'AUTO_MERGE'].includes(this.mr.machineValue) + ].includes(this.mr.state) || this.mr.machineValue === 'MERGING' ) ); }, + autoMergeStateVisible() { + if (!window.gon?.features?.mergeBlockedComponent) return false; + + return this.mr.state === 'autoMergeEnabled' || this.mr.machineValue === 'AUTO_MERGE'; + }, }, watch: { 'mr.machineValue': { @@ -577,6 +581,12 @@ export default { </div> <div class="mr-widget-section" data-testid="mr-widget-content"> + <mr-widget-auto-merge-enabled + v-if="autoMergeStateVisible" + :mr="mr" + :service="service" + class="gl-border-b-1 gl-border-b-solid gl-border-gray-100" + /> <merge-checks v-if="mergeBlockedComponentEnabled" :mr="mr" :service="service" /> <component :is="componentName" v-else :mr="mr" :service="service" /> <ready-to-merge diff --git a/app/helpers/registrations_helper.rb b/app/helpers/registrations_helper.rb index 12f7bd41968..4ac14894057 100644 --- a/app/helpers/registrations_helper.rb +++ b/app/helpers/registrations_helper.rb @@ -12,7 +12,7 @@ module RegistrationsHelper end # overridden in EE - def oauth_tracking_label; end + def registration_tracking_label; end # overridden in EE def register_omniauth_params(_local_assigns) diff --git a/app/models/ci/catalog/resources/version.rb b/app/models/ci/catalog/resources/version.rb index 0ea2735b030..47c6612f726 100644 --- a/app/models/ci/catalog/resources/version.rb +++ b/app/models/ci/catalog/resources/version.rb @@ -29,6 +29,7 @@ module Ci delegate :sha, :released_at, :author_id, to: :release + before_create :sync_with_release after_destroy :update_catalog_resource after_save :update_catalog_resource @@ -131,8 +132,19 @@ module Ci project.repository.tree(sha).readme end + def sync_with_release! + sync_with_release + save! + end + private + # This column is denormalized from `releases`. It is first synced when a new version + # is created. Any updates to the column are synced via Release model callback. + def sync_with_release + self.released_at = release.released_at + end + def update_catalog_resource catalog_resource.update_latest_released_at! end diff --git a/app/models/release.rb b/app/models/release.rb index 7bacc69f038..6f32b0e50d5 100644 --- a/app/models/release.rb +++ b/app/models/release.rb @@ -25,8 +25,7 @@ class Release < ApplicationRecord accepts_nested_attributes_for :links, allow_destroy: true before_create :set_released_at - # TODO: Remove this callback after catalog_resource.released_at is denormalized. See https://gitlab.com/gitlab-org/gitlab/-/issues/430117. - after_update :update_catalog_resource, if: -> { project.catalog_resource && saved_change_to_released_at? } + after_update :update_catalog_resource_version, if: -> { catalog_resource_version && saved_change_to_released_at? } after_destroy :update_catalog_resource, if: -> { project.catalog_resource } validates :project, :tag, presence: true @@ -184,6 +183,10 @@ class Release < ApplicationRecord end end + def update_catalog_resource_version + catalog_resource_version.sync_with_release! + end + def update_catalog_resource project.catalog_resource.update_latest_released_at! end diff --git a/app/validators/json_schemas/security_ci_configuration_schemas/sast_ui_schema.json b/app/validators/json_schemas/security_ci_configuration_schemas/sast_ui_schema.json index 9cfb62d4439..fe263a55958 100644 --- a/app/validators/json_schemas/security_ci_configuration_schemas/sast_ui_schema.json +++ b/app/validators/json_schemas/security_ci_configuration_schemas/sast_ui_schema.json @@ -12,7 +12,7 @@ }, { "field": "SAST_EXCLUDED_PATHS", - "label": "Excluded Paths", + "label": "Excluded paths", "type": "string", "default_value": "", "value": "", @@ -32,12 +32,12 @@ }, { "field": "SEARCH_MAX_DEPTH", - "label": "Search Maximum Depth", + "label": "Search maximum depth", "type": "string", "default_value": "", "value": "", "size": "SMALL", - "description": "Specifies the number of directory levels to be included in the repository search phase during SAST analysis. SAST scanner searches through the repository to detect the programming languages used and selects the corresponding analyzers. After that, the entire repository is analyzed." + "description": "Specifies the number of directory levels searched to identify programming languages and frameworks. This determines which analyzers to run against the entire repository." } ], "analyzers": [ diff --git a/app/views/devise/registrations/new.html.haml b/app/views/devise/registrations/new.html.haml index ec85c680f7f..c176f96db25 100644 --- a/app/views/devise/registrations/new.html.haml +++ b/app/views/devise/registrations/new.html.haml @@ -14,5 +14,6 @@ = render 'devise/shared/signup_box', url: registration_path(resource_name, registration_path_params), button_text: _('Register'), - show_omniauth_providers: omniauth_enabled? && button_based_providers_enabled? + show_omniauth_providers: omniauth_enabled? && button_based_providers_enabled?, + tracking_label: registration_tracking_label = render 'devise/shared/sign_in_link' diff --git a/app/views/devise/shared/_signup_box.html.haml b/app/views/devise/shared/_signup_box.html.haml index 9eb0b773ebb..b875d245fec 100644 --- a/app/views/devise/shared/_signup_box.html.haml +++ b/app/views/devise/shared/_signup_box.html.haml @@ -4,4 +4,5 @@ = render 'devise/shared/signup_box_form', button_text: button_text, url: url, - show_omniauth_providers: omniauth_enabled? && button_based_providers_enabled? + show_omniauth_providers: omniauth_enabled? && button_based_providers_enabled?, + tracking_label: tracking_label diff --git a/app/views/devise/shared/_signup_box_form.html.haml b/app/views/devise/shared/_signup_box_form.html.haml index 2920aeecce0..772b981db4d 100644 --- a/app/views/devise/shared/_signup_box_form.html.haml +++ b/app/views/devise/shared/_signup_box_form.html.haml @@ -73,7 +73,7 @@ - elsif show_recaptcha_sign_up? = recaptcha_tags nonce: content_security_policy_nonce - = render Pajamas::ButtonComponent.new(type: :submit, variant: :confirm, block: true, button_options: { data: { testid: 'new-user-register-button' }}) do + = render Pajamas::ButtonComponent.new(type: :submit, variant: :confirm, block: true, button_options: { data: { testid: 'new-user-register-button', track_action: 'register', track_label: tracking_label }}) do = button_text = render 'devise/shared/terms_of_service_notice', button_text: button_text diff --git a/app/views/devise/shared/_signup_omniauth_providers.haml b/app/views/devise/shared/_signup_omniauth_providers.haml index 263e11ab341..aa80f0af32d 100644 --- a/app/views/devise/shared/_signup_omniauth_providers.haml +++ b/app/views/devise/shared/_signup_omniauth_providers.haml @@ -1,3 +1,3 @@ = render 'devise/shared/signup_omniauth_provider_list', providers: enabled_button_based_providers, - tracking_label: oauth_tracking_label + tracking_label: registration_tracking_label diff --git a/data/whats_new/202401180001_16_8.yml b/data/whats_new/202401180001_16_8.yml new file mode 100644 index 00000000000..7869f12e4a8 --- /dev/null +++ b/data/whats_new/202401180001_16_8.yml @@ -0,0 +1,85 @@ +- name: GCP Secret Manager support + description: | + Secrets stored in GCP Secrets Manager can now be easily retrieved and used in CI/CD jobs. Our new integration simplifies the process of interacting with GCP Secrets Manager through GitLab CI/CD, helping you streamline your build and deploy processes! This is just one of the many ways [GitLab and Google Cloud are better together](https://about.gitlab.com/blog/2023/08/29/gitlab-google-partnership-s3c/)! + stage: Verify + self-managed: true + gitlab-com: true + available_in: [Premium, Ultimate] + documentation_link: https://docs.gitlab.com/ee/ci/secrets/gcp_secret_manager.html + image_url: https://about.gitlab.com/images/16_8/gcp_secrets_mgr.png + published_at: 2024-01-18 + release: 16.8 + +- name: Speed up your builds with the Maven dependency proxy + description: | + A typical software project relies on a variety of dependencies, which we call packages. Packages can be internally built and maintained, or sourced from a public repository. Based on our user research, we've learned that most projects use a 50/50 mix of public and private packages. Package installation order is very important, as using an incorrect package version can introduce breaking changes and security vulnerabilities into your pipelines. + + Now you can add one external Java repository to your GitLab project. After adding it, when you install a package using the dependency proxy, GitLab first checks for the package in the project. If it's not found, GitLab then attempts to pull the package from the external repository. + + When a package is pulled from the external repository, it's imported into the GitLab project. The next time that particular package is pulled, it's pulled from GitLab and not the external repository. Even if the external repository is having connectivity issues and the package is present in the dependency proxy, pulling the package still works, making your pipelines faster and more reliable. + + If the package changes in the external repository (for example, a user deletes a version and publishes a new one with different files) the dependency proxy detects it. It invalidates the package, so GitLab pulls the newer one. This ensures the correct packages are downloaded, and helps reduce security vulnerabilities. + stage: Package + self-managed: true + gitlab-com: true + available_in: [Premium, Ultimate] + documentation_link: https://docs.gitlab.com/ee/user/packages/package_registry/dependency_proxy/ + image_url: https://img.youtube.com/vi/9NPTXObsSrE/hqdefault.jpg + published_at: 2024-01-18 + release: 16.8 + +- name: Workspaces are now generally available + description: | + We're thrilled to share that workspaces are now generally available and ready to improve your developer efficiency! + + By creating secure, on-demand remote development environments, you can reduce the time you spend managing dependencies and onboarding new developers and focus on delivering value faster. With our platform-agnostic approach, you can use your existing cloud infrastructure to host your workspaces and keep your data private and secure. + + Since their introduction in GitLab 16.0, workspaces have received improvements to error handling and reconciliation, support for private projects and SSH connections, additional configuration options, and a new administrator interface. These improvements mean that workspaces are now more flexible, more resilient, and more easily managed at scale. + stage: Create + self-managed: true + gitlab-com: true + available_in: [Premium, Ultimate] + documentation_link: https://docs.gitlab.com/ee/user/workspace/ + image_url: https://about.gitlab.com/images/16_8/workspaces-ga.png + published_at: 2024-01-18 + release: 16.8 + +- name: Enforce 2FA for GitLab administrators + description: | + You can now enforce whether GitLab administrators are required to use two-factor authentication (2FA) in their self-managed instance. It is good security practice to use 2FA for all accounts, especially for privileged accounts like administrators. If this setting is enforced, and an administrator does not already use 2FA, they must set 2FA up on their next sign-in. + stage: Govern + self-managed: true + gitlab-com: false + available_in: [Free, Premium, Ultimate] + documentation_link: https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-administrator-users + image_url: https://img.youtube.com/vi/fHleeXzoB6k/hqdefault.jpg + published_at: 2024-01-18 + release: 16.8 + +- name: Deeper insights into velocity in the Issue Analytics report + description: | + The **Issue Analytics** report now contains information on the number of closed issues in a month to allow for a detailed velocity analysis. With this valuable addition, GitLab users can now gain insights into trends associated with their projects, and improve the overall turn-around time and value delivered to their customers. The **Issue Analytics** visualization contains a bar chart with the number of issues for each month, with a default time span of 13 months. You can access this chart from the drill-down in the [Value Streams Dashboard](https://docs.gitlab.com/ee/user/analytics/value_streams_dashboard.html#dashboard-metrics-and-drill-down-reports). + stage: Plan + self-managed: true + gitlab-com: true + available_in: [Ultimate] + documentation_link: https://docs.gitlab.com/ee/user/group/issues_analytics/index.html + image_url: https://about.gitlab.com/images/16_8/closed_issues_analytics.png + published_at: 2024-01-18 + release: 16.8 + +- name: New organization-level DevOps view with DORA-based industry benchmarks + description: | + We added a new **DORA Performers score** panel to the [Value Streams Dashboard](https://www.youtube.com/watch?v=EA9Sbks27g4) to visualize the status of the organization's DevOps performance across different projects. This new visualization displays a breakdown of the DORA score (high, medium, or low) so that executives can understand the organization's DevOps health top to bottom. + + The [four DORA metrics](https://about.gitlab.com/solutions/value-stream-management/dora/#overview) are available out-of-the-box in GitLab, and now with the new DORA scores organizations can compare their DevOps performance against [industry benchmarks](https://dora.dev/) or peers. This benchmarking helps executives understand where they stand in relation to others, and identify best practices or areas where they might be lagging behind. + + To help us improve the Value Streams Dashboard, please share feedback about your experience in this [survey](https://gitlab.fra1.qualtrics.com/jfe/form/SV_50guMGNU2HhLeT4). + stage: Plan + self-managed: true + gitlab-com: true + available_in: [Ultimate] + documentation_link: https://docs.gitlab.com/ee/user/analytics/value_streams_dashboard.html#dora-performers-score-panel + image_url: https://about.gitlab.com/images/16_8/16.8_vsd_dora.png + published_at: 2024-01-18 + release: 16.8 diff --git a/doc/administration/index.md b/doc/administration/index.md index fcda1c4b413..4b98999fb6d 100644 --- a/doc/administration/index.md +++ b/doc/administration/index.md @@ -9,12 +9,10 @@ description: 'Learn how to install, configure, update, and maintain your GitLab Learn how to administer a self-managed GitLab instance. -- [Get started](../administration/get_started.md) -- [All feature flags](../user/feature_flags.md) -- [Configure your installation](../administration/configure.md) -- [Configure GitLab Dedicated](../administration/dedicated/index.md) -- [Maintain your installation](../administration/operations/index.md) -- [Secure your installation](../security/index.md) -- [Administer users](../user/profile/account/create_accounts.md) +| | | | +|--|--|--| +| [**Get started**](../administration/get_started.md) **{chevron-right}**<br><br>Administration overview. | [**All feature flags**](../user/feature_flags.md) **{chevron-right}**<br><br>Complete list of flags. | [**Authentication and authorization**](../administration/auth/index.md) **{chevron-right}**<br><br>Third-party authentication providers. | +| [**Configure your installation**](../administration/configure.md) **{chevron-right}**<br><br>Installation settings. | [**Update your Admin Area settings**](../administration/settings/index.md) **{chevron-right}**<br><br>Product settings. | [**Configure GitLab Dedicated**](../administration/dedicated/index.md) **{chevron-right}**<br><br>IP allowlists, SAML, maintenance. | +| [**Maintain your installation**](../administration/operations/index.md) **{chevron-right}**<br><br>Backup and restore, move repos, maintenance tasks. | [**Secure your application**](../user/application_security/secure_your_application.md) **{chevron-right}**<br><br>SSH key limits, 2FA, tokens, hardening. | [**Administer users**](../user/profile/account/create_accounts.md) **{chevron-right}**<br><br>Passwords, user moderation, broadcast messages. | Only GitLab team members have access to administration tools and settings on GitLab.com. diff --git a/doc/architecture/blueprints/permissions/index.md b/doc/architecture/blueprints/permissions/index.md index c131c372550..ced320f5257 100644 --- a/doc/architecture/blueprints/permissions/index.md +++ b/doc/architecture/blueprints/permissions/index.md @@ -17,7 +17,7 @@ static [role-based access control system](../../../user/permissions.md#roles). In %15.9, we [announced](https://about.gitlab.com/blog/2023/03/08/expanding-guest-capabilities-in-gitlab-ultimate/) a customer MVC of the custom roles feature. The MVC introduced the ability to -add one single permission (`read_code`) to a custom role based on a standard +add one single permission (`read_code`) to a custom role based on a default GitLab Guest role. The MVC was [implemented](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/106256) by taking an existing permission from the GitLab authorization framework and enabling it if a custom role has it set to `true`. @@ -42,7 +42,7 @@ a path for addressing them. ## What are custom roles? -Our permissions system supports 6 pre-defined roles (Guest, Reporter, Developer, Maintainer, Owner) and users are assigned to per project or group, they can't be modified. Custom roles should solve the problem that our current system is static. +Our permissions system supports six default roles (Guest, Reporter, Developer, Maintainer, Owner) and users are assigned to per project or group, they can't be modified. Custom roles should solve the problem that our current system is static. With custom roles, customers can define their own roles and give them permissions they want to. For every role they create they can assign set of permissions. For example, a newly created role "Engineer" could have `read code` and `admin merge requests` enabled but abilities such as `admin issues` disabled. @@ -139,7 +139,7 @@ Cons: - Maintaining 2 systems - Each new "regular" permission added needs a parallel addition to the custom roles system. This makes it difficult to have feature parity between - custom roles and static roles. + custom roles and default roles. - Replacing our existing RBAC system with custom roles (an eventual goal of the custom roles feature) is more difficult with this approach because it requires retiring the legacy permissions system. @@ -157,16 +157,16 @@ Cons: enable granular access. - Each new "regular" permission added needs a parallel addition to the bundled permissions for custom roles. This makes it difficult to have feature - parity between custom roles and static roles. + parity between custom roles and default roles. ## Glossary - **RBAC**: Role-based access control; "a method of restricting network access based on the roles of individual users." RBAC is the method of access control that GitLab uses. -- **Static roles**: the 5 categories that GitLab users can be grouped into: Guest, +- **Default roles**: the 5 categories that GitLab users can be grouped into: Guest, Reporter, Developer, Maintainer, Owner ([documentation](../../../user/permissions.md#roles)). - A static role can be thought of as a group of permissions. + A default role can be thought of as a group of permissions. - **Declarative Policy**: [code library](https://gitlab.com/gitlab-org/ruby/gems/declarative-policy/) used by GitLab to define our authorization logic. - **Permissions**: a specific ability that a user with a Role has. For example, a @@ -175,7 +175,7 @@ Cons: represents a "permission" but these may not have a 1:1 mapping with a Declarative Policy [ability](https://gitlab.com/gitlab-org/ruby/gems/declarative-policy/-/blob/main/doc/defining-policies.md#invocation). An ability is how permissions are represented in the GitLab codebase. -- **Access level**: integer value representing a static role, used for determining access and calculating inherited user access in group hierarchies ([documentation](../../../api/access_requests.md#valid-access-levels)). +- **Access level**: integer value representing a default role, used for determining access and calculating inherited user access in group hierarchies ([documentation](../../../api/access_requests.md#valid-access-levels)). ## Resources diff --git a/doc/ci/runners/index.md b/doc/ci/runners/index.md index bfb30a36be2..7fb7db3d829 100644 --- a/doc/ci/runners/index.md +++ b/doc/ci/runners/index.md @@ -38,6 +38,12 @@ When you use SaaS runners: NOTE: Jobs handled by SaaS runners on GitLab.com **time out after 3 hours**, regardless of the timeout configured in a project. +## Release cycle for SaaS runner + +We aim to update to the latest version of [GitLab Runner](https://docs.gitlab.com/runner/#gitlab-runner-versions) within a week of its release. + +You can find all GitLab Runner breaking changes under [Deprecations and removals](../../update/deprecations.md). + ## Security for SaaS runners GitLab SaaS runners on Linux and Windows run on Google Compute Platform. @@ -71,7 +77,7 @@ takes over the task of securely deleting the virtual machine and associated data ## Supported image lifecycle -For runners on macOS and Windows, you can only run jobs on supported images. You cannot bring your own image. Supported images have the following lifecycle: +SaaS runners on macOS and Windows can only run jobs on supported images. You cannot bring your own image. Supported images have the following lifecycle: - Beta - Generally Available @@ -100,33 +106,3 @@ Jobs running on GA images are covered by the defined service-level agreement. Ov A maximum of two Generally Available (GA) images are supported at a time. After a new GA image is released, the oldest GA image becomes deprecated. A deprecated image is no longer updated and is deleted after 3 months in accordance with the [deprecation guidelines](../../development/deprecation_guidelines/index.md). - -## Major version changes (breaking) - -As GitLab CI/CD and Runner have evolved, certain breaking changes have been necessary. - -For GitLab 15.0 and later, all breaking changes are documented on the following page: - -- [Deprecations and removals](../../update/deprecations.md) - -The breaking changes for GitLab Runner in earlier major version releases are: - -- 14.0: No breaking changes. -- 13.0: - - [Remove Backported `os.Expand`](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4915). - - [Remove Fedora 29 package support](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/16158). - - [Remove macOS 32-bit support](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/25466). - - [Removed `debug/jobs/list?v=1` endpoint](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/6361). - - [Remove support for array of strings when defining services for Docker executor](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4922). - - [Remove `--docker-services` flag on register command](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/6404). - - [Remove legacy build directory caching](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4180). - - [Remove `FF_USE_LEGACY_VOLUMES_MOUNTING_ORDER` feature flag](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/6581). - - [Remove support for Windows Server 1803](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/6553). -- 12.0: - - [Use `refspec` to clone/fetch Git repository](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4069). - - [Old cache configuration](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4070). - - [Old metrics server configuration](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4072). - - [Remove `FF_K8S_USE_ENTRYPOINT_OVER_COMMAND`](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4073). - - [Remove Linux distributions that reach EOL](https://gitlab.com/gitlab-org/gitlab-runner/-/merge_requests/1130). - - [Update command line API for helper images](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4013). - - [Remove old `git clean` flow](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4175). diff --git a/doc/ci/runners/saas/macos_saas_runner.md b/doc/ci/runners/saas/macos_saas_runner.md index 0251c523864..d48e542699e 100644 --- a/doc/ci/runners/saas/macos_saas_runner.md +++ b/doc/ci/runners/saas/macos_saas_runner.md @@ -45,14 +45,12 @@ If no image is specified, the macOS runner uses `macos-13-xcode-14`. ## Image update policy for macOS -macOS and Xcode follow a yearly release cadence, during which GitLab increments its versions synchronously. GitLab typically supports multiple versions of preinstalled tools. For more information, see the [full list of preinstalled software](https://gitlab.com/gitlab-org/ci-cd/shared-runners/images/job-images/-/tree/main/toolchain). +The images and installed components are updated with each GitLab release, to keep the preinstalled software up-to-date. GitLab typically supports multiple versions of preinstalled software. For more information, see the [full list of preinstalled software](https://gitlab.com/gitlab-org/ci-cd/shared-runners/images/job-images/-/tree/main/toolchain). -When Apple releases a new macOS version, GitLab releases a new `stable` image based on the OS in the next release, -which is in Beta. +Major and minor releases of macOS and Xcode, are made available within two weeks of Apple's release. -With the release of the first patch to macOS, the `stable` image becomes Generally Available (GA). As only two GA images are supported at a time, the prior OS version becomes deprecated and is deleted after three months in accordance with the [supported image lifecycle](../index.md#supported-image-lifecycle). - -The `stable` images and installed components are updated every release, to keep the preinstalled software up-to-date. +A new major release image is initially made available as Beta, and becomes Generally Available (GA) with the release of the first minor release. +Because only two GA images are supported at a time, the oldest image becomes deprecated and will be removed after three months according to the [supported image lifecycle](../index.md#supported-image-lifecycle). ## Example `.gitlab-ci.yml` file diff --git a/doc/ci/runners/saas/windows_saas_runner.md b/doc/ci/runners/saas/windows_saas_runner.md index fd1d5ba1ab7..8fd502e8a3d 100644 --- a/doc/ci/runners/saas/windows_saas_runner.md +++ b/doc/ci/runners/saas/windows_saas_runner.md @@ -10,8 +10,7 @@ SaaS runner on Windows autoscale by launching virtual machines on the Google Cloud Platform. This solution uses an [autoscaling driver](https://gitlab.com/gitlab-org/ci-cd/custom-executor-drivers/autoscaler/-/blob/main/docs/README.md) developed by GitLab for the [custom executor](https://docs.gitlab.com/runner/executors/custom.html). - -These SaaS runners are in [Beta](../../../policy/experiment-beta-support.md#beta) +SaaS runners on Windows are in [Beta](../../../policy/experiment-beta-support.md#beta) and aren't recommended for production workloads. We want to keep iterating to get Windows runners in a stable state and @@ -21,27 +20,27 @@ You can follow our work towards this goal in the ## Machine types available for Windows -| Runner Tag | vCPUs | Memory | Storage | -| ---------------------- | ----- | ------ | ------- | -| `shared-windows` | 2 | 7.5 GB | 75 GB | +| Runner Tag | vCPUs | Memory | Storage | +| --------------------------- | ----- | ------ | ------- | +| `saas-windows-medium-amd64` | 2 | 7.5 GB | 75 GB | ## Supported Windows versions The Windows runner virtual machine instances do not use the GitLab Docker executor. This means that you can't specify [`image`](../../../ci/yaml/index.md#image) or [`services`](../../../ci/yaml/index.md#services) in your pipeline configuration. -Instead you have to select the [`tags`](../../../ci/yaml/index.md#tags) for the desired Windows version. You can execute your job in one of the following Windows versions: -| Version tag | Status | -|----------------|---------------| -| `windows-1809` | `Beta` | +| Version | Status | +|--------------|---------------| +| Windows 2022 | `Beta` | +| Windows 2019 | `Deprecated` (Removal in 17.0) | You can find a full list of available pre-installed software in the [pre-installed software documentation](https://gitlab.com/gitlab-org/ci-cd/shared-runners/images/gcp/windows-containers/blob/main/cookbooks/preinstalled-software/README.md). NOTE: -Each time you run a job that requires tooling or dependencies not available in the base image, those components must be installed to the newly provisioned VM increasing the total job duration. +We are only supporting a single version of Windows at this time. ## Supported shell @@ -53,29 +52,24 @@ The `script` section of your `.gitlab-ci.yml` file therefore requires PowerShell Below is a sample `.gitlab-ci.yml` file that shows how to start using the runners for Windows: ```yaml -.shared_windows_runners: +.windows_job: tags: - - shared-windows - - windows-1809 + - saas-windows-medium-amd64 before_script: - Set-Variable -Name "time" -Value (date -Format "%H:%m") - echo ${time} - echo "started by ${GITLAB_USER_NAME}" -stages: - - build - - test - build: extends: - - .shared_windows_runners + - .windows_job stage: build script: - echo "running scripts in the build job" test: extends: - - .shared_windows_runners + - .windows_job stage: test script: - echo "running scripts in the test job" diff --git a/doc/development/documentation/styleguide/word_list.md b/doc/development/documentation/styleguide/word_list.md index 2160c01247d..2185d77e056 100644 --- a/doc/development/documentation/styleguide/word_list.md +++ b/doc/development/documentation/styleguide/word_list.md @@ -604,6 +604,10 @@ Instead of: Do not use **e-mail** with a hyphen. When plural, use **emails** or **email messages**. ([Vale](../testing.md#vale) rule: [`SubstitutionSuggestions.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/.vale/gitlab/SubstitutionSuggestions.yml)) +## email address + +Use **email address** when referring to addresses used in emails. Do not shorten to **email**, which are messages. + ## emoji Use **emoji** to refer to the plural form of **emoji**. @@ -984,6 +988,11 @@ Thereafter, use **Issue description generation** by itself. Use lowercase for **issue weights**. +## IP address + +Use **IP address** when refering to addresses used with Internet Protocal (IP). Do not refer to an IP address as an +**IP**. + ## it When you use the word **it**, ensure the word it refers to is obvious. diff --git a/doc/development/permissions/custom_roles.md b/doc/development/permissions/custom_roles.md index b8f6eba3340..7a0d325d09a 100644 --- a/doc/development/permissions/custom_roles.md +++ b/doc/development/permissions/custom_roles.md @@ -15,16 +15,16 @@ In this context, the terms "permission" and "ability" are often used interchange - "Ability" is an action a user can do. These map to [Declarative Policy abilities](https://gitlab.com/gitlab-org/ruby/gems/declarative-policy/-/blob/main/doc/defining-policies.md#rules) and live in Policy classes in `ee/app/policies/*`. - "Permission" is how we refer to an ability [in user-facing documentation](../../user/permissions.md). The documentation of permissions is manually generated so there is not necessarily a 1:1 mapping of the permissions listed in documentation and the abilities defined in Policy classes. -## Custom roles vs static roles +## Custom roles vs default roles -In GitLab 15.9 and earlier, GitLab only had [static roles](predefined_roles.md) as a permission system. In this system, there are a few predefined roles that are statically assigned to certain abilities. These static roles are not customizable by customers. +In GitLab 15.9 and earlier, GitLab only had [default roles](predefined_roles.md) as a permission system. In this system, there are a few predefined roles that are statically assigned to certain abilities. These default roles are not customizable by customers. With custom roles, the customers can decide which abilities they want to assign to certain user groups. For example: -- In the static role system, reading of vulnerabilities is limited to a Developer role. -- In the custom role system, a customer can assign this ability to a new custom role based on any static role. +- In the default role system, reading of vulnerabilities is limited to a Developer role. +- In the custom role system, a customer can assign this ability to a new custom role based on any default role. -Like static roles, custom roles are [inherited](../../user/project/members/index.md#inherited-membership) within a group hierarchy. If a user has custom role for a group, that user will also have a custom role for any projects or subgroups within the group. +Like default roles, custom roles are [inherited](../../user/project/members/index.md#inherited-membership) within a group hierarchy. If a user has custom role for a group, that user will also have a custom role for any projects or subgroups within the group. ## Technical overview @@ -34,7 +34,7 @@ Like static roles, custom roles are [inherited](../../user/project/members/index - A Group or project membership can be associated with any custom role that is defined on the root-level group of the group or project. - The `member_roles` table includes individual permissions and a `base_access_level` value. - The `base_access_level` must be a [valid access level](../../api/access_requests.md#valid-access-levels). - The `base_access_level` determines which abilities are included in the custom role. For example, if the `base_access_level` is `10`, the custom role will include any abilities that a static Guest role would receive, plus any additional abilities that are enabled by the `member_roles` record by setting an attribute, such as `read_code`, to true. + The `base_access_level` determines which abilities are included in the custom role. For example, if the `base_access_level` is `10`, the custom role will include any abilities that a default Guest role would receive, plus any additional abilities that are enabled by the `member_roles` record by setting an attribute, such as `read_code`, to true. - A custom role can enable additional abilities for a `base_access_level` but it cannot disable a permission. As a result, custom roles are "additive only". The rationale for this choice is [in this comment](https://gitlab.com/gitlab-org/gitlab/-/issues/352891#note_1059561579). - Custom role abilities are supported at project level and group level. diff --git a/doc/security/index.md b/doc/security/index.md index ffc436e4286..42681709e93 100644 --- a/doc/security/index.md +++ b/doc/security/index.md @@ -7,27 +7,62 @@ info: To determine the technical writer assigned to the Stage/Group associated w # Secure your installation **(FREE ALL)** -- [Passwords and OAuth tokens storage](password_storage.md) -- [Password length limits](password_length_limits.md) -- [Generated passwords for users created through integrated authentication](passwords_for_integrated_authentication_methods.md) -- [Restrict SSH key technologies and minimum length](ssh_keys_restrictions.md) -- [Rate limits](rate_limits.md) -- [Filtering outbound requests](webhooks.md) -- [Information exclusivity](information_exclusivity.md) -- [Reset user password](reset_user_password.md) -- [Unlock a locked user](unlock_user.md) -- [User File Uploads](user_file_uploads.md) -- [How we manage the CRIME vulnerability](crime_vulnerability.md) -- [Enforce Two-factor authentication](two_factor_authentication.md) +## General Information + +This section covers some general information and recommendations regarding the platform. + +- [How passwords and OAuth tokens are stored](password_storage.md). +- [How passwords for users created through integrated authentication are generated](passwords_for_integrated_authentication_methods.md). +- [How we manage the CRIME vulnerability](crime_vulnerability.md). +- [Secrets for third-party integrations should be rotated regularly](rotate_integrations_secrets.md). + +## Recommendations + +The [Hardening Guide](hardening.md) contains additional general recommendations that can be implemented for hardening an install. + +### User Accounts + +- [Review authentication options](../administration/auth/index.md). +- [Configure password length limits](password_length_limits.md). +- [Restrict SSH key technologies and require minimum key lengths](ssh_keys_restrictions.md). +- [Restrict account creation with sign up restrictions](../administration/settings/sign_up_restrictions.md). - [Send email confirmation on sign-up](user_email_confirmation.md) -- [Security of running jobs](https://docs.gitlab.com/runner/security/) -- [Proxying images](asset_proxy.md) -- [CI/CD variables](../ci/variables/index.md#cicd-variable-security) -- [Token overview](token_overview.md) -- [Rotate secrets of third-party integrations](rotate_integrations_secrets.md) -- [Maximum decompressed file size for imported archives](../administration/settings/import_and_export_settings.md#maximum-decompressed-file-size-for-imported-archives) -- [Responding to security incidents](responding_to_security_incidents.md) +- [Enforce two-factor authentication](two_factor_authentication.md) to require users to [enable two-factor authentication](../user/profile/account/two_factor_authentication.md). +- [Restrict logins from multiple IPs](../administration/reporting/ip_addr_restrictions.md). +- [How to reset a user password](reset_user_password.md). +- [How to unlock a locked user](unlock_user.md). + +### Data Access + +- [Information exclusivity](information_exclusivity.md). +- [Protecting and removing user file uploads](user_file_uploads.md). +- [Proxying linked images for user privacy](asset_proxy.md). -To harden your GitLab instance and minimize the risk of unwanted user account creation, consider access control features like [Sign up restrictions](../administration/settings/sign_up_restrictions.md) and [Authentication options](../administration/auth/index.md). For more detailed information, refer to [Hardening](hardening.md). +### Platform Usage & Settings + +- [Review GitLab token type and usages](token_overview.md). +- [How to configure rate limits improve security and availability](rate_limits.md). +- [How to filter outbound webhook requests](webhooks.md). +- [How to configure import and export limits and timeouts](../administration/settings/import_and_export_settings.md). +- [Review Runner security considerations and recommendations](https://docs.gitlab.com/runner/security/). +- [Review CI/CD variables security considerations](../ci/variables/index.md#cicd-variable-security). +- [Review pipeline security for usage and protection of secrets in CI/CD Pipelines](../ci/pipelines/pipeline_security.md). + +### Patching Self-managed GitLab customers and administrators are responsible for the security of their underlying hosts, and for keeping GitLab itself up to date. It is important to [regularly patch GitLab](../policy/maintenance.md), patch your operating system and its software, and harden your hosts in accordance with vendor guidance. + +## Monitoring + +### Logs + +- [Review the log types and contents produced by GitLab](../administration/logs/index.md). +- [Review Runner job logs information](../administration/job_logs.md). +- [How to use correlation ID to trace logs](../administration/logs/tracing_correlation_id.md). +- [Logging configuration and access](https://docs.gitlab.com/omnibus/settings/logs.html). +- [How to configure Audit Event Streaming](../administration/audit_event_streaming/index.md). +- [Providing assistance to GitLab.com customers during customer-based security incidents](https://handbook.gitlab.com/handbook/security/customer-requests/#conditions-and-requirements). + +## Response + +- [Responding to security incidents](responding_to_security_incidents.md). diff --git a/doc/user/permissions.md b/doc/user/permissions.md index 84e9533f725..36e1ae1e0c8 100644 --- a/doc/user/permissions.md +++ b/doc/user/permissions.md @@ -16,10 +16,11 @@ GitLab [administrators](../administration/index.md) have all permissions. ## Roles -The available roles are: +You can assign users a default role or a [custom role](custom_roles.md). + +The available default roles are: - Guest (This role applies to [private and internal projects](../user/public_access.md) only.) -- [Custom](custom_roles.md) - Reporter - Developer - Maintainer diff --git a/doc/user/project/repository/branches/index.md b/doc/user/project/repository/branches/index.md index d6bcae57322..5efa834d74a 100644 --- a/doc/user/project/repository/branches/index.md +++ b/doc/user/project/repository/branches/index.md @@ -121,6 +121,9 @@ To view and manage your branches in the GitLab user interface: On this page, you can: - See all branches, or filter to see only active or stale branches. + + A branch is considered active if a commit has been made to it in the last three months. + Otherwise it is considered stale. - Create new branches. - [Compare branches](#compare-branches). - Delete merged branches. diff --git a/lib/backup/manager.rb b/lib/backup/manager.rb index 2b3bc85ae6d..a53b82c63b7 100644 --- a/lib/backup/manager.rb +++ b/lib/backup/manager.rb @@ -264,9 +264,17 @@ module Backup def build_backup_information return if @metadata.backup_information + backup_created_at = Time.current + backup_id = if options.backup_id.present? + File.basename(options.backup_id) + else + "#{backup_created_at.strftime('%s_%Y_%m_%d_')}#{Gitlab::VERSION}" + end + @metadata.update( + backup_id: backup_id, db_version: ActiveRecord::Migrator.current_version.to_s, - backup_created_at: Time.current, + backup_created_at: backup_created_at, gitlab_version: Gitlab::VERSION, tar_version: tar_version, installation_type: Gitlab::INSTALLATION_TYPE, @@ -279,10 +287,18 @@ module Backup end def update_backup_information + backup_created_at = Time.current + backup_id = if options.backup_id.present? + File.basename(options.backup_id) + else + "#{backup_created_at.strftime('%s_%Y_%m_%d_')}#{Gitlab::VERSION}" + end + @metadata.update( + backup_id: backup_id, full_backup_id: full_backup_id, db_version: ActiveRecord::Migrator.current_version.to_s, - backup_created_at: Time.current, + backup_created_at: backup_created_at, gitlab_version: Gitlab::VERSION, tar_version: tar_version, installation_type: Gitlab::INSTALLATION_TYPE, @@ -511,7 +527,12 @@ module Backup end def backup_id - if options.backup_id.present? + # Eventually the backup ID should only be fetched from + # backup_information, but we must have a fallback so that older backups + # can still be used. + if backup_information[:backup_id].present? + backup_information[:backup_id] + elsif options.backup_id.present? File.basename(options.backup_id) else "#{backup_information[:backup_created_at].strftime('%s_%Y_%m_%d_')}#{backup_information[:gitlab_version]}" diff --git a/lib/backup/metadata.rb b/lib/backup/metadata.rb index aaee326058b..53d8bb271e4 100644 --- a/lib/backup/metadata.rb +++ b/lib/backup/metadata.rb @@ -28,6 +28,7 @@ module Backup :repositories_paths, # ENV['REPOSITORIES_PATHS'], :skip_repositories_paths, # ENV['SKIP_REPOSITORIES_PATHS'], :repositories_server_side, # Gitlab::Utils.to_boolean(ENV['REPOSITORIES_SERVER_SIDE'], default: false) + :backup_id, # ENV['BACKUP'] or calculated based on backup_created_at and Gitlab::VERSION :full_backup_id, # full_backup_id, keyword_init: true ) diff --git a/lib/gitlab/pagination/keyset/order.rb b/lib/gitlab/pagination/keyset/order.rb index a7faef2fdad..5a44111b7bb 100644 --- a/lib/gitlab/pagination/keyset/order.rb +++ b/lib/gitlab/pagination/keyset/order.rb @@ -103,6 +103,8 @@ module Gitlab nil elsif lower_named_function?(column_definition) field_value.downcase + elsif field_value.is_a?(Array) + field_value else field_value.to_s end diff --git a/locale/gitlab.pot b/locale/gitlab.pot index 7c2c5075ded..2f1b5d0d392 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -15597,6 +15597,9 @@ msgstr "" msgid "DORA4Metrics|This is a lower-bound approximation. Your group has too many issues and MRs to calculate in real time." msgstr "" +msgid "DORA4Metrics|This visualization is not supported for project namespaces." +msgstr "" + msgid "DORA4Metrics|Time to Restore Service" msgstr "" diff --git a/qa/Rakefile b/qa/Rakefile index 9fc1ff2c0cf..d8b5d6d08d6 100644 --- a/qa/Rakefile +++ b/qa/Rakefile @@ -5,8 +5,9 @@ require_relative "qa" Dir['tasks/*.rake'].each { |file| load file } desc "Deletes subgroups within a provided group" -task :delete_subgroups do - QA::Tools::DeleteSubgroups.new.run +task :delete_subgroups, [:delete_before] do |_, args| + args.with_defaults(delete_before: (Date.today - 3).to_s) + QA::Tools::DeleteSubgroups.new(delete_before: args[:delete_before]).run end desc "Initialize GitLab with an access token" @@ -50,8 +51,9 @@ task :delete_test_ssh_keys, [:title_portion, :delete_before, :dry_run] do |_, ar end desc "Deletes projects directly under the provided group" -task :delete_projects do - QA::Tools::DeleteProjects.new.run +task :delete_projects, [:delete_before] do |_, args| + args.with_defaults(delete_before: (Date.today - 3).to_s) + QA::Tools::DeleteProjects.new(delete_before: args[:delete_before]).run end desc "Deletes test users" diff --git a/qa/qa/tools/delete_projects.rb b/qa/qa/tools/delete_projects.rb index e11ea90dc90..337108f59b4 100644 --- a/qa/qa/tools/delete_projects.rb +++ b/qa/qa/tools/delete_projects.rb @@ -16,16 +16,18 @@ module QA include Support::API include Lib::Project include Lib::Group + include Ci::Helpers - def initialize + def initialize(delete_before: (Date.today - 3).to_s) raise ArgumentError, "Please provide GITLAB_ADDRESS environment variable" unless ENV['GITLAB_ADDRESS'] raise ArgumentError, "Please provide GITLAB_QA_ACCESS_TOKEN environment variable" unless ENV['GITLAB_QA_ACCESS_TOKEN'] @api_client = Runtime::API::Client.new(ENV['GITLAB_ADDRESS'], personal_access_token: ENV['GITLAB_QA_ACCESS_TOKEN']) + @delete_before = Date.parse(delete_before) end def run - $stdout.puts 'Running...' + logger.info("Running...") # Fetch group's id if ENV['CLEANUP_ALL_QA_SANDBOX_GROUPS'] @@ -43,14 +45,17 @@ module QA private def delete_selected_projects(group_id) + return unless group_id + + logger.info("Fetching projects...") projects_head_response = head Runtime::API::Request.new(@api_client, "/groups/#{group_id}/projects", per_page: "100").url total_project_pages = projects_head_response.headers[:x_total_pages] project_ids = fetch_project_ids(group_id, total_project_pages) - $stdout.puts "Number of projects to be deleted: #{project_ids.length}" + logger.info("Number of projects to be deleted: #{project_ids.length}") delete_projects(project_ids, @api_client) unless project_ids.empty? - $stdout.puts "\nDone" + logger.info("\nDone") end def fetch_project_ids(group_id, total_project_pages) @@ -59,7 +64,7 @@ module QA total_project_pages.to_i.times do |page_no| projects_response = get Runtime::API::Request.new(@api_client, "/groups/#{group_id}/projects", page: (page_no + 1).to_s, per_page: "100").url # Do not delete projects that are less than 4 days old (for debugging purposes) - projects_ids.concat(JSON.parse(projects_response.body).select { |project| Date.parse(project["created_at"]) < Date.today - 3 }.pluck("id")) + projects_ids.concat(parse_body(projects_response).select { |project| Date.parse(project[:created_at]) < @delete_before }.pluck(:id)) end projects_ids.uniq diff --git a/qa/qa/tools/delete_subgroups.rb b/qa/qa/tools/delete_subgroups.rb index 35bff409647..c5d5a25f933 100644 --- a/qa/qa/tools/delete_subgroups.rb +++ b/qa/qa/tools/delete_subgroups.rb @@ -23,12 +23,13 @@ module QA include Ci::Helpers include Lib::Group - def initialize + def initialize(delete_before: (Date.today - 3).to_s) raise ArgumentError, "Please provide GITLAB_ADDRESS" unless ENV['GITLAB_ADDRESS'] raise ArgumentError, "Please provide GITLAB_QA_ACCESS_TOKEN" unless ENV['GITLAB_QA_ACCESS_TOKEN'] @api_client = Runtime::API::Client.new(ENV['GITLAB_ADDRESS'], personal_access_token: ENV['GITLAB_QA_ACCESS_TOKEN']) @failed_deletion_attempts = [] + @delete_before = Date.parse(delete_before) end def run @@ -47,7 +48,7 @@ module QA private def delete_subgroups(group_id) - return logger.info('Top level group not found') if group_id.nil? + return unless group_id subgroups = fetch_subgroups(group_id) return logger.info('No subgroups available') if subgroups.empty? @@ -72,8 +73,13 @@ module QA while page_no.present? subgroups_response = get Runtime::API::Request.new(@api_client, api_path, page: page_no, per_page: '100').url - # Do not delete subgroups that are less than 4 days old (for debugging purposes) - subgroups.concat(JSON.parse(subgroups_response.body).select { |subgroup| Date.parse(subgroup["created_at"]) < Date.today - 3 }) + + if subgroups_response.code == HTTP_STATUS_OK + # Do not delete subgroups that are less than 4 days old (for debugging purposes) + subgroups.concat(parse_body(subgroups_response).select { |subgroup| Date.parse(subgroup[:created_at]) < @delete_before }) + else + logger.error("Request for subgroups returned (#{subgroups_response.code}): `#{subgroups_response}` ") + end page_no = subgroups_response.headers[:x_next_page].to_s end @@ -82,7 +88,7 @@ module QA end def subgroup_request(subgroup, **options) - Runtime::API::Request.new(@api_client, "/groups/#{subgroup['id']}", **options).url + Runtime::API::Request.new(@api_client, "/groups/#{subgroup[:id]}", **options).url end def process_response_and_subgroup(response, subgroup, opts = {}) @@ -91,7 +97,7 @@ module QA opts[:save_successes_to] << subgroup if opts[:save_successes_to] else logger.error("Failed - #{response}\n") - @failed_deletion_attempts << { path: subgroup['full_path'], response: response } + @failed_deletion_attempts << { path: subgroup[:full_path], response: response } end end @@ -101,9 +107,9 @@ module QA logger.info("Marking #{subgroups.length} subgroups for deletion...\n") subgroups.each do |subgroup| - path = subgroup['full_path'] + path = subgroup[:full_path] - if subgroup['marked_for_deletion_on'].nil? + if subgroup[:marked_for_deletion_on].nil? logger.info("Marking subgroup #{path} for deletion...") response = delete(subgroup_request(subgroup)) @@ -121,7 +127,7 @@ module QA response = get(subgroup_request(subgroup)) if response.code == 404 - logger.info("Subgroup #{subgroup['full_path']} is no longer available\n") + logger.info("Subgroup #{subgroup[:full_path]} is no longer available\n") false else true @@ -132,7 +138,7 @@ module QA logger.info("Permanently deleting #{subgroups.length} subgroups...\n") subgroups.each do |subgroup| - path = subgroup['full_path'] + path = subgroup[:full_path] next unless subgroup_exists?(subgroup) diff --git a/qa/qa/tools/delete_user_projects.rb b/qa/qa/tools/delete_user_projects.rb index 5fe8e30cb66..2182614c781 100644 --- a/qa/qa/tools/delete_user_projects.rb +++ b/qa/qa/tools/delete_user_projects.rb @@ -94,9 +94,9 @@ module QA total_project_pages.to_i.times do |page_no| projects_response = get Runtime::API::Request.new(@api_client, "/users/#{user_id}/projects", page: (page_no + 1).to_s, per_page: "100").url - projects_ids.concat(JSON.parse(projects_response.body) - .select { |project| Date.parse(project["created_at"]) < @delete_before } - .map { |project| project["id"] }) + projects_ids.concat(parse_body(projects_response) + .select { |project| Date.parse(project[:created_at]) < @delete_before } + .map { |project| project[:id] }) rescue StandardError => e logger.error("Failed to fetch projects for user #{user_id}: #{e.message}") end @@ -123,14 +123,14 @@ module QA next end - parsed_response = JSON.parse(user_response.body) + parsed_response = parse_body(user_response) if parsed_response.empty? logger.error("User #{qa_username} not found") next end - user_ids << parsed_response.first["id"] + user_ids << parsed_response.first[:id] rescue StandardError => e logger.error("Failed to fetch user ID for #{qa_username}: #{e.message}") end @@ -140,8 +140,8 @@ module QA def fetch_qa_username(user_id) response = get Runtime::API::Request.new(@api_client, "/users/#{user_id}").url - parsed_response = JSON.parse(response.body) - parsed_response["username"] + parsed_response = parse_body(response) + parsed_response[:username] end def set_api_client(token) diff --git a/qa/qa/tools/lib/group.rb b/qa/qa/tools/lib/group.rb index 5f154906073..b5f0347c872 100644 --- a/qa/qa/tools/lib/group.rb +++ b/qa/qa/tools/lib/group.rb @@ -11,8 +11,12 @@ module QA ENV['TOP_LEVEL_GROUP_NAME'] || "gitlab-qa-sandbox-group-#{Time.now.wday + 1}" end + logger.info("Fetching group #{group_name}...") + group_search_response = get Runtime::API::Request.new(api_client, "/groups/#{group_name}").url - JSON.parse(group_search_response.body)["id"] + group = parse_body(group_search_response) + + group[:id].nil? ? logger.warn("Top level group #{group_name} not found") : group[:id] end end end diff --git a/spec/dot_gitlab_ci/rules_spec.rb b/spec/dot_gitlab_ci/rules_spec.rb new file mode 100644 index 00000000000..88e98fe95ba --- /dev/null +++ b/spec/dot_gitlab_ci/rules_spec.rb @@ -0,0 +1,26 @@ +# frozen_string_literal: true + +require 'fast_spec_helper' + +RSpec.describe '.gitlab/ci/rules.gitlab-ci.yml', feature_category: :tooling do + config = YAML.load_file( + File.expand_path('../../.gitlab/ci/rules.gitlab-ci.yml', __dir__), + aliases: true + ).freeze + + context 'with changes' do + config.each do |name, definition| + next unless definition.is_a?(Hash) && definition['rules'] + + definition['rules'].each do |rule| + next unless rule.is_a?(Hash) && rule['changes'] + + # See this for why we want to always have if + # https://docs.gitlab.com/ee/development/pipelines/internals.html#avoid-force_gitlab_ci + it "#{name} has corresponding if" do + expect(rule).to include('if') + end + end + end + end +end diff --git a/spec/features/projects/branches/new_branch_ref_dropdown_spec.rb b/spec/features/projects/branches/new_branch_ref_dropdown_spec.rb index c1b468a3746..2559aedf0d2 100644 --- a/spec/features/projects/branches/new_branch_ref_dropdown_spec.rb +++ b/spec/features/projects/branches/new_branch_ref_dropdown_spec.rb @@ -69,6 +69,11 @@ RSpec.describe 'New Branch Ref Dropdown', :js, feature_category: :source_code_ma expect(toggle).not_to have_content(non_existing_ref) end + it 'passes accessibility tests' do + click_button 'master' + expect(page).to be_axe_clean.within('.ref-selector') + end + def item(ref_name) find('li', text: ref_name, match: :prefer_exact) end diff --git a/spec/lib/backup/manager_spec.rb b/spec/lib/backup/manager_spec.rb index 1aba245cab3..7a8cffe8529 100644 --- a/spec/lib/backup/manager_spec.rb +++ b/spec/lib/backup/manager_spec.rb @@ -608,6 +608,7 @@ RSpec.describe Backup::Manager, feature_category: :backup_restore do expect(Kernel).not_to have_received(:system).with(*pack_tar_cmdline) expect(subject.send(:backup_information).to_h).to include( + backup_id: backup_id, backup_created_at: backup_time.localtime, db_version: be_a(String), gitlab_version: Gitlab::VERSION, @@ -1035,6 +1036,28 @@ RSpec.describe Backup::Manager, feature_category: :backup_restore do expect(FileUtils).to have_received(:rm_rf).with(File.join(Gitlab.config.backup.path, 'tmp')) end + context 'backup information mismatches' do + let(:backup_id) { 'pineapple' } + let(:backup_information) do + { + backup_id: backup_id, + backup_created_at: Time.zone.parse('2019-01-01'), + gitlab_version: gitlab_version + } + end + + it 'unpacks the BACKUP specified file but uses the backup information backup ID' do + expect(task1).to receive(:restore).with(File.join(Gitlab.config.backup.path, 'lfs.tar.gz'), backup_id) + expect(task2).to receive(:restore).with(File.join(Gitlab.config.backup.path, 'pages.tar.gz'), backup_id) + + subject.restore + + expect(Kernel).to have_received(:system).with(*tar_cmdline) + expect(FileUtils).to have_received(:rm_rf).with(File.join(Gitlab.config.backup.path, 'backup_information.yml')) + expect(FileUtils).to have_received(:rm_rf).with(File.join(Gitlab.config.backup.path, 'tmp')) + end + end + context 'tar fails' do before do expect(Kernel).to receive(:system).with(*tar_cmdline).and_return(false) diff --git a/spec/lib/gitlab/pagination/keyset/order_spec.rb b/spec/lib/gitlab/pagination/keyset/order_spec.rb index 52d2688c06e..0d7de1596e6 100644 --- a/spec/lib/gitlab/pagination/keyset/order_spec.rb +++ b/spec/lib/gitlab/pagination/keyset/order_spec.rb @@ -635,6 +635,34 @@ RSpec.describe Gitlab::Pagination::Keyset::Order do end end end + + context 'when the cursor attribute is an array' do + let(:model) { Group.new(traversal_ids: [1, 2]) } + let(:scope) { Group.order(traversal_ids: :asc) } + let(:order) do + described_class.build( + [ + Gitlab::Pagination::Keyset::ColumnOrderDefinition.new( + attribute_name: 'traversal_ids', + order_expression: Group.arel_table['traversal_ids'].asc, + nullable: :not_nullable, + distinct: true + ) + ]) + end + + describe '#cursor_attributes_for_node' do + subject { order.cursor_attributes_for_node(model) } + + it { is_expected.to eq({ traversal_ids: [1, 2] }.with_indifferent_access) } + end + + describe '#apply_cursor_conditions' do + subject(:sql) { order.apply_cursor_conditions(scope, { 'traversal_ids' => [1, 2] }).to_sql } + + it { is_expected.to include('"namespaces"."traversal_ids" > \'{1,2}\')') } + end + end end end diff --git a/spec/models/ci/catalog/resource_spec.rb b/spec/models/ci/catalog/resource_spec.rb index 0faf43e9ee3..70adfddec15 100644 --- a/spec/models/ci/catalog/resource_spec.rb +++ b/spec/models/ci/catalog/resource_spec.rb @@ -227,7 +227,7 @@ RSpec.describe Ci::Catalog::Resource, feature_category: :pipeline_composition do end end - describe 'synchronizing denormalized columns with `projects` table', :sidekiq_inline do + describe 'synchronizing denormalized columns with `projects` table using SyncEvents processing', :sidekiq_inline do let_it_be_with_reload(:project) { create(:project, name: 'Test project', description: 'Test description') } context 'when the catalog resource is created' do @@ -272,7 +272,7 @@ RSpec.describe Ci::Catalog::Resource, feature_category: :pipeline_composition do end end - describe '#update_latest_released_at! triggered in model callbacks' do + describe 'updating latest_released_at using model callbacks' do let_it_be(:project) { create(:project) } let_it_be(:resource) { create(:ci_catalog_resource, project: project) } diff --git a/spec/models/ci/catalog/resources/version_spec.rb b/spec/models/ci/catalog/resources/version_spec.rb index bacaa6355fe..c91b2c71241 100644 --- a/spec/models/ci/catalog/resources/version_spec.rb +++ b/spec/models/ci/catalog/resources/version_spec.rb @@ -119,29 +119,6 @@ RSpec.describe Ci::Catalog::Resources::Version, type: :model, feature_category: end end - describe '#update_catalog_resource' do - let_it_be(:release) { create(:release, project: project1, tag: 'v1') } - let(:version) { build(:ci_catalog_resource_version, catalog_resource: resource1, release: release) } - - context 'when a version is created' do - it 'calls update_catalog_resource' do - expect(version).to receive(:update_catalog_resource).once - - version.save! - end - end - - context 'when a version is destroyed' do - it 'calls update_catalog_resource' do - version.save! - - expect(version).to receive(:update_catalog_resource).once - - version.destroy! - end - end - end - describe '#name' do it 'is equivalent to release.tag' do v1_0.release.update!(name: 'Release v1.0') @@ -172,4 +149,29 @@ RSpec.describe Ci::Catalog::Resources::Version, type: :model, feature_category: expect(v1_1.readme.data).to include('Readme v1.1') end end + + describe 'synchronizing released_at with `releases` table using model callbacks' do + let_it_be(:project) { create(:project) } + let_it_be(:resource) { create(:ci_catalog_resource, project: project) } + + let_it_be_with_reload(:release) do + create(:release, :with_catalog_resource_version, project: project, tag: 'v1', released_at: '2023-01-01T00:00:00Z') + end + + let(:version) { release.catalog_resource_version } + + context 'when the version is created' do + it 'updates released_at to match the release' do + expect(version.read_attribute(:released_at)).to eq(release.released_at) + end + end + + context 'when release.released_at is updated' do + it 'updates released_at to match the release' do + release.update!(released_at: '2023-02-02T00:00:00Z') + + expect(version.read_attribute(:released_at)).to eq(release.released_at) + end + end + end end diff --git a/spec/models/release_spec.rb b/spec/models/release_spec.rb index 4a4cb1ae46a..1f3af7d46bc 100644 --- a/spec/models/release_spec.rb +++ b/spec/models/release_spec.rb @@ -104,42 +104,6 @@ RSpec.describe Release, feature_category: :release_orchestration do end end - describe '#update_catalog_resource' do - let_it_be(:project) { create(:project) } - let_it_be_with_refind(:release) { create(:release, project: project, author: user) } - - context 'when the project is a catalog resource' do - before_all do - create(:ci_catalog_resource, project: project) - end - - context 'when released_at is updated' do - it 'calls update_catalog_resource' do - expect(release).to receive(:update_catalog_resource).once - - release.update!(released_at: release.released_at + 1.day) - end - end - - context 'when the release is destroyed' do - it 'calls update_catalog_resource' do - expect(release).to receive(:update_catalog_resource).once - - release.destroy! - end - end - end - - context 'when the project is not a catalog resource' do - it 'does not call update_catalog_resource' do - expect(release).not_to receive(:update_catalog_resource) - - release.update!(released_at: release.released_at + 1.day) - release.destroy! - end - end - end - describe 'tagged' do # We only test for empty string since there's a not null constraint at the database level it 'does not return the tagless release' do @@ -402,4 +366,31 @@ RSpec.describe Release, feature_category: :release_orchestration do it { expect(release.milestone_titles).to eq("#{milestone_1.title}, #{milestone_2.title}") } end + + describe 'updating catalog resource version' do + let_it_be(:project) { create(:project) } + let_it_be(:resource) { create(:ci_catalog_resource, project: project) } + + let_it_be_with_reload(:release) do + create(:release, :with_catalog_resource_version, project: project, tag: 'v1', released_at: '2023-01-01T00:00:00Z') + end + + let(:version) { release.catalog_resource_version } + + context 'when released_at has changed' do + it 'calls sync_with_release! on the catalog resource version' do + expect(version).to receive(:sync_with_release!).once + + release.update!(released_at: '2023-02-02T00:00:00Z') + end + end + + context 'when released_at has not changed' do + it 'does not call sync_with_release! on the catalog resource version' do + expect(version).not_to receive(:sync_with_release!) + + release.update!(released_at: '2023-01-01T00:00:00Z') + end + end + end end diff --git a/spec/tooling/quality/test_level_spec.rb b/spec/tooling/quality/test_level_spec.rb index b6c469929ea..dfbe5ce283b 100644 --- a/spec/tooling/quality/test_level_spec.rb +++ b/spec/tooling/quality/test_level_spec.rb @@ -46,7 +46,7 @@ RSpec.describe Quality::TestLevel, feature_category: :tooling do context 'when level is unit' do it 'returns a pattern' do expect(subject.pattern(:unit)) - .to eq("spec/{bin,channels,components,config,contracts,db,dependencies,elastic,elastic_integration,experiments,factories,finders,frontend,graphql,haml_lint,helpers,initializers,keeps,lib,metrics_server,models,policies,presenters,rack_servers,replicators,routing,rubocop,scripts,serializers,services,sidekiq,sidekiq_cluster,spam,support_specs,tasks,uploaders,validators,views,workers,tooling}{,/**/}*_spec.rb") + .to eq("spec/{bin,channels,components,config,contracts,db,dependencies,elastic,elastic_integration,experiments,factories,finders,frontend,graphql,haml_lint,helpers,initializers,keeps,lib,metrics_server,models,policies,presenters,rack_servers,replicators,routing,rubocop,scripts,serializers,services,sidekiq,sidekiq_cluster,spam,support_specs,tasks,uploaders,validators,views,workers,tooling,dot_gitlab_ci}{,/**/}*_spec.rb") end end @@ -121,7 +121,7 @@ RSpec.describe Quality::TestLevel, feature_category: :tooling do context 'when level is unit' do it 'returns a regexp' do expect(subject.regexp(:unit)) - .to eq(%r{spec/(bin|channels|components|config|contracts|db|dependencies|elastic|elastic_integration|experiments|factories|finders|frontend|graphql|haml_lint|helpers|initializers|keeps|lib|metrics_server|models|policies|presenters|rack_servers|replicators|routing|rubocop|scripts|serializers|services|sidekiq|sidekiq_cluster|spam|support_specs|tasks|uploaders|validators|views|workers|tooling)/}) + .to eq(%r{spec/(bin|channels|components|config|contracts|db|dependencies|elastic|elastic_integration|experiments|factories|finders|frontend|graphql|haml_lint|helpers|initializers|keeps|lib|metrics_server|models|policies|presenters|rack_servers|replicators|routing|rubocop|scripts|serializers|services|sidekiq|sidekiq_cluster|spam|support_specs|tasks|uploaders|validators|views|workers|tooling|dot_gitlab_ci)/}) end end diff --git a/spec/views/devise/shared/_signup_box.html.haml_spec.rb b/spec/views/devise/shared/_signup_box.html.haml_spec.rb index 13beb87c383..1b2324c9893 100644 --- a/spec/views/devise/shared/_signup_box.html.haml_spec.rb +++ b/spec/views/devise/shared/_signup_box.html.haml_spec.rb @@ -26,6 +26,7 @@ RSpec.describe 'devise/shared/_signup_box' do allow(view).to receive(:terms_path).and_return(terms_path) allow(view).to receive(:button_text).and_return(button_text) allow(view).to receive(:signup_username_data_attributes).and_return({}) + allow(view).to receive(:tracking_label).and_return('') stub_template 'devise/shared/_error_messages.html.haml' => '' end diff --git a/tests.yml b/tests.yml index 93d4f02f384..ab92031c771 100644 --- a/tests.yml +++ b/tests.yml @@ -37,6 +37,10 @@ mapping: - source: 'rubocop/(.+)\.rb' test: 'spec/rubocop/%s_spec.rb' + # .gitlab/ci related specs + - source: '.gitlab/ci/(.+)\.gitlab-ci\.yml' + test: 'spec/dot_gitlab_ci/%s_spec.rb' + # Initializers should map to respective spec - source: 'config/initializers/(.+)\.rb' test: 'spec/initializers/%s_spec.rb' diff --git a/tooling/quality/test_level.rb b/tooling/quality/test_level.rb index c0cc89380d1..f1a76692e3f 100644 --- a/tooling/quality/test_level.rb +++ b/tooling/quality/test_level.rb @@ -56,7 +56,8 @@ module Quality views workers tooling - ], + dot_gitlab_ci + ], # ^ tooling and dot_gitlab_ci might be worth to move to another level integration: %w[ commands controllers diff --git a/workhorse/cmd/gitlab-zip-metadata/main.go b/workhorse/cmd/gitlab-zip-metadata/main.go index 14fa2066997..a53c301333f 100644 --- a/workhorse/cmd/gitlab-zip-metadata/main.go +++ b/workhorse/cmd/gitlab-zip-metadata/main.go @@ -26,7 +26,7 @@ func main() { os.Exit(0) } - if len(os.Args) != 2 { + if len(flag.Args()) != 1 { fmt.Fprintf(os.Stderr, "Usage: %s FILE.ZIP\n", progName) os.Exit(1) } @@ -44,7 +44,7 @@ func main() { ctx, cancel := context.WithCancel(context.Background()) defer cancel() - archive, err := zipartifacts.OpenArchiveWithReaderFunc(ctx, os.Args[1], readerFunc) + archive, err := zipartifacts.OpenArchiveWithReaderFunc(ctx, flag.Args()[0], readerFunc) if err != nil { fatalError(err) } diff --git a/workhorse/internal/config/config.go b/workhorse/internal/config/config.go index d84bab16541..562ea05bfd0 100644 --- a/workhorse/internal/config/config.go +++ b/workhorse/internal/config/config.go @@ -156,8 +156,14 @@ var DefaultImageResizerConfig = ImageResizerConfig{ MaxFilesize: 250 * 1000, // 250kB, } +func NewDefaultConfig() *Config { + return &Config{ + ImageResizerConfig: DefaultImageResizerConfig, + } +} + func LoadConfig(data string) (*Config, error) { - cfg := &Config{ImageResizerConfig: DefaultImageResizerConfig} + cfg := NewDefaultConfig() if _, err := toml.Decode(data, cfg); err != nil { return nil, err diff --git a/workhorse/internal/config/config_test.go b/workhorse/internal/config/config_test.go index 03cad69d335..d3f00021725 100644 --- a/workhorse/internal/config/config_test.go +++ b/workhorse/internal/config/config_test.go @@ -190,3 +190,9 @@ alt_document_root = "/path/to/documents" require.Equal(t, "/path/to/documents", cfg.AltDocumentRoot) } + +func TestDefaultConfig(t *testing.T) { + cfg := NewDefaultConfig() + + require.Equal(t, uint64(250000), cfg.ImageResizerConfig.MaxFilesize) +} diff --git a/workhorse/main.go b/workhorse/main.go index 5743355594f..0c470d36e3e 100644 --- a/workhorse/main.go +++ b/workhorse/main.go @@ -72,7 +72,8 @@ type alreadyPrintedError struct{ error } // of type alreadyPrintedError it has already been printed. func buildConfig(arg0 string, args []string) (*bootConfig, *config.Config, error) { boot := &bootConfig{} - cfg := &config.Config{Version: Version} + cfg := config.NewDefaultConfig() + cfg.Version = Version fset := flag.NewFlagSet(arg0, flag.ContinueOnError) fset.Usage = func() { fmt.Fprintf(fset.Output(), "Usage of %s:\n", arg0) diff --git a/workhorse/main_test.go b/workhorse/main_test.go index 39eaa3ee30b..fb36c6b2c3a 100644 --- a/workhorse/main_test.go +++ b/workhorse/main_test.go @@ -772,12 +772,12 @@ func testAuthServer(t *testing.T, url *regexp.Regexp, params url.Values, code in } func newUpstreamConfig(authBackend string) *config.Config { - return &config.Config{ - Version: "123", - DocumentRoot: testDocumentRoot, - Backend: helper.URLMustParse(authBackend), - ImageResizerConfig: config.DefaultImageResizerConfig, - } + defaultConfig := config.NewDefaultConfig() + defaultConfig.Version = "123" + defaultConfig.DocumentRoot = testDocumentRoot + defaultConfig.Backend = helper.URLMustParse(authBackend) + + return defaultConfig } func startWorkhorseServer(authBackend string) *httptest.Server { |