diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-07-08 18:10:06 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-07-08 18:10:06 +0300 |
| commit | 66a3180a3b9417cb5259ecca83934f22b136394b (patch) | |
| tree | 5adbb98712fc46b082cff357fdcb85736f9e844b | |
| parent | dd18ae74af0dd661ca3a5ff5458feea925af5ab8 (diff) | |
Add latest changes from gitlab-org/gitlab@master
76 files changed, 1077 insertions, 437 deletions
diff --git a/.gitlab/ci/review.gitlab-ci.yml b/.gitlab/ci/review.gitlab-ci.yml index 5ef248c27e8..faafc8ef0e1 100644 --- a/.gitlab/ci/review.gitlab-ci.yml +++ b/.gitlab/ci/review.gitlab-ci.yml @@ -54,7 +54,6 @@ review-deploy: extends: - .review-workflow-base - .review:rules:review-deploy - retry: 2 stage: review needs: ["review-build-cng"] resource_group: "review/${CI_COMMIT_REF_NAME}" diff --git a/.gitlab/ci/rules.gitlab-ci.yml b/.gitlab/ci/rules.gitlab-ci.yml index da9a32389fa..55ebd3ba038 100644 --- a/.gitlab/ci/rules.gitlab-ci.yml +++ b/.gitlab/ci/rules.gitlab-ci.yml @@ -1200,19 +1200,31 @@ changes: *code-qa-patterns allow_failure: true +# The rule needs to be duplicated between `on_success` and `on_failure` +# because the jobs `needs` the previous job to complete. +# See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/63844#note_599012559 .review:rules:review-qa-smoke-report: rules: - <<: *if-not-ee when: never - <<: *if-dot-com-gitlab-org-merge-request changes: *ci-review-patterns - when: always + when: on_success + - <<: *if-dot-com-gitlab-org-merge-request + changes: *ci-review-patterns + when: on_failure - <<: *if-dot-com-gitlab-org-merge-request changes: *frontend-patterns - when: always + when: on_success + - <<: *if-dot-com-gitlab-org-merge-request + changes: *frontend-patterns + when: on_failure - <<: *if-dot-com-gitlab-org-merge-request changes: *code-qa-patterns - when: always + when: on_success + - <<: *if-dot-com-gitlab-org-merge-request + changes: *code-qa-patterns + when: on_failure .review:rules:review-qa-all: rules: @@ -1226,6 +1238,9 @@ changes: *qa-patterns allow_failure: true +# The rule needs to be duplicated between `on_success` and `on_failure` +# because the jobs `needs` the previous job to complete. +# See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/63844#note_599012559 .review:rules:review-qa-all-report: rules: - <<: *if-not-ee @@ -1237,7 +1252,11 @@ - <<: *if-dot-com-gitlab-org-merge-request changes: *qa-patterns allow_failure: true - when: always + when: on_success + - <<: *if-dot-com-gitlab-org-merge-request + changes: *qa-patterns + allow_failure: true + when: on_failure .review:rules:review-cleanup: rules: diff --git a/.gitlab/issue_templates/Geo Replicate a new Git repository type.md b/.gitlab/issue_templates/Geo Replicate a new Git repository type.md index dd37cd703b1..560b1722348 100644 --- a/.gitlab/issue_templates/Geo Replicate a new Git repository type.md +++ b/.gitlab/issue_templates/Geo Replicate a new Git repository type.md @@ -513,19 +513,59 @@ That's all of the required database changes. end ``` -##### If you added verification state fields to a separate table (option 2 above), then you need to make additional model changes +- [ ] Add the following to `spec/factories/cool_widgets.rb`: + + ```ruby + trait(:verification_succeeded) do + with_file + verification_checksum { 'abc' } + verification_state { CoolWidget.verification_state_value(:verification_succeeded) } + end + + trait(:verification_failed) do + with_file + verification_failure { 'Could not calculate the checksum' } + verification_state { CoolWidget.verification_state_value(:verification_failed) } + end + ``` + +- [ ] Make sure the factory also allows setting a `project` attribute. If the model does not have a direct relation to a project, you can use a `transient` attribute. Check out `spec/factories/merge_request_diffs.rb` for an example. + +##### If you added verification state fields to a separate table (option 2 above), then you need to make additional model and factory changes If you did not add verification state fields to a separate table, `cool_widget_states`, then skip to [Step 2. Implement metrics gathering](#step-2-implement-metrics-gathering). Otherwise, you can follow [the example of Merge Request Diffs](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/63309). -- [ ] Add the following lines to the `cool_widget_state.rb` model: +- [ ] Add a `Geo::CoolWidgetState` model in `ee/app/models/ee/geo/cool_widget_state.rb`: ``` ruby - class CoolWidgetState < ApplicationRecord - self.primary_key = :cool_widget_id + module Geo + class CoolWidgetState < ApplicationRecord + self.primary_key = :cool_widget_id - belongs_to :cool_widget, inverse_of: :cool_widget_state + belongs_to :cool_widget, inverse_of: :cool_widget_state + end + end + ``` + +- [ ] Add a `factory` for `cool_widget_state`, in `ee/spec/factories/geo/cool_widget_states.rb`: + + ``` ruby + # frozen_string_literal: true + + FactoryBot.define do + factory :geo_cool_widget_state, class: 'Geo::CoolWidgetState' do + cool_widget + + trait(:checksummed) do + verification_checksum { 'abc' } + end + + trait(:checksum_failure) do + verification_failure { 'Could not calculate the checksum' } + end + end end ``` @@ -540,7 +580,7 @@ Otherwise, you can follow [the example of Merge Request Diffs](https://gitlab.co ... include ::Gitlab::Geo::VerificationState - has_one :cool_widget_state, autosave: true, inverse_of: :cool_widget + has_one :cool_widget_state, autosave: true, inverse_of: :cool_widget, class_name: 'Geo::CoolWidgetState' delegate :verification_retry_at, :verification_retry_at=, :verified_at, :verified_at=, @@ -577,6 +617,12 @@ Otherwise, you can follow [the example of Merge Request Diffs](https://gitlab.co end end ... + + def cool_widget_state + super || build_cool_widget_state + end + + ... end ``` @@ -616,24 +662,6 @@ Metrics are gathered by `Geo::MetricsUpdateWorker`, persisted in `GeoNodeStatus` Geo::CoolWidgetReplicator | :cool_widget | :geo_cool_widget_registry ``` -- [ ] Add the following to `spec/factories/cool_widgets.rb`: - - ```ruby - trait(:verification_succeeded) do - with_file - verification_checksum { 'abc' } - verification_state { CoolWidget.verification_state_value(:verification_succeeded) } - end - - trait(:verification_failed) do - with_file - verification_failure { 'Could not calculate the checksum' } - verification_state { CoolWidget.verification_state_value(:verification_failed) } - end - ``` - -- [ ] Make sure the factory also allows setting a `project` attribute. If the model does not have a direct relation to a project, you can use a `transient` attribute. Check out `spec/factories/merge_request_diffs.rb` for an example. - Cool Widget replication and verification metrics should now be available in the API, the `Admin > Geo > Nodes` view, and Prometheus. #### Step 3. Implement the GraphQL API diff --git a/.gitlab/issue_templates/Geo Replicate a new blob type.md b/.gitlab/issue_templates/Geo Replicate a new blob type.md index fcb5c281fc1..58b08f490f7 100644 --- a/.gitlab/issue_templates/Geo Replicate a new blob type.md +++ b/.gitlab/issue_templates/Geo Replicate a new blob type.md @@ -480,19 +480,59 @@ That's all of the required database changes. end ``` -##### If you added verification state fields to a separate table (option 2 above), then you need to make additional model changes +- [ ] Add the following to `spec/factories/cool_widgets.rb`: + + ```ruby + trait(:verification_succeeded) do + with_file + verification_checksum { 'abc' } + verification_state { CoolWidget.verification_state_value(:verification_succeeded) } + end + + trait(:verification_failed) do + with_file + verification_failure { 'Could not calculate the checksum' } + verification_state { CoolWidget.verification_state_value(:verification_failed) } + end + ``` + +- [ ] Make sure the factory also allows setting a `project` attribute. If the model does not have a direct relation to a project, you can use a `transient` attribute. Check out `spec/factories/merge_request_diffs.rb` for an example. + +##### If you added verification state fields to a separate table (option 2 above), then you need to make additional model and factory changes If you did not add verification state fields to a separate table, `cool_widget_states`, then skip to [Step 2. Implement metrics gathering](#step-2-implement-metrics-gathering). Otherwise, you can follow [the example of Merge Request Diffs](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/63309). -- [ ] Add the following lines to the `cool_widget_state.rb` model: +- [ ] Add a `Geo::CoolWidgetState` model in `ee/app/models/ee/geo/cool_widget_state.rb`: ``` ruby - class CoolWidgetState < ApplicationRecord - self.primary_key = :cool_widget_id + module Geo + class CoolWidgetState < ApplicationRecord + self.primary_key = :cool_widget_id - belongs_to :cool_widget, inverse_of: :cool_widget_state + belongs_to :cool_widget, inverse_of: :cool_widget_state + end + end + ``` + +- [ ] Add a `factory` for `cool_widget_state`, in `ee/spec/factories/geo/cool_widget_states.rb`: + + ``` ruby + # frozen_string_literal: true + + FactoryBot.define do + factory :geo_cool_widget_state, class: 'Geo::CoolWidgetState' do + cool_widget + + trait(:checksummed) do + verification_checksum { 'abc' } + end + + trait(:checksum_failure) do + verification_failure { 'Could not calculate the checksum' } + end + end end ``` @@ -507,7 +547,7 @@ Otherwise, you can follow [the example of Merge Request Diffs](https://gitlab.co ... include ::Gitlab::Geo::VerificationState - has_one :cool_widget_state, autosave: true, inverse_of: :cool_widget + has_one :cool_widget_state, autosave: true, inverse_of: :cool_widget, class_name: 'Geo::CoolWidgetState' delegate :verification_retry_at, :verification_retry_at=, :verified_at, :verified_at=, @@ -544,6 +584,12 @@ Otherwise, you can follow [the example of Merge Request Diffs](https://gitlab.co end end ... + + def cool_widget_state + super || build_cool_widget_state + end + + ... end ``` @@ -583,24 +629,6 @@ Metrics are gathered by `Geo::MetricsUpdateWorker`, persisted in `GeoNodeStatus` Geo::CoolWidgetReplicator | :cool_widget | :geo_cool_widget_registry ``` -- [ ] Add the following to `spec/factories/cool_widgets.rb`: - - ```ruby - trait(:verification_succeeded) do - with_file - verification_checksum { 'abc' } - verification_state { CoolWidget.verification_state_value(:verification_succeeded) } - end - - trait(:verification_failed) do - with_file - verification_failure { 'Could not calculate the checksum' } - verification_state { CoolWidget.verification_state_value(:verification_failed) } - end - ``` - -- [ ] Make sure the factory also allows setting a `project` attribute. If the model does not have a direct relation to a project, you can use a `transient` attribute. Check out `spec/factories/merge_request_diffs.rb` for an example. - Cool Widget replication and verification metrics should now be available in the API, the `Admin > Geo > Nodes` view, and Prometheus. #### Step 3. Implement the GraphQL API diff --git a/CHANGELOG.md b/CHANGELOG.md index 0c0ac790402..a658a6f32c1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,19 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. +## 14.0.5 (2021-07-08) + +### Fixed (4 changes) + +- [Return empty strings for Jira links when URL is not set](gitlab-org/gitlab@6da7890d8137b1879297ad81c6737312d6f672b3) ([merge request](gitlab-org/gitlab!65728)) +- [Add prefix to autocomplete path](gitlab-org/gitlab@5256ab7db346610a816ebb975ae9a6ce0d853435) ([merge request](gitlab-org/gitlab!65728)) +- [Do not create audit event for failed logins on read-only DB](gitlab-org/gitlab@30c7944ddddfe92566b3f66a7f549bef3ffd8d82) ([merge request](gitlab-org/gitlab!65728)) **GitLab Enterprise Edition** +- [Fix git clone for projects with a trailing dot over HTTP](gitlab-org/gitlab@a91be9412a09b069390cc33c14d1bc72216cdbf0) ([merge request](gitlab-org/gitlab!65728)) + +### Other (1 change) + +- [Initialize conversion of ci_builds_metadata.id for bigint migration](gitlab-org/gitlab@34522b102be43118063aa3245d23af313173700d) ([merge request](gitlab-org/gitlab!65728)) + ## 14.0.4 (2021-07-07) ### Security (1 change) diff --git a/app/assets/javascripts/fly_out_nav.js b/app/assets/javascripts/fly_out_nav.js index be7418ba802..0fb70fb831e 100644 --- a/app/assets/javascripts/fly_out_nav.js +++ b/app/assets/javascripts/fly_out_nav.js @@ -88,12 +88,12 @@ export const moveSubItemsToPosition = (el, subItems) => { const boundingRect = el.getBoundingClientRect(); const left = sidebar ? sidebar.offsetWidth : COLLAPSED_PANEL_WIDTH; let top = calculateTop(boundingRect, subItems.offsetHeight); + const isAbove = top < boundingRect.top; if (hasSubItems) { - top -= header.offsetHeight; + top = isAbove ? top : top - header.offsetHeight; } else { top = boundingRect.top; } - const isAbove = top <= boundingRect.top; subItems.classList.add('fly-out-list'); subItems.style.transform = `translate3d(${left}px, ${Math.floor(top) - getHeaderHeight()}px, 0)`; // eslint-disable-line no-param-reassign diff --git a/app/assets/javascripts/packages/list/constants.js b/app/assets/javascripts/packages/list/constants.js index f2125034b5f..2c6fd94024e 100644 --- a/app/assets/javascripts/packages/list/constants.js +++ b/app/assets/javascripts/packages/list/constants.js @@ -90,6 +90,10 @@ export const PACKAGE_TYPES = [ title: s__('PackageRegistry|Debian'), type: PackageType.DEBIAN, }, + { + title: s__('PackageRegistry|Helm'), + type: PackageType.HELM, + }, ]; export const LIST_TITLE_TEXT = s__('PackageRegistry|Package Registry'); diff --git a/app/assets/javascripts/packages/shared/constants.js b/app/assets/javascripts/packages/shared/constants.js index c6b9c8b29de..b4cdca34d92 100644 --- a/app/assets/javascripts/packages/shared/constants.js +++ b/app/assets/javascripts/packages/shared/constants.js @@ -10,6 +10,7 @@ export const PackageType = { RUBYGEMS: 'rubygems', GENERIC: 'generic', DEBIAN: 'debian', + HELM: 'helm', }; // we want this separated from the main dictionary to avoid it being pulled in the search of package diff --git a/app/assets/javascripts/packages/shared/utils.js b/app/assets/javascripts/packages/shared/utils.js index 89b9bd34b08..7e86e5b2991 100644 --- a/app/assets/javascripts/packages/shared/utils.js +++ b/app/assets/javascripts/packages/shared/utils.js @@ -27,6 +27,8 @@ export const getPackageTypeLabel = (packageType) => { return s__('PackageRegistry|Generic'); case PackageType.DEBIAN: return s__('PackageRegistry|Debian'); + case PackageType.HELM: + return s__('PackageRegistry|Helm'); default: return null; } diff --git a/app/assets/javascripts/packages_and_registries/settings/project/components/settings_form.vue b/app/assets/javascripts/packages_and_registries/settings/project/components/settings_form.vue index efdb65265d0..6030af9d2c3 100644 --- a/app/assets/javascripts/packages_and_registries/settings/project/components/settings_form.vue +++ b/app/assets/javascripts/packages_and_registries/settings/project/components/settings_form.vue @@ -88,8 +88,6 @@ export default { return { ...this.value, cadence: this.findDefaultOption('cadence'), - keepN: this.findDefaultOption('keepN'), - olderThan: this.findDefaultOption('olderThan'), }; }, showLoadingIcon() { diff --git a/app/assets/javascripts/packages_and_registries/settings/project/utils.js b/app/assets/javascripts/packages_and_registries/settings/project/utils.js index 4a2d7c7d466..b577a051862 100644 --- a/app/assets/javascripts/packages_and_registries/settings/project/utils.js +++ b/app/assets/javascripts/packages_and_registries/settings/project/utils.js @@ -11,11 +11,14 @@ export const olderThanTranslationGenerator = (variable) => n__('%d day', '%d day export const keepNTranslationGenerator = (variable) => n__('%d tag per image name', '%d tags per image name', variable); -export const optionLabelGenerator = (collection, translationFn) => - collection.map((option) => ({ +export const optionLabelGenerator = (collection, translationFn) => { + const result = collection.map((option) => ({ ...option, label: translationFn(option.variable), })); + result.unshift({ key: null, label: '' }); + return result; +}; export const formOptionsGenerator = () => { return { diff --git a/app/assets/javascripts/vue_shared/new_namespace/components/welcome.vue b/app/assets/javascripts/vue_shared/new_namespace/components/welcome.vue index 2e6aa3486cf..1b20ae57563 100644 --- a/app/assets/javascripts/vue_shared/new_namespace/components/welcome.vue +++ b/app/assets/javascripts/vue_shared/new_namespace/components/welcome.vue @@ -30,7 +30,7 @@ export default { }; </script> <template> - <div class="container"> + <div class="container gl-display-flex gl-flex-direction-column"> <h2 class="gl-my-7 gl-font-size-h1 gl-text-center"> {{ title }} </h2> diff --git a/app/assets/stylesheets/framework/contextual_sidebar.scss b/app/assets/stylesheets/framework/contextual_sidebar.scss index 2b1c97f1398..f5002a342b6 100644 --- a/app/assets/stylesheets/framework/contextual_sidebar.scss +++ b/app/assets/stylesheets/framework/contextual_sidebar.scss @@ -316,6 +316,10 @@ a.has-sub-items + .sidebar-sub-level-items.fly-out-list { @include gl-mt-n2; + + &.is-above { + @include gl-mt-2; + } } @media (min-width: map-get($grid-breakpoints, md)) and (max-width: map-get($grid-breakpoints, xl) - 1px) { diff --git a/app/graphql/resolvers/issues_resolver.rb b/app/graphql/resolvers/issues_resolver.rb index 93e679b2d0c..2017eb7decd 100644 --- a/app/graphql/resolvers/issues_resolver.rb +++ b/app/graphql/resolvers/issues_resolver.rb @@ -15,6 +15,7 @@ module Resolvers type Types::IssueType.connection_type, null: true NON_STABLE_CURSOR_SORTS = %i[priority_asc priority_desc + popularity_asc popularity_desc label_priority_asc label_priority_desc milestone_due_asc milestone_due_desc].freeze diff --git a/app/graphql/types/issue_sort_enum.rb b/app/graphql/types/issue_sort_enum.rb index e730a51b60e..a2390ff01fe 100644 --- a/app/graphql/types/issue_sort_enum.rb +++ b/app/graphql/types/issue_sort_enum.rb @@ -10,6 +10,8 @@ module Types value 'RELATIVE_POSITION_ASC', 'Relative position by ascending order.', value: :relative_position_asc value 'SEVERITY_ASC', 'Severity from less critical to more critical.', value: :severity_asc value 'SEVERITY_DESC', 'Severity from more critical to less critical.', value: :severity_desc + value 'POPULARITY_ASC', 'Number of upvotes (awarded "thumbs up" emoji) by ascending order.', value: :popularity_asc + value 'POPULARITY_DESC', 'Number of upvotes (awarded "thumbs up" emoji) by descending order.', value: :popularity_desc end end diff --git a/app/models/integrations/buildkite.rb b/app/models/integrations/buildkite.rb index 906a5d02f9c..4f28c961916 100644 --- a/app/models/integrations/buildkite.rb +++ b/app/models/integrations/buildkite.rb @@ -76,18 +76,22 @@ module Integrations 'buildkite' end + def help + s_('ProjectService|Run CI/CD pipelines with Buildkite.') + end + def fields [ { type: 'text', name: 'token', - title: 'Integration Token', - help: 'This token will be provided when you create a Buildkite pipeline with a GitLab repository', + title: _('Token'), + help: s_('ProjectService|The token you get after you create a Buildkite pipeline with a GitLab repository.'), required: true }, { type: 'text', name: 'project_url', - title: 'Pipeline URL', - placeholder: "#{ENDPOINT}/acme-inc/test-pipeline", + title: _('Pipeline URL'), + placeholder: "#{ENDPOINT}/example-org/test-pipeline", required: true } ] end diff --git a/app/services/ci/pipelines/add_job_service.rb b/app/services/ci/pipelines/add_job_service.rb new file mode 100644 index 00000000000..03bdb491200 --- /dev/null +++ b/app/services/ci/pipelines/add_job_service.rb @@ -0,0 +1,37 @@ +# frozen_string_literal: true + +module Ci + module Pipelines + class AddJobService + attr_reader :pipeline + + def initialize(pipeline) + @pipeline = pipeline + + raise ArgumentError, "Pipeline must be persisted for this service to be used" unless @pipeline.persisted? + end + + def execute!(job, &block) + assign_pipeline_attributes(job) + + Ci::Pipeline.transaction do + yield(job) + + job.update_older_statuses_retried! if Feature.enabled?(:ci_fix_commit_status_retried, @pipeline.project, default_enabled: :yaml) + end + + ServiceResponse.success(payload: { job: job }) + rescue StandardError => e + ServiceResponse.error(message: e.message, payload: { job: job }) + end + + private + + def assign_pipeline_attributes(job) + job.pipeline = @pipeline + job.project = @pipeline.project + job.ref = @pipeline.ref + end + end + end +end diff --git a/app/services/ci/retry_build_service.rb b/app/services/ci/retry_build_service.rb index be96910176f..08520c9514c 100644 --- a/app/services/ci/retry_build_service.rb +++ b/app/services/ci/retry_build_service.rb @@ -34,18 +34,15 @@ module Ci def reprocess!(build) check_access!(build) - attributes = self.class.clone_accessors.to_h do |attribute| - [attribute, build.public_send(attribute)] # rubocop:disable GitlabSecurity/PublicSend - end - - attributes[:user] = current_user - - Ci::Build.transaction do - create_build!(attributes).tap do |new_build| - new_build.update_older_statuses_retried! - build.reset # refresh the data to get new values of `retried` and `processed`. + new_build = clone_build(build) + ::Ci::Pipelines::AddJobService.new(build.pipeline).execute!(new_build) do |job| + BulkInsertableAssociations.with_bulk_insert do + job.save! end end + build.reset # refresh the data to get new values of `retried` and `processed`. + + new_build end # rubocop: enable CodeReuse/ActiveRecord @@ -59,13 +56,19 @@ module Ci def check_assignable_runners!(build); end - def create_build!(attributes) - build = project.builds.new(attributes) - build.assign_attributes(::Gitlab::Ci::Pipeline::Seed::Build.environment_attributes_for(build)) - BulkInsertableAssociations.with_bulk_insert do - build.save! + def clone_build(build) + project.builds.new(build_attributes(build)).tap do |new_build| + new_build.assign_attributes(::Gitlab::Ci::Pipeline::Seed::Build.environment_attributes_for(new_build)) end - build + end + + def build_attributes(build) + attributes = self.class.clone_accessors.to_h do |attribute| + [attribute, build.public_send(attribute)] # rubocop:disable GitlabSecurity/PublicSend + end + + attributes[:user] = current_user + attributes end end end diff --git a/app/services/projects/update_pages_service.rb b/app/services/projects/update_pages_service.rb index 8ea35131339..a90c22c7de5 100644 --- a/app/services/projects/update_pages_service.rb +++ b/app/services/projects/update_pages_service.rb @@ -31,10 +31,11 @@ module Projects register_attempt # Create status notifying the deployment of pages - @status = create_status - @status.update_older_statuses_retried! if Feature.enabled?(:ci_fix_commit_status_retried, project, default_enabled: :yaml) - @status.enqueue! - @status.run! + @status = build_commit_status + ::Ci::Pipelines::AddJobService.new(@build.pipeline).execute!(@status) do |job| + job.enqueue! + job.run! + end raise InvalidStateError, 'missing pages artifacts' unless build.artifacts? raise InvalidStateError, 'build SHA is outdated for this ref' unless latest? @@ -70,12 +71,9 @@ module Projects super end - def create_status + def build_commit_status GenericCommitStatus.new( - project: project, - pipeline: build.pipeline, user: build.user, - ref: build.ref, stage: 'deploy', name: 'pages:deploy' ) diff --git a/app/views/admin/application_settings/_ci_cd.html.haml b/app/views/admin/application_settings/_ci_cd.html.haml index 5ae45d5a9da..fb530e18b03 100644 --- a/app/views/admin/application_settings/_ci_cd.html.haml +++ b/app/views/admin/application_settings/_ci_cd.html.haml @@ -64,6 +64,6 @@ = f.text_field :default_ci_config_path, class: 'form-control gl-form-input', placeholder: '.gitlab-ci.yml' %p.form-text.text-muted = _("The default CI/CD configuration file and path for new projects.").html_safe - = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'custom-cicd-configuration-file'), target: '_blank' + = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'specify-a-custom-cicd-configuration-file'), target: '_blank' = f.submit _('Save changes'), class: "gl-button btn btn-confirm" diff --git a/app/views/projects/settings/ci_cd/_form.html.haml b/app/views/projects/settings/ci_cd/_form.html.haml index c89c9879f4b..3942cfa4643 100644 --- a/app/views/projects/settings/ci_cd/_form.html.haml +++ b/app/views/projects/settings/ci_cd/_form.html.haml @@ -10,7 +10,7 @@ %strong= _("Public pipelines") .form-text.text-muted = _("Allow public access to pipelines and job details, including output logs and artifacts.") - = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'visibility-of-pipelines'), target: '_blank' + = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'change-which-users-can-view-your-pipelines'), target: '_blank' .form-group .form-check @@ -36,7 +36,7 @@ = f.text_field :ci_config_path, class: 'form-control', placeholder: '.gitlab-ci.yml' %p.form-text.text-muted = html_escape(_("The name of the CI/CD configuration file. A path relative to the root directory is optional (for example %{code_open}my/path/.myfile.yml%{code_close}).")) % { code_open: '<code>'.html_safe, code_close: '</code>'.html_safe } - = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'custom-cicd-configuration-file'), target: '_blank' + = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'specify-a-custom-cicd-configuration-file'), target: '_blank' %hr .form-group @@ -44,7 +44,7 @@ = _("Git strategy") %p = _("Choose which Git strategy to use when fetching the project.") - = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'git-strategy'), target: '_blank' + = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'choose-the-default-git-strategy'), target: '_blank' .form-check = f.radio_button :build_allow_git_fetch, 'false', { class: 'form-check-input' } = f.label :build_allow_git_fetch_false, class: 'form-check-label' do @@ -66,7 +66,7 @@ = form.number_field :default_git_depth, { class: 'form-control gl-form-input', min: 0, max: 1000 } %p.form-text.text-muted = html_escape(_('The number of changes to fetch from GitLab when cloning a repository. Lower values can speed up pipeline execution. Set to %{code_open}0%{code_close} or blank to fetch all branches and tags for each job')) % { code_open: '<code>'.html_safe, code_close: '</code>'.html_safe } - = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'git-shallow-clone'), target: '_blank' + = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'limit-the-number-of-changes-fetched-during-clone'), target: '_blank' %hr .form-group diff --git a/config/feature_flags/development/load_balancing_improved_caught_up_hosts_check.yml b/config/feature_flags/development/load_balancing_improved_caught_up_hosts_check.yml deleted file mode 100644 index 2ead0274d3a..00000000000 --- a/config/feature_flags/development/load_balancing_improved_caught_up_hosts_check.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -name: load_balancing_improved_caught_up_hosts_check -introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/65248 -rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/334989 -milestone: '14.1' -type: development -group: group::memory -default_enabled: false diff --git a/doc/administration/compliance.md b/doc/administration/compliance.md index 4f90d049ed0..742d23105a9 100644 --- a/doc/administration/compliance.md +++ b/doc/administration/compliance.md @@ -27,7 +27,7 @@ relevant compliance standards. |**[Audit events](audit_events.md)**<br>To maintain the integrity of your code, GitLab Enterprise Edition Premium gives administrators the ability to view any modifications made within the GitLab server in an advanced audit events system, so you can control, analyze, and track every change. | Premium+ | **{check-circle}** Yes | Instance, Group, Project | |**[Auditor users](auditor_users.md)**<br>Auditor users are users who are given read-only access to all projects, groups, and other resources on the GitLab instance. | Premium+ | **{dotted-circle}** No | Instance | |**[Credentials inventory](../user/admin_area/credentials_inventory.md)**<br>With a credentials inventory, GitLab administrators can keep track of the credentials used by all of the users in their GitLab instance. | Ultimate | **{dotted-circle}** No | Instance | -|**Separation of Duties using [Protected branches](../user/project/protected_branches.md#require-code-owner-approval-on-a-protected-branch) and [custom CI Configuration Paths](../ci/pipelines/settings.md#custom-cicd-configuration-file)**<br> GitLab Premium users can leverage the GitLab cross-project YAML configurations to define deployers of code and developers of code. View the [Separation of Duties Deploy Project](https://gitlab.com/guided-explorations/separation-of-duties-deploy/blob/master/README.md) and [Separation of Duties Project](https://gitlab.com/guided-explorations/separation-of-duties/blob/master/README.md) to see how to use this set up to define these roles. | Premium+ | **{check-circle}** Yes | Project | +|**Separation of Duties using [Protected branches](../user/project/protected_branches.md#require-code-owner-approval-on-a-protected-branch) and [custom CI Configuration Paths](../ci/pipelines/settings.md#specify-a-custom-cicd-configuration-file)**<br> GitLab Premium users can leverage the GitLab cross-project YAML configurations to define deployers of code and developers of code. View the [Separation of Duties Deploy Project](https://gitlab.com/guided-explorations/separation-of-duties-deploy/blob/master/README.md) and [Separation of Duties Project](https://gitlab.com/guided-explorations/separation-of-duties/blob/master/README.md) to see how to use this set up to define these roles. | Premium+ | **{check-circle}** Yes | Project | |**[Compliance frameworks](../user/project/settings/index.md#compliance-frameworks)**<br>Create a custom compliance framework at the group level to describe the type of compliance requirements any child project needs to follow. | Premium+ | **{check-circle}** Yes | Group | |**[Compliance pipelines](../user/project/settings/index.md#compliance-pipeline-configuration)**<br>Define a pipeline configuration to run for any projects with a given compliance framework. | Ultimate | **{check-circle}** Yes | Group | |**[Compliance dashboard](../user/compliance/compliance_dashboard/index.md)**<br>Quickly get visibility into the compliance posture of your organization. | Ultimate | **{check-circle}** Yes | Group | diff --git a/doc/administration/geo/setup/index.md b/doc/administration/geo/setup/index.md index 1afa4360cbc..84dff69ebe7 100644 --- a/doc/administration/geo/setup/index.md +++ b/doc/administration/geo/setup/index.md @@ -9,24 +9,24 @@ type: howto These instructions assume you have a working instance of GitLab. They guide you through: -1. Making your existing instance the **primary** node. -1. Adding **secondary** nodes. +1. Making your existing instance the **primary** site. +1. Adding **secondary** site(s). WARNING: -The steps below should be followed in the order they appear. **Make sure the GitLab version is the same on all nodes.** +The steps below should be followed in the order they appear. **Make sure the GitLab version is the same on all sites.** ## Using Omnibus GitLab If you installed GitLab using the Omnibus packages (highly recommended): -1. [Install GitLab Enterprise Edition](https://about.gitlab.com/install/) on the server that will serve as the **secondary** node. Do not create an account or log in to the new **secondary** node. -1. [Upload the GitLab License](../../../user/admin_area/license.md) on the **primary** node to unlock Geo. The license must be for [GitLab Premium](https://about.gitlab.com/pricing/) or higher. +1. [Install GitLab Enterprise Edition](https://about.gitlab.com/install/) on the node(s) that will serve as the **secondary** site. Do not create an account or log in to the new **secondary** site. +1. [Upload the GitLab License](../../../user/admin_area/license.md) on the **primary** site to unlock Geo. The license must be for [GitLab Premium](https://about.gitlab.com/pricing/) or higher. 1. [Set up the database replication](database.md) (`primary (read-write) <-> secondary (read-only)` topology). -1. [Configure fast lookup of authorized SSH keys in the database](../../operations/fast_ssh_key_lookup.md). This step is required and needs to be done on **both** the **primary** and **secondary** nodes. -1. [Configure GitLab](../replication/configuration.md) to set the **primary** and **secondary** nodes. -1. Optional: [Configure a secondary LDAP server](../../auth/ldap/index.md) for the **secondary** node. See [notes on LDAP](../index.md#ldap). +1. [Configure fast lookup of authorized SSH keys in the database](../../operations/fast_ssh_key_lookup.md). This step is required and needs to be done on **both** the **primary** and **secondary** site(s). +1. [Configure GitLab](../replication/configuration.md) to set the **primary** and **secondary** site(s). +1. Optional: [Configure a secondary LDAP server](../../auth/ldap/index.md) for the **secondary** site(s). See [notes on LDAP](../index.md#ldap). 1. Follow the [Using a Geo Site](../replication/usage.md) guide. ## Post-installation documentation -After installing GitLab on the **secondary** nodes and performing the initial configuration, see the [following documentation for post-installation information](../index.md#post-installation-documentation). +After installing GitLab on the **secondary** site(s) and performing the initial configuration, see the [following documentation for post-installation information](../index.md#post-installation-documentation). diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md index 21f5115747d..ad25825d31f 100644 --- a/doc/api/graphql/reference/index.md +++ b/doc/api/graphql/reference/index.md @@ -8891,6 +8891,7 @@ Relationship between an epic and an issue. | <a id="epicissueblocked"></a>`blocked` | [`Boolean!`](#boolean) | Indicates the issue is blocked. | | <a id="epicissueblockedbycount"></a>`blockedByCount` | [`Int`](#int) | Count of issues blocking this issue. | | <a id="epicissueblockedbyissues"></a>`blockedByIssues` | [`IssueConnection`](#issueconnection) | Issues blocking this issue. (see [Connections](#connections)) | +| <a id="epicissueblockingcount"></a>`blockingCount` | [`Int!`](#int) | Count of issues this issue is blocking. | | <a id="epicissueclosedat"></a>`closedAt` | [`Time`](#time) | Timestamp of when the issue was closed. | | <a id="epicissueconfidential"></a>`confidential` | [`Boolean!`](#boolean) | Indicates the issue is confidential. | | <a id="epicissuecreatenoteemail"></a>`createNoteEmail` | [`String`](#string) | User specific email address for the issue. | @@ -9945,6 +9946,7 @@ Returns [`VulnerabilitySeveritiesCount`](#vulnerabilityseveritiescount). | <a id="issueblocked"></a>`blocked` | [`Boolean!`](#boolean) | Indicates the issue is blocked. | | <a id="issueblockedbycount"></a>`blockedByCount` | [`Int`](#int) | Count of issues blocking this issue. | | <a id="issueblockedbyissues"></a>`blockedByIssues` | [`IssueConnection`](#issueconnection) | Issues blocking this issue. (see [Connections](#connections)) | +| <a id="issueblockingcount"></a>`blockingCount` | [`Int!`](#int) | Count of issues this issue is blocking. | | <a id="issueclosedat"></a>`closedAt` | [`Time`](#time) | Timestamp of when the issue was closed. | | <a id="issueconfidential"></a>`confidential` | [`Boolean!`](#boolean) | Indicates the issue is confidential. | | <a id="issuecreatenoteemail"></a>`createNoteEmail` | [`String`](#string) | User specific email address for the issue. | @@ -10957,6 +10959,7 @@ Represents the network policy. | <a id="networkpolicyenabled"></a>`enabled` | [`Boolean!`](#boolean) | Indicates whether this policy is enabled. | | <a id="networkpolicyenvironments"></a>`environments` | [`EnvironmentConnection`](#environmentconnection) | Environments where this policy is applied. (see [Connections](#connections)) | | <a id="networkpolicyfromautodevops"></a>`fromAutoDevops` | [`Boolean!`](#boolean) | Indicates whether this policy is created from AutoDevops. | +| <a id="networkpolicykind"></a>`kind` | [`NetworkPolicyKind!`](#networkpolicykind) | Kind of the policy. | | <a id="networkpolicyname"></a>`name` | [`String!`](#string) | Name of the policy. | | <a id="networkpolicynamespace"></a>`namespace` | [`String!`](#string) | Namespace of the policy. | | <a id="networkpolicyupdatedat"></a>`updatedAt` | [`Time!`](#time) | Timestamp of when the policy YAML was last updated. | @@ -14610,6 +14613,8 @@ Values for sorting issues. | Value | Description | | ----- | ----------- | +| <a id="issuesortblocking_issues_asc"></a>`BLOCKING_ISSUES_ASC` | Blocking issues count by ascending order. | +| <a id="issuesortblocking_issues_desc"></a>`BLOCKING_ISSUES_DESC` | Blocking issues count by descending order. | | <a id="issuesortcreated_asc"></a>`CREATED_ASC` | Created at ascending order. | | <a id="issuesortcreated_desc"></a>`CREATED_DESC` | Created at descending order. | | <a id="issuesortdue_date_asc"></a>`DUE_DATE_ASC` | Due date by ascending order. | @@ -14618,6 +14623,8 @@ Values for sorting issues. | <a id="issuesortlabel_priority_desc"></a>`LABEL_PRIORITY_DESC` | Label priority by descending order. | | <a id="issuesortmilestone_due_asc"></a>`MILESTONE_DUE_ASC` | Milestone due date by ascending order. | | <a id="issuesortmilestone_due_desc"></a>`MILESTONE_DUE_DESC` | Milestone due date by descending order. | +| <a id="issuesortpopularity_asc"></a>`POPULARITY_ASC` | Number of upvotes (awarded "thumbs up" emoji) by ascending order. | +| <a id="issuesortpopularity_desc"></a>`POPULARITY_DESC` | Number of upvotes (awarded "thumbs up" emoji) by descending order. | | <a id="issuesortpriority_asc"></a>`PRIORITY_ASC` | Priority by ascending order. | | <a id="issuesortpriority_desc"></a>`PRIORITY_DESC` | Priority by descending order. | | <a id="issuesortpublished_asc"></a>`PUBLISHED_ASC` | Published issues shown last. | @@ -14886,6 +14893,15 @@ Negated Iteration ID wildcard values. | ----- | ----------- | | <a id="negatediterationwildcardidcurrent"></a>`CURRENT` | Current iteration. | +### `NetworkPolicyKind` + +Kind of the network policy. + +| Value | Description | +| ----- | ----------- | +| <a id="networkpolicykindciliumnetworkpolicy"></a>`CiliumNetworkPolicy` | The policy kind of Cilium Network Policy. | +| <a id="networkpolicykindnetworkpolicy"></a>`NetworkPolicy` | The policy kind of Network Policy. | + ### `OncallRotationUnitEnum` Rotation length unit of an on-call rotation. diff --git a/doc/api/projects.md b/doc/api/projects.md index ec3a0c83759..ebf1c70c887 100644 --- a/doc/api/projects.md +++ b/doc/api/projects.md @@ -1326,7 +1326,7 @@ PUT /projects/:id | `build_timeout` | integer | **{dotted-circle}** No | The maximum amount of time, in seconds, that a job can run. | | `builds_access_level` | string | **{dotted-circle}** No | One of `disabled`, `private`, or `enabled`. | | `ci_config_path` | string | **{dotted-circle}** No | The path to CI configuration file. | -| `ci_default_git_depth` | integer | **{dotted-circle}** No | Default number of revisions for [shallow cloning](../ci/pipelines/settings.md#git-shallow-clone). | +| `ci_default_git_depth` | integer | **{dotted-circle}** No | Default number of revisions for [shallow cloning](../ci/pipelines/settings.md#limit-the-number-of-changes-fetched-during-clone). | | `ci_forward_deployment_enabled` | boolean | **{dotted-circle}** No | When a new deployment job starts, [skip older deployment jobs](../ci/pipelines/settings.md#skip-outdated-deployment-jobs) that are still pending | | `container_expiration_policy_attributes` | hash | **{dotted-circle}** No | Update the image cleanup policy for this project. Accepts: `cadence` (string), `keep_n` (integer), `older_than` (string), `name_regex` (string), `name_regex_delete` (string), `name_regex_keep` (string), `enabled` (boolean). | | `container_registry_enabled` | boolean | **{dotted-circle}** No | Enable container registry for this project. | diff --git a/doc/ci/environments/deployment_safety.md b/doc/ci/environments/deployment_safety.md index beb820a1da9..e38e8e6349b 100644 --- a/doc/ci/environments/deployment_safety.md +++ b/doc/ci/environments/deployment_safety.md @@ -141,7 +141,7 @@ reference a file in another project with a completely different set of permissio In this scenario, the `gitlab-ci.yml` is publicly accessible, but can only be edited by users with appropriate permissions in the other project. -For more information, see [Custom CI/CD configuration path](../pipelines/settings.md#custom-cicd-configuration-file). +For more information, see [Custom CI/CD configuration path](../pipelines/settings.md#specify-a-custom-cicd-configuration-file). ## Troubleshooting diff --git a/doc/ci/index.md b/doc/ci/index.md index cbb0a359fbe..593f50d4ffd 100644 --- a/doc/ci/index.md +++ b/doc/ci/index.md @@ -70,14 +70,14 @@ GitLab CI/CD supports numerous configuration options: | Configuration | Description | |:----------------------------------------------------------------------------------------|:------------------------------------------------------------------------------------------| | [Schedule pipelines](pipelines/schedules.md) | Schedule pipelines to run as often as you need. | -| [Custom path for `.gitlab-ci.yml`](pipelines/settings.md#custom-cicd-configuration-file) | Define a custom path for the CI/CD configuration file. | +| [Custom path for `.gitlab-ci.yml`](pipelines/settings.md#specify-a-custom-cicd-configuration-file) | Define a custom path for the CI/CD configuration file. | | [Git submodules for CI/CD](git_submodules.md) | Configure jobs for using Git submodules. | -| [SSH keys for CI/CD](ssh_keys/index.md) | Using SSH keys in your CI pipelines. | -| [Pipeline triggers](triggers/index.md) | Trigger pipelines through the API. | -| [Pipelines for Merge Requests](pipelines/merge_request_pipelines.md) | Design a pipeline structure for running a pipeline in merge requests. | +| [SSH keys for CI/CD](ssh_keys/index.md) | Using SSH keys in your CI pipelines. | +| [Pipeline triggers](triggers/index.md) | Trigger pipelines through the API. | +| [Pipelines for Merge Requests](pipelines/merge_request_pipelines.md) | Design a pipeline structure for running a pipeline in merge requests. | | [Integrate with Kubernetes clusters](../user/project/clusters/index.md) | Connect your project to Google Kubernetes Engine (GKE) or an existing Kubernetes cluster. | | [Optimize GitLab and GitLab Runner for large repositories](large_repositories/index.md) | Recommended strategies for handling large repositories. | -| [`.gitlab-ci.yml` full reference](yaml/index.md) | All the attributes you can use with GitLab CI/CD. | +| [`.gitlab-ci.yml` full reference](yaml/index.md) | All the attributes you can use with GitLab CI/CD. | Note that certain operations can only be performed according to the [user](../user/permissions.md#gitlab-cicd-permissions) and [job](../user/permissions.md#job-permissions) permissions. diff --git a/doc/ci/large_repositories/index.md b/doc/ci/large_repositories/index.md index 62e9749d959..c3b0cd79d2c 100644 --- a/doc/ci/large_repositories/index.md +++ b/doc/ci/large_repositories/index.md @@ -28,7 +28,7 @@ Each guideline is described in more detail in the sections below: > Introduced in GitLab Runner 8.9. -GitLab and GitLab Runner perform a [shallow clone](../pipelines/settings.md#git-shallow-clone) +GitLab and GitLab Runner perform a [shallow clone](../pipelines/settings.md#limit-the-number-of-changes-fetched-during-clone) by default. Ideally, you should always use `GIT_DEPTH` with a small number diff --git a/doc/ci/pipelines/settings.md b/doc/ci/pipelines/settings.md index 21416d003ea..236ca10190e 100644 --- a/doc/ci/pipelines/settings.md +++ b/doc/ci/pipelines/settings.md @@ -14,49 +14,48 @@ You can customize how pipelines run for your project. For an overview of pipelines, watch the video [GitLab CI Pipeline, Artifacts, and Environments](https://www.youtube.com/watch?v=PCKDICEe10s). Watch also [GitLab CI pipeline tutorial for beginners](https://www.youtube.com/watch?v=Jav4vbUrqII). -## Visibility of pipelines +## Change which users can view your pipelines -Pipeline visibility is determined by: - -- Your current [user access level](../../user/permissions.md). -- The **Public pipelines** project setting under your project's **Settings > CI/CD > General pipelines**. - -NOTE: -If the project visibility is set to **Private**, the [**Public pipelines** setting has no effect](../enable_or_disable_ci.md#per-project-user-setting). - -This also determines the visibility of these related features: +For public and internal projects, you can change who can see your: +- Pipelines - Job output logs - Job artifacts -- The [pipeline security dashboard](../../user/application_security/security_dashboard/index.md#pipeline-security) **(ULTIMATE)** +- [Pipeline security dashboard](../../user/application_security/security_dashboard/index.md#pipeline-security) + +However: -Job logs and artifacts are [not visible for guest users and non-project members](https://gitlab.com/gitlab-org/gitlab/-/issues/25649). +- Job output logs and artifacts are [never visible for Guest users and non-project members](https://gitlab.com/gitlab-org/gitlab/-/issues/25649). -If **Public pipelines** is enabled (default): +To change the visibility of your pipelines and related features: -- For **public** projects, anyone can view the pipelines and related features. -- For **internal** projects, any logged in user except [external users](../../user/permissions.md#external-users) can view the pipelines - and related features. -- For **private** projects, any project member (Guest or higher) can view the pipelines - and related features. +1. On the top bar, select **Menu > Projects** and find your project. +1. On the left sidebar, select **Settings > CI/CD**. +1. Expand **General pipelines**. +1. Select or clear the **Public pipelines** checkbox. + When it is selected, pipelines and related features are visible: + + - For **public** projects, to everyone. + - For **internal** projects, to all logged-in users except [external users](../../user/permissions.md#external-users). + - For **private** projects, to all project members (Guest or higher). -If **Public pipelines** is disabled: + When it is cleared: -- For **public** projects, anyone can view the pipelines, but only members - (Reporter or higher) can access the related features. -- For **internal** projects, any logged in user except [external users](../../user/permissions.md#external-users) can view the pipelines. - However, only members (reporter or higher) can access the job related features. -- For **private** projects, only project members (reporter or higher) - can view the pipelines or access the related features. + - For **public** projects, pipelines are visible to everyone. Related features are visible + only to project members (Reporter or higher). + - For **internal** projects, pipelines are visible to all logged in users except [external users](../../user/permissions.md#external-users). + Related features are visible only to project members (Reporter or higher). + - For **private** projects, pipelines and related features are visible to project members (Reporter or higher) only. ## Auto-cancel redundant pipelines You can set pending or running pipelines to cancel automatically when a new pipeline runs on the same branch. You can enable this in the project settings: -1. Go to **Settings > CI/CD**. +1. On the top bar, select **Menu > Projects** and find your project. +1. On the left sidebar, select **Settings > CI/CD**. 1. Expand **General Pipelines**. -1. Check the **Auto-cancel redundant pipelines** checkbox. -1. Click **Save changes**. +1. Select the **Auto-cancel redundant pipelines** checkbox. +1. Select **Save changes**. Use the [`interruptible`](../yaml/index.md#interruptible) keyword to indicate if a running job can be cancelled before it completes. @@ -73,12 +72,13 @@ newer one, which may not be what you want. To avoid this scenario: -1. Go to **Settings > CI/CD**. +1. On the top bar, select **Menu > Projects** and find your project. +1. On the left sidebar, select **Settings > CI/CD**. 1. Expand **General pipelines**. -1. Check the **Skip outdated deployment jobs** checkbox. -1. Click **Save changes**. +1. Select the **Skip outdated deployment jobs** checkbox. +1. Select **Save changes**. -When enabled, any older deployments job are skipped when a new deployment starts. +Older deployment job are skipped when a new deployment starts. For more information, see [Deployment safety](../environments/deployment_safety.md). @@ -92,78 +92,86 @@ about this and asks for confirmation. For more information, see [Deployment safety](../environments/deployment_safety.md). -## Custom CI/CD configuration file +## Specify a custom CI/CD configuration file > [Support for external `.gitlab-ci.yml` locations](https://gitlab.com/gitlab-org/gitlab/-/issues/14376) introduced in GitLab 12.6. -By default we look for the `.gitlab-ci.yml` file in the project's root -directory. If needed, you can specify an alternate path and filename, including locations outside the project. +GitLab expects to find the CI/CD configuration file (`.gitlab-ci.yml`) in the project's root +directory. However, you can specify an alternate filename path, including locations outside the project. To customize the path: -1. Go to the project's **Settings > CI/CD**. -1. Expand the **General pipelines** section. -1. Provide a value in the **CI/CD configuration file** field. -1. Click **Save changes**. +1. On the top bar, select **Menu > Projects** and find your project. +1. On the left sidebar, select **Settings > CI/CD**. +1. Expand **General pipelines**. +1. In the **CI/CD configuration file** field, enter the file name, and if: + - The file is not in the root directory, include the path. + - The file is in a different project, include the group and project name. + - The file is on an external site, enter the full URL. +1. Select **Save changes**. + +### Custom CI/CD configuration file examples -If the CI/CD configuration file is stored in the repository in a non-default -location, the path must be relative to the root directory. Examples of valid -paths and file names include: +If the CI/CD configuration file is not in the root directory, the path must be relative to it. +For example: -- `.gitlab-ci.yml` (default) -- `.my-custom-file.yml` - `my/path/.gitlab-ci.yml` - `my/path/.my-custom-file.yml` -If hosting the CI/CD configuration file on an external site, the URL link must end with `.yml`: +If the CI/CD configuration file is on an external site, the URL must end with `.yml`: - `http://example.com/generate/ci/config.yml` -If hosting the CI/CD configuration file in a different project in GitLab, the path must be relative +If the CI/CD configuration file is in a different project in GitLab, the path must be relative to the root directory in the other project. Include the group and project name at the end: - `.gitlab-ci.yml@mygroup/another-project` - `my/path/.my-custom-file.yml@mygroup/another-project` -Hosting the configuration file in a separate project allows stricter control of the -configuration file. For example: +If the configuration file is in a separate project, you can more set more granular permissions. For example: - Create a public project to host the configuration file. - Give write permissions on the project only to users who are allowed to edit the file. -Other users and projects can access the configuration file without being +Then other users and projects can access the configuration file without being able to edit it. -## Git strategy - -With Git strategy, you can choose the default way your repository is fetched -from GitLab in a job. +## Choose the default Git strategy -There are two options. Using: +You can choose how your repository is fetched from GitLab when a job runs. -- `git clone`, which is slower because it clones the repository from scratch - for every job, ensuring that the local working copy is always pristine. -- `git fetch`, which is default in GitLab and faster as it re-uses the local working copy (falling - back to clone if it doesn't exist). - This is recommended, especially for [large repositories](../large_repositories/index.md#git-strategy). +1. On the top bar, select **Menu > Projects** and find your project. +1. On the left sidebar, select **Settings > CI/CD**. +1. Expand **General pipelines**. +1. Under **Git strategy**, select an option: + - `git clone` is slower because it clones the repository from scratch + for every job. However, the local working copy is always pristine. + - `git fetch` is faster because it re-uses the local working copy (and falls + back to clone if it doesn't exist). This is recommended, especially for + [large repositories](../large_repositories/index.md#git-strategy). The configured Git strategy can be overridden by the [`GIT_STRATEGY` variable](../runners/configure_runners.md#git-strategy) -in `.gitlab-ci.yml`. +in the `.gitlab-ci.yml` file. -## Git shallow clone +## Limit the number of changes fetched during clone > [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/28919) in GitLab 12.0. -It is possible to limit the number of changes that GitLab CI/CD fetches when cloning -a repository. Setting a limit to `git depth` can speed up Pipelines execution. +You can limit the number of changes that GitLab CI/CD fetches when it clones +a repository. -In GitLab 12.0 and later, newly created projects automatically have a default -`git depth` value of `50`. The maximum allowed value is `1000`. +1. On the top bar, select **Menu > Projects** and find your project. +1. On the left sidebar, select **Settings > CI/CD**. +1. Expand **General pipelines**. +1. Under **Git strategy**, under **Git shallow clone**, enter a value. + The maximum value is `1000`. To disable shallow clone and make GitLab CI/CD + fetch all branches and tags each time, keep the value empty or set to `0`. -To disable shallow clone and make GitLab CI/CD fetch all branches and tags each time, -keep the value empty or set to `0`. +In GitLab 12.0 and later, newly created projects automatically have a default +`git depth` value of `50`. -This value can also be [overridden by `GIT_DEPTH`](../large_repositories/index.md#shallow-cloning) variable in `.gitlab-ci.yml` file. +This value can be overridden by the [`GIT_DEPTH` variable](../large_repositories/index.md#shallow-cloning) +in the `.gitlab-ci.yml` file. ## Timeout @@ -218,7 +226,7 @@ averaged. <!-- vale gitlab.Spelling = YES --> -### Code Coverage history +### Code coverage history > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/209121) the ability to download a `.csv` in GitLab 12.10. > - [Graph introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/33743) in GitLab 13.1. @@ -249,7 +257,7 @@ For example: lein cloverage | perl -pe 's/\e\[?.*?[\@-~]//g' ``` -## Pipeline Badges +## Pipeline badges In the pipelines settings page you can find pipeline status and test coverage badges for your project. The latest successful pipeline is used to read @@ -340,10 +348,6 @@ https://gitlab.com/gitlab-org/gitlab/badges/main/coverage.svg?job=karma&key_text  -## Related topics - -- [Maximum artifacts size](../../user/admin_area/settings/continuous_integration.md#maximum-artifacts-size). - <!-- ## Troubleshooting Include any troubleshooting steps that you can foresee. If you know beforehand what issues diff --git a/doc/ci/runners/configure_runners.md b/doc/ci/runners/configure_runners.md index 26703ed5420..5654fbbd288 100644 --- a/doc/ci/runners/configure_runners.md +++ b/doc/ci/runners/configure_runners.md @@ -258,7 +258,7 @@ variables: ``` There are three possible values: `clone`, `fetch`, and `none`. If left unspecified, -jobs use the [project's pipeline setting](../pipelines/settings.md#git-strategy). +jobs use the [project's pipeline setting](../pipelines/settings.md#choose-the-default-git-strategy). `clone` is the slowest option. It clones the repository from scratch for every job, ensuring that the local working copy is always pristine. @@ -428,7 +428,7 @@ It can be helpful for repositories with a large number of commits or old, large passed to `git fetch` and `git clone`. In GitLab 12.0 and later, newly-created projects automatically have a -[default `git depth` value of `50`](../pipelines/settings.md#git-shallow-clone). +[default `git depth` value of `50`](../pipelines/settings.md#limit-the-number-of-changes-fetched-during-clone). If you use a depth of `1` and have a queue of jobs or retry jobs, jobs may fail. diff --git a/doc/ci/ssh_keys/index.md b/doc/ci/ssh_keys/index.md index a27f6ac4983..6136f3be3f6 100644 --- a/doc/ci/ssh_keys/index.md +++ b/doc/ci/ssh_keys/index.md @@ -39,7 +39,7 @@ with any type of [executor](https://docs.gitlab.com/runner/executors/) In the following example, the `ssh-add -` command does not display the value of `$SSH_PRIVATE_KEY` in the job log, though it could be exposed if you enable [debug logging](../variables/index.md#debug-logging). You might also want to -check the [visibility of your pipelines](../pipelines/settings.md#visibility-of-pipelines). +check the [visibility of your pipelines](../pipelines/settings.md#change-which-users-can-view-your-pipelines). ## SSH keys when using the Docker executor diff --git a/doc/ci/variables/index.md b/doc/ci/variables/index.md index 5a8cf340fd1..e6768968d83 100644 --- a/doc/ci/variables/index.md +++ b/doc/ci/variables/index.md @@ -611,7 +611,7 @@ You can grant permission to override variables to [maintainers](../../user/permi with overridden variables, they receive the `Insufficient permissions to set pipeline variables` error message. -If you [store your CI/CD configurations in a different repository](../../ci/pipelines/settings.md#custom-cicd-configuration-file), +If you [store your CI/CD configurations in a different repository](../../ci/pipelines/settings.md#specify-a-custom-cicd-configuration-file), use this setting for control over the environment the pipeline runs in. You can enable this feature by using [the projects API](../../api/projects.md#edit-project) diff --git a/doc/development/index.md b/doc/development/index.md index 2121585c7ed..b53f2bf5362 100644 --- a/doc/development/index.md +++ b/doc/development/index.md @@ -159,63 +159,96 @@ the [reviewer values](https://about.gitlab.com/handbook/engineering/workflow/rev ## Backend guides +### General + - [Directory structure](directory_structure.md) - [GitLab utilities](utilities.md) -- [Issuable-like Rails models](issuable-like-models.md) +- [Newlines style guide](newlines_styleguide.md) - [Logging](logging.md) -- [API style guide](api_styleguide.md) for contributing to the API -- [GraphQL API style guide](api_graphql_styleguide.md) for contributing to the - [GraphQL API](../api/graphql/index.md) -- [Sidekiq guidelines](sidekiq_style_guide.md) for working with Sidekiq workers -- [Working with Gitaly](gitaly.md) -- [Manage feature flags](feature_flags/index.md) -- [Licensed feature availability](licensed_feature_availability.md) - [Dealing with email/mailers](emails.md) -- [Shell commands](shell_commands.md) in the GitLab codebase +- [Kubernetes integration guidelines](kubernetes.md) +- [Permissions](permissions.md) +- [Code comments](code_comments.md) +- [Windows Development on GCP](windows.md) +- [FIPS compliance](fips_compliance.md) - [`Gemfile` guidelines](gemfile.md) -- [Pry debugging](pry_debugging.md) -- [Sidekiq debugging](../administration/troubleshooting/sidekiq.md) -- [Accessing session data](session.md) + +### Things to be aware of + - [Gotchas](gotchas.md) to avoid - [Avoid modules with instance variables](module_with_instance_variables.md), if possible -- [How to dump production data to staging](db_dump.md) -- [Working with the GitHub importer](github_importer.md) -- [Import/Export development documentation](import_export.md) -- [Test Import Project](import_project.md) -- [Group migration](bulk_import.md) -- [Elasticsearch integration docs](elasticsearch.md) -- [Working with Merge Request diffs](diffs.md) -- [Kubernetes integration guidelines](kubernetes.md) -- [Permissions](permissions.md) - [Guidelines for reusing abstractions](reusing_abstractions.md) + +### Rails Framework related + +- [Routing](routing.md) +- [Rails initializers](rails_initializers.md) +- [Mass Inserting Models](mass_insert.md) +- [Issuable-like Rails models](issuable-like-models.md) +- [Issue types vs first-class types](issue_types.md) - [DeclarativePolicy framework](policies.md) + +### Debugging + +- [Pry debugging](pry_debugging.md) +- [Sidekiq debugging](../administration/troubleshooting/sidekiq.md) + +### Git specifics + - [How Git object deduplication works in GitLab](git_object_deduplication.md) -- [Geo development](geo.md) -- [Routing](routing.md) -- [Repository mirroring](repository_mirroring.md) - [Git LFS](lfs.md) + +### API + +- [API style guide](api_styleguide.md) for contributing to the API +- [GraphQL API style guide](api_graphql_styleguide.md) for contributing to the + [GraphQL API](../api/graphql/index.md) + +### GitLab components and features + - [Developing against interacting components or features](interacting_components.md) +- [Manage feature flags](feature_flags/index.md) +- [Licensed feature availability](licensed_feature_availability.md) +- [Accessing session data](session.md) +- [How to dump production data to staging](db_dump.md) +- [Geo development](geo.md) +- [Redis guidelines](redis.md) +- [Sidekiq guidelines](sidekiq_style_guide.md) for working with Sidekiq workers +- [Working with Gitaly](gitaly.md) +- [Elasticsearch integration docs](elasticsearch.md) +- [Working with Merge Request diffs](diffs.md) +- [Approval Rules](approval_rules.md) +- [Repository mirroring](repository_mirroring.md) - [File uploads](uploads.md) - [Auto DevOps development guide](auto_devops.md) -- [Mass Inserting Models](mass_insert.md) -- [Value Stream Analytics development guide](value_stream_analytics.md) -- [Issue types vs first-class types](issue_types.md) -- [Application limits](application_limits.md) -- [Redis guidelines](redis.md) -- [Rails initializers](rails_initializers.md) -- [Code comments](code_comments.md) - [Renaming features](renaming_features.md) -- [Windows Development on GCP](windows.md) - [Code Intelligence](code_intelligence/index.md) -- [Approval Rules](approval_rules.md) - [Feature categorization](feature_categorization/index.md) - [Wikis development guide](wikis.md) -- [Newlines style guide](newlines_styleguide.md) - [Image scaling guide](image_scaling.md) -- [Export to CSV](export_csv.md) - [Cascading Settings](cascading_settings.md) -- [FIPS compliance](fips_compliance.md) +- [Shell commands](shell_commands.md) in the GitLab codebase +- [Value Stream Analytics development guide](value_stream_analytics.md) +- [Application limits](application_limits.md) + +### Import/Export + +- [Working with the GitHub importer](github_importer.md) +- [Import/Export development documentation](import_export.md) +- [Test Import Project](import_project.md) +- [Group migration](bulk_import.md) +- [Export to CSV](export_csv.md) + +## Language-specific guides + +### Go guides + +- [Go Guidelines](go_guide/index.md) + +### Shell Scripting guides + +- [Shell scripting standards and style guidelines](shell_scripting_guide/index.md) ## Performance guides @@ -286,14 +319,6 @@ See [database guidelines](database/index.md). - [Licensing](licensing.md) for ensuring license compliance -## Go guides - -- [Go Guidelines](go_guide/index.md) - -## Shell Scripting guides - -- [Shell scripting standards and style guidelines](shell_scripting_guide/index.md) - ## Domain-specific guides - [CI/CD development documentation](cicd/index.md) diff --git a/doc/development/integrations/secure.md b/doc/development/integrations/secure.md index a44fa2e54f4..07f7ac6a2ac 100644 --- a/doc/development/integrations/secure.md +++ b/doc/development/integrations/secure.md @@ -29,7 +29,13 @@ in the [CI documentation](../../ci/yaml/index.md#image). For consistency, scanning jobs should be named after the scanner, in lower case. The job name is suffixed after the type of scanning: -`_dependency_scanning`, `_container_scanning`, `_dast`, and `_sast`. + +- `_dependency_scanning` +- `_cluster_image_scanning` +- `_container_scanning` +- `_dast` +- `_sast` + For instance, the dependency scanning job based on the "MySec" scanner would be named `mysec_dependency_scanning`. ### Image @@ -69,7 +75,15 @@ so the [`allow_failure`](../../ci/yaml/index.md#allow_failure) parameter should Scanning jobs must declare a report that corresponds to the type of scanning they perform, using the [`artifacts:reports`](../../ci/yaml/index.md#artifactsreports) keyword. -Valid reports are: `dependency_scanning`, `container_scanning`, `dast`, `api_fuzzing`, `coverage_fuzzing`, and `sast`. +Valid reports are: + +- `dependency_scanning` +- `container_scanning` +- `cluster_image_scanning` +- `dast` +- `api_fuzzing` +- `coverage_fuzzing` +- `sast` For example, here is the definition of a SAST job that generates a file named `gl-sast-report.json`, and uploads it as a SAST report: @@ -90,9 +104,15 @@ it's declared under the `reports:sast` key in the job definition, not because of Certain GitLab workflows, such as [AutoDevOps](../../topics/autodevops/customize.md#disable-jobs), define CI/CD variables to indicate that given scans should be disabled. You can check for this by looking -for variables such as `DEPENDENCY_SCANNING_DISABLED`, `CONTAINER_SCANNING_DISABLED`, -`SAST_DISABLED`, and `DAST_DISABLED`. If appropriate based on the scanner type, you should then -disable running the custom scanner. +for variables such as: + +- `DEPENDENCY_SCANNING_DISABLED` +- `CONTAINER_SCANNING_DISABLED` +- `CLUSTER_IMAGE_SCANNING_DISABLED` +- `SAST_DISABLED` +- `DAST_DISABLED` + +If appropriate based on the scanner type, you should then disable running the custom scanner. GitLab also defines a `CI_PROJECT_REPOSITORY_LANGUAGES` variable, which provides the list of languages in the repository. Depending on this value, your scanner may or may not do something different. @@ -194,6 +214,19 @@ using the variables `DOCKER_USER` and `DOCKER_PASSWORD`. If these are not defined, then the scanner should use `CI_REGISTRY_USER` and `CI_REGISTRY_PASSWORD` as default values. +#### Cluster Image Scanning + +To be consistent with the official `cluster_image_scanning` for GitLab, scanners must scan the +Kubernetes cluster whose configuration is given by `KUBECONFIG`. + +If you use the `CIS_KUBECONFIG` CI/CD variable, then the +`KUBECONFIG` variable is ignored and the cluster specified in the +`CIS_KUBECONFIG` variable is scanned instead. If you don't provide +the `CIS_KUBECONFIG` CI/CD variable, the value defaults to the value of +`$KUBECONFIG`. `$KUBECONFIG` is a predefined CI/CD variable configured when the project is assigned to a +Kubernetes cluster. When multiple contexts are provided in the `KUBECONFIG` variable, the context +selected as `current-context` will be used to fetch vulnerabilities. + #### Configuration files While scanners may use `CI_PROJECT_DIR` to load specific configuration files, @@ -282,7 +315,8 @@ The format is extensively described in the documentation of [SAST](../../user/application_security/sast/index.md#reports-json-format), [DAST](../../user/application_security/dast/#reports), [Dependency Scanning](../../user/application_security/dependency_scanning/index.md#reports-json-format), -and [Container Scanning](../../user/application_security/container_scanning/index.md#reports-json-format). +[Container Scanning](../../user/application_security/container_scanning/index.md#reports-json-format), +and [Cluster Image Scanning](../../user/application_security/cluster_image_scanning/index.md#reports-json-format). You can find the schemas for these scanners here: @@ -310,7 +344,12 @@ We recommend that you generate a UUID and use it as the `id` field's value. #### Category The value of the `category` field matches the report type: -`dependency_scanning`, `container_scanning`, `sast`, and `dast`. + +- `dependency_scanning` +- `cluster_image_scanning` +- `container_scanning` +- `sast` +- `dast` #### Scanner @@ -480,6 +519,31 @@ so these attributes are mandatory. The `image` is also mandatory. All other attributes are optional. +#### Cluster Image Scanning + +The `location` of a `cluster_image_scanning` vulnerability has a `dependency` field. It also has +an `operating_system` field. For example, here is the `location` object for a vulnerability +affecting version `2.50.3-2+deb9u1` of Debian package `glib2.0`: + +```json +{ + "dependency": { + "package": { + "name": "glib2.0" + }, + }, + "version": "2.50.3-2+deb9u1", + "operating_system": "debian:9", + "image": "index.docker.io/library/nginx:1.18" +} +``` + +The affected package is found when scanning the image of the pod `index.docker.io/library/nginx:1.18`. + +The location fingerprint of a Cluster Image Scanning vulnerability combines the +`operating_system` and the package `name`, so these attributes are mandatory. The `image` is also +mandatory. All other attributes are optional. + #### SAST The `location` of a SAST vulnerability must have a `file` and a `start_line` field, diff --git a/doc/development/integrations/secure_partner_integration.md b/doc/development/integrations/secure_partner_integration.md index a143c654c21..34e0aaedfaf 100644 --- a/doc/development/integrations/secure_partner_integration.md +++ b/doc/development/integrations/secure_partner_integration.md @@ -90,6 +90,7 @@ and complete an integration with the Secure stage. - Documentation for [SAST reports](../../user/application_security/sast/index.md#reports-json-format). - Documentation for [Dependency Scanning reports](../../user/application_security/dependency_scanning/index.md#reports-json-format). - Documentation for [Container Scanning reports](../../user/application_security/container_scanning/index.md#reports-json-format). + - Documentation for [`cluster_image_scanning` reports](../../user/application_security/cluster_image_scanning/index.md#reports-json-format). - See this [example secure job definition that also defines the artifact created](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml). - If you need a new kind of scan or report, [create an issue](https://gitlab.com/gitlab-org/gitlab/-/issues/new#) and add the label `devops::secure`. diff --git a/doc/push_rules/push_rules.md b/doc/push_rules/push_rules.md index a19535eb90a..34a63f425eb 100644 --- a/doc/push_rules/push_rules.md +++ b/doc/push_rules/push_rules.md @@ -39,12 +39,6 @@ Now when a user tries to push a commit with a message `Bugfix`, their push is declined. Only pushing commits with messages like `Bugfix according to JIRA-123` is accepted. -The error message includes the rejected commit's SHA. -To resolve such errors, commit again with a matching message, -[rebase and reword](../topics/git/numerous_undo_possibilities_in_git/index.md#how-to-change-history), -or [amend](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt---amend) -that commit's message locally. - ### Restrict branch names If your company has a strict policy for branch names, you may want the branches to start diff --git a/doc/user/admin_area/settings/continuous_integration.md b/doc/user/admin_area/settings/continuous_integration.md index 795144a64c1..69d86259409 100644 --- a/doc/user/admin_area/settings/continuous_integration.md +++ b/doc/user/admin_area/settings/continuous_integration.md @@ -214,7 +214,7 @@ of your GitLab instance (`.gitlab-ci.yml` if not set): 1. Input the new file and path in the **Default CI/CD configuration file** field. 1. Hit **Save changes** for the changes to take effect. -It is also possible to specify a [custom CI/CD configuration file for a specific project](../../../ci/pipelines/settings.md#custom-cicd-configuration-file). +It is also possible to specify a [custom CI/CD configuration file for a specific project](../../../ci/pipelines/settings.md#specify-a-custom-cicd-configuration-file). ## Required pipeline configuration **(PREMIUM SELF)** diff --git a/doc/user/application_security/cluster_image_scanning/index.md b/doc/user/application_security/cluster_image_scanning/index.md new file mode 100644 index 00000000000..abbe00a85ab --- /dev/null +++ b/doc/user/application_security/cluster_image_scanning/index.md @@ -0,0 +1,281 @@ +--- +type: reference, howto +stage: Protect +group: Container Security +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# Cluster Image Scanning **(ULTIMATE)** + +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 14.1. + +WARNING: +This analyzer is in [Alpha](https://about.gitlab.com/handbook/product/gitlab-the-product/#alpha) +and is unstable. The JSON report and CI/CD configuration may be subject to change or breakage +across GitLab releases. + +Your Kubernetes cluster may run workloads based on images that the Container Security analyzer +didn't scan. These images may therefore contain known vulnerabilities. By including an extra job in +your pipeline that scans for those security risks and displays them in the vulnerability report, you +can use GitLab to audit your Kubernetes workloads and environments. + +GitLab provides integration with open-source tools for vulnerability analysis in Kubernetes clusters: + +- [Starboard](https://github.com/aquasecurity/starboard) + +To integrate GitLab with security scanners other than those listed here, see +[Security scanner integration](../../../development/integrations/secure.md). + +You can enable cluster image scanning by [including the CI job](#configuration) +in your existing `.gitlab-ci.yml` file. + +## Prerequisites + +To enable cluster image scanning in your pipeline, you need the following: + +- [GitLab Runner](https://docs.gitlab.com/runner/) + with the [`docker`](https://docs.gitlab.com/runner/executors/docker.html) + or [`kubernetes`](https://docs.gitlab.com/runner/install/kubernetes.html) + executor. +- Docker `18.09.03` or later installed on the same computer as the runner. If you're using the + shared runners on GitLab.com, then this is already the case. +- [Starboard Operator](https://aquasecurity.github.io/starboard/v0.10.3/operator/installation/kubectl/) + installed and configured in your cluster. +- The configuration for accessing your Kubernetes cluster stored in the `CIS_KUBECONFIG` + [configuration variable](#cicd-variables-for-cluster-image-scanning) + with the type set to `File` (see [Configuring the cluster](#configuring-the-cluster)). + +## Configuring the cluster + +1. Create a new service account. + + To properly fetch vulnerabilities from the cluster and to limit analyzer access to the workload, + you must create a new service account with the cluster role limited to `get`, `list`, and `watch` + `vulnerabilityreports` in the Kubernetes cluster: + + ```shell + kubectl apply -f https://gitlab.com/gitlab-org/security-products/analyzers/cluster-image-scanning/-/raw/main/gitlab-vulnerability-viewer-service-account.yaml + ``` + +1. Obtain the Kubernetes API URL. + + Get the API URL by running this command: + + ```shell + API_URL=$(kubectl cluster-info | grep -E 'Kubernetes master|Kubernetes control plane' | awk '/http/ {print $NF}') + ``` + +1. Obtain the CA certificate: + + 1. List the secrets with `kubectl get secrets`. One should have a name similar to + `default-token-xxxxx`. Copy that token name for use below. + + 1. Run this command to get the certificate: + + ```shell + CA_CERTIFICATE=$(kubectl get secret <secret name> -o jsonpath="{['data']['ca\.crt']}") + ``` + +1. Obtain the service account token: + + ```shell + TOKEN=$(kubectl -n kube-system get secret $(kubectl -n kube-system get secret | grep gitlab-vulnerability-viewer | awk '{print $1}') -o jsonpath="{.data.token}" | base64 --decode) + ``` + +1. Generate the value for the `CIS_KUBECONFIG` variable. Copy the printed value from the output: + + ```shell + echo " + --- + apiVersion: v1 + kind: Config + clusters: + - name: gitlab-vulnerabilities-viewer + cluster: + server: $API_URL + certificate-authority-data: $CA_CERTIFICATE + contexts: + - name: gitlab-vulnerabilities-viewer + context: + cluster: gitlab-vulnerabilities-viewer + namespace: default + user: gitlab-vulnerabilities-viewer + current-context: gitlab-vulnerabilities-viewer + users: + - name: gitlab-vulnerabilities-viewer + user: + token: $TOKEN + " + ``` + +1. Set the CI/CD variable: + + 1. Navigate to your project's **Settings > CI/CD**. + + 1. Expand the **Variables** section. + + 1. Select **Add variable** and fill in the details: + + - **Key**: `CIS_KUBECONFIG`. + - **Value**: `generated value` + - **Type**: `File` + +WARNING: +The `CIS_KUBECONFIG` variable is accessible by all jobs executed for your project. Mark the +`Protect variable` flag to export this variable to pipelines running on protected branches and tags +only. You can apply additional protection to your cluster by +[restricting service account access to a single namespace](https://kubernetes.io/docs/reference/access-authn-authz/rbac/), +and [configuring Starboard Operator](https://aquasecurity.github.io/starboard/v0.10.3/operator/configuration/#install-modes) +to install in restricted mode. + +## Configuration + +To include the `Cluster-Image-Scanning.gitlab-ci.yml` template (GitLab 14.1 and later), add the +following to your `.gitlab-ci.yml` file: + +```yaml +include: + - template: Security/Cluster-Image-Scanning.gitlab-ci.yml +``` + +The included template: + +- Creates a `cluster_image_scanning` job in your CI/CD pipeline. +- Connects to your Kubernetes cluster with credentials provided in the `CIS_KUBECONFIG` variable and + fetches vulnerabilities found by [Starboard Operator](https://aquasecurity.github.io/starboard/v0.10.3/operator/). + +GitLab saves the results as a +[Cluster Image Scanning report artifact](../../../ci/yaml/index.md#artifactsreportscluster_image_scanning) +that you can download and analyze later. When downloading, you always receive the most recent +artifact. + +### Customize the cluster image scanning settings + +You can customize how GitLab scans your cluster. For example, to restrict the analyzer to get +results for only a certain workload, use the [`variables`](../../../ci/yaml/index.md#variables) +parameter in your `.gitlab-ci.yml` to set [CI/CD variables](#cicd-variables-for-cluster-image-scanning). +The variables you set in your `.gitlab-ci.yml` overwrite those in +`Cluster-Image-Scanning.gitlab-ci.yml`. + +#### CI/CD variables for cluster image scanning + +You can [configure](#customize-the-cluster-image-scanning-settings) analyzers by using the following CI/CD variables: + +| CI/CD Variable | Default | Description | +| ------------------------------ | ------------- | ----------- | +| `CIS_KUBECONFIG` | `""` | File used to configure access to the Kubernetes cluster. See the [Kubernetes documentation](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/) for more details. | +| `CIS_CONTAINER_NAME` | `""` | Name of the container used in the Kubernetes resource you want to filter vulnerabilities for. For example, `alpine`. | +| `CIS_RESOURCE_NAME` | `""` | Name of the Kubernetes resource you want to filter vulnerabilities for. For example, `nginx`. | +| `CIS_RESOURCE_NAMESPACE` | `""` | Namespace of the Kubernetes resource you want to filter vulnerabilities for. For example, `production`. | +| `CIS_RESOURCE_KIND` | `""` | Kind of the Kubernetes resource you want to filter vulnerabilities for. For example, `deployment`. | + +### Override the cluster image scanning template + +If you want to override the job definition (for example, to change properties like `variables`), you +must declare and override a job after the template inclusion, and then +specify any additional keys. + +This example sets `CIS_RESOURCE_NAME` to `nginx`: + +```yaml +include: + - template: Security/Cluster-Image-Scanning.gitlab-ci.yml + +cluster_image_scanning: + variables: + CIS_RESOURCE_NAME: nginx +``` + +### Connect with Kubernetes cluster associated to the project + +If you want to connect to the Kubernetes cluster associated with the project and run Cluster Image Scanning jobs without +configuring the `CIS_KUBECONFIG` variable, you must extend `cluster_image_scanning` and specify the environment you want to scan. + +This example configures the `cluster_image_scanning` job to scan the Kubernetes cluster connected with the `staging` environment: + +```yaml +cluster_image_scanning: + environment: + name: staging + action: prepare +``` + +## Reports JSON format + +The cluster image scanning tool emits a JSON report file. For more information, see the +[schema for this report](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/container-scanning-report-format.json). + +Here's an example cluster image scanning report: + +```json-doc +{{ + "version": "14.0.2", + "scan": { + "scanner": { + "id": "starboard_trivy", + "name": "Trivy (using Starboard Operator)", + "url": "https://github.com/aquasecurity/starboard", + "vendor": { + "name": "GitLab" + }, + "version": "0.16.0" + }, + "start_time": "2021-04-28T12:47:00Z", + "end_time": "2021-04-28T12:47:00Z", + "type": "cluster_image_scanning", + "status": "success" + }, + "vulnerabilities": [ + { + "id": "c15f22205ee842184c2d55f1a207b3708283353f85083d66c34379c709b0ac9d", + "category": "cluster_image_scanning", + "message": "CVE-2011-3374 in apt", + "description": "", + "cve": "library/nginx:1.18:apt:CVE-2011-3374", + "severity": "Low", + "confidence": "Unknown", + "solution": "Upgrade apt from 1.8.2.2", + "scanner": { + "id": "starboard_trivy", + "name": "Trivy (using Starboard Operator)" + }, + "location": { + "dependency": { + "package": { + "name": "apt" + }, + "version": "1.8.2.2" + }, + "operating_system": "library/nginx:1.18", + "image": "index.docker.io/library/nginx:1.18" + }, + "identifiers": [ + { + "type": "cve", + "name": "CVE-2011-3374", + "value": "CVE-2011-3374", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3374" + } + ], + "links": [ + "https://avd.aquasec.com/nvd/cve-2011-3374" + ] + } + ] +} +``` + +## Security Dashboard + +The [Security Dashboard](../security_dashboard/index.md) shows you an overview of all +the security vulnerabilities in your groups, projects, and pipelines. + +## Interacting with the vulnerabilities + +After a vulnerability is found, you can [address it](../vulnerabilities/index.md). + +## Troubleshooting + +### Getting warning message `gl-cluster-image-scanning-report.json: no matching files` + +For information on this error, see the [general Application Security troubleshooting section](../../../ci/pipelines/job_artifacts.md#error-message-no-files-to-upload). diff --git a/doc/user/application_security/container_scanning/index.md b/doc/user/application_security/container_scanning/index.md index fc2a76b808b..448250a9d63 100644 --- a/doc/user/application_security/container_scanning/index.md +++ b/doc/user/application_security/container_scanning/index.md @@ -189,11 +189,6 @@ container_scanning: GIT_STRATEGY: fetch ``` -WARNING: -GitLab 13.0 and later doesn't support [`only` and `except`](../../../ci/yaml/index.md#only--except). -When overriding the template, you must use [`rules`](../../../ci/yaml/index.md#rules) -instead. - ### Change scanners The container-scanning analyzer can use different scanners, depending on the value of the diff --git a/doc/user/application_security/index.md b/doc/user/application_security/index.md index 918d9c515aa..616d2f8c790 100644 --- a/doc/user/application_security/index.md +++ b/doc/user/application_security/index.md @@ -33,16 +33,17 @@ GitLab uses the following tools to scan and report known vulnerabilities found i | Secure scanning tool | Description | |:-----------------------------------------------------------------------------|:-----------------------------------------------------------------------| -| [Container Scanning](container_scanning/index.md) **(ULTIMATE)** | Scan Docker containers for known vulnerabilities. | -| [Dependency List](dependency_list/index.md) **(ULTIMATE)** | View your project's dependencies and their known vulnerabilities. | -| [Dependency Scanning](dependency_scanning/index.md) **(ULTIMATE)** | Analyze your dependencies for known vulnerabilities. | -| [Dynamic Application Security Testing (DAST)](dast/index.md) **(ULTIMATE)** | Analyze running web applications for known vulnerabilities. | -| [DAST API](dast_api/index.md) **(ULTIMATE)** | Analyze running web APIs for known vulnerabilities. | -| [API fuzzing](api_fuzzing/index.md) **(ULTIMATE)** | Find unknown bugs and vulnerabilities in web APIs with fuzzing. | -| [Secret Detection](secret_detection/index.md) | Analyze Git history for leaked secrets. | -| [Security Dashboard](security_dashboard/index.md) **(ULTIMATE)** | View vulnerabilities in all your projects and groups. | -| [Static Application Security Testing (SAST)](sast/index.md) | Analyze source code for known vulnerabilities. | -| [Coverage fuzzing](coverage_fuzzing/index.md) **(ULTIMATE)** | Find unknown bugs and vulnerabilities with coverage-guided fuzzing. | +| [Container Scanning](container_scanning/index.md) **(ULTIMATE)** | Scan Docker containers for known vulnerabilities. | +| [Dependency List](dependency_list/index.md) **(ULTIMATE)** | View your project's dependencies and their known vulnerabilities. | +| [Dependency Scanning](dependency_scanning/index.md) **(ULTIMATE)** | Analyze your dependencies for known vulnerabilities. | +| [Dynamic Application Security Testing (DAST)](dast/index.md) **(ULTIMATE)** | Analyze running web applications for known vulnerabilities. | +| [DAST API](dast_api/index.md) **(ULTIMATE)** | Analyze running web APIs for known vulnerabilities. | +| [API fuzzing](api_fuzzing/index.md) **(ULTIMATE)** | Find unknown bugs and vulnerabilities in web APIs with fuzzing. | +| [Secret Detection](secret_detection/index.md) | Analyze Git history for leaked secrets. | +| [Security Dashboard](security_dashboard/index.md) **(ULTIMATE)** | View vulnerabilities in all your projects and groups. | +| [Static Application Security Testing (SAST)](sast/index.md) | Analyze source code for known vulnerabilities. | +| [Coverage fuzzing](coverage_fuzzing/index.md) **(ULTIMATE)** | Find unknown bugs and vulnerabilities with coverage-guided fuzzing. | +| [Cluster Image Scanning](cluster_image_scanning/index.md) **(ULTIMATE)** | Scan Kubernetes clusters for known vulnerabilities. | ## Security scanning with Auto DevOps diff --git a/doc/user/application_security/secret_detection/index.md b/doc/user/application_security/secret_detection/index.md index 4805c2a7a50..5f5ad7aa0b6 100644 --- a/doc/user/application_security/secret_detection/index.md +++ b/doc/user/application_security/secret_detection/index.md @@ -390,7 +390,7 @@ For information on this, see the [general Application Security troubleshooting s ### Error: `Couldn't run the gitleaks command: exit status 2` If a pipeline is triggered from a Merge Request containing 60 commits while the `GIT_DEPTH` variable -is set to 50 (a [project default](../../../ci/pipelines/settings.md#git-shallow-clone)), +is set to 50 (a [project default](../../../ci/pipelines/settings.md#limit-the-number-of-changes-fetched-during-clone)), the Secret Detection job fails as the clone is not deep enough to contain all of the relevant commits. diff --git a/doc/user/application_security/security_dashboard/index.md b/doc/user/application_security/security_dashboard/index.md index 3c12321ee25..806bc03e30e 100644 --- a/doc/user/application_security/security_dashboard/index.md +++ b/doc/user/application_security/security_dashboard/index.md @@ -33,6 +33,7 @@ The security dashboard and vulnerability report displays information about vulne - [Dynamic Application Security Testing](../dast/index.md) - [Dependency Scanning](../dependency_scanning/index.md) - [Static Application Security Testing](../sast/index.md) +- [Cluster Image Scanning](../cluster_image_scanning/index.md) - And [others](../index.md#security-scanning-tools)! ## Prerequisites diff --git a/doc/user/application_security/terminology/index.md b/doc/user/application_security/terminology/index.md index ce30accfb4d..c96497e9233 100644 --- a/doc/user/application_security/terminology/index.md +++ b/doc/user/application_security/terminology/index.md @@ -118,6 +118,7 @@ The type of scan. This must be one of the following: - `dependency_scanning` - `dast` - `sast` +- `cluster_image_scanning` ### Scanner diff --git a/doc/user/discussions/img/discussion_lock_system_notes.png b/doc/user/discussions/img/discussion_lock_system_notes.png Binary files differdeleted file mode 100644 index 44a47e3f097..00000000000 --- a/doc/user/discussions/img/discussion_lock_system_notes.png +++ /dev/null diff --git a/doc/user/discussions/img/image_resolved_discussion.png b/doc/user/discussions/img/image_resolved_discussion.png Binary files differdeleted file mode 100644 index f6e5a3b66ae..00000000000 --- a/doc/user/discussions/img/image_resolved_discussion.png +++ /dev/null diff --git a/doc/user/discussions/img/lock_form_member.png b/doc/user/discussions/img/lock_form_member.png Binary files differdeleted file mode 100644 index 7bfcb4faae6..00000000000 --- a/doc/user/discussions/img/lock_form_member.png +++ /dev/null diff --git a/doc/user/discussions/img/lock_form_non_member.png b/doc/user/discussions/img/lock_form_non_member.png Binary files differdeleted file mode 100644 index 59e5fd89499..00000000000 --- a/doc/user/discussions/img/lock_form_non_member.png +++ /dev/null diff --git a/doc/user/discussions/img/onion_skin_view.png b/doc/user/discussions/img/onion_skin_view.png Binary files differdeleted file mode 100644 index 81bb4a2c85a..00000000000 --- a/doc/user/discussions/img/onion_skin_view.png +++ /dev/null diff --git a/doc/user/discussions/img/quickly_assign_commenter_v13_1.png b/doc/user/discussions/img/quickly_assign_commenter_v13_1.png Binary files differindex 7f8ce62fe88..aa8f65ef6c4 100644 --- a/doc/user/discussions/img/quickly_assign_commenter_v13_1.png +++ b/doc/user/discussions/img/quickly_assign_commenter_v13_1.png diff --git a/doc/user/discussions/img/start_image_discussion.gif b/doc/user/discussions/img/start_image_discussion.gif Binary files differindex 43efbf2fbb2..18b2a4701cc 100644 --- a/doc/user/discussions/img/start_image_discussion.gif +++ b/doc/user/discussions/img/start_image_discussion.gif diff --git a/doc/user/discussions/img/swipe_view.png b/doc/user/discussions/img/swipe_view.png Binary files differdeleted file mode 100644 index e6f5e5053af..00000000000 --- a/doc/user/discussions/img/swipe_view.png +++ /dev/null diff --git a/doc/user/discussions/img/turn_off_lock.png b/doc/user/discussions/img/turn_off_lock.png Binary files differdeleted file mode 100644 index aae1def6f72..00000000000 --- a/doc/user/discussions/img/turn_off_lock.png +++ /dev/null diff --git a/doc/user/discussions/img/turn_on_lock.png b/doc/user/discussions/img/turn_on_lock.png Binary files differdeleted file mode 100644 index f36ffc8831b..00000000000 --- a/doc/user/discussions/img/turn_on_lock.png +++ /dev/null diff --git a/doc/user/discussions/img/two_up_view.png b/doc/user/discussions/img/two_up_view.png Binary files differdeleted file mode 100644 index 3b6ddfbe1be..00000000000 --- a/doc/user/discussions/img/two_up_view.png +++ /dev/null diff --git a/doc/user/discussions/index.md b/doc/user/discussions/index.md index 670a7602e36..12aa4f6c775 100644 --- a/doc/user/discussions/index.md +++ b/doc/user/discussions/index.md @@ -220,75 +220,36 @@ WARNING: Threads created this way are lost if the commit ID changes after a force push. -## Image threads +## Add a comment to an image -Sometimes a thread is revolved around an image. With image threads, -you can easily target a specific coordinate of an image and start a thread -around it. Image threads are available in merge requests and commit detail views. +In merge requests and commit detail views, you can add a comment to an image. +This comment can also be a thread. -To start an image thread, hover your mouse over the image. Your mouse pointer -should convert into an icon, indicating that the image is available for commenting. -Simply click anywhere on the image to create a new thread. +1. Hover your mouse over the image. +1. Select the location where you want to comment. - - -After you select the image, a comment form is displayed that would be the start -of your thread. After you save your comment, a new badge is displayed on -top of your image. This badge represents your thread. - -NOTE: -This thread badge is typically associated with a number that is only used as a visual -reference for each thread. In the merge request thread tab, -this badge is indicated with a comment icon, because each thread renders a new -image section. - -Image threads also work on diffs that replace an existing image. In this diff view -mode, you can toggle the different view modes and still see the thread point badges. - -| 2-up | Swipe | Onion Skin | -|:-----------:|:----------:|:----------:| -|  |  |  | - -Image threads also work well with resolvable threads. Resolved threads -on diffs (not on the merge request discussion tab) appear collapsed on page -load and have a corresponding badge counter to match the counter on the image. - - +An icon is displayed on the image and a comment field is displayed. -## Lock discussions - -For large projects with many contributors, it may be useful to stop threads -in issues or merge requests in these scenarios: - -- The project maintainer has already resolved the thread and it is not helpful - for continued feedback. -- The project maintainer has already directed new conversation - to newer issues or merge requests. -- The people participating in the thread are trolling, abusive, or otherwise - being unproductive. + -In these cases, a user with Developer permissions or higher in the project can lock (and unlock) -an issue or a merge request, using the "Lock" section in the sidebar. For issues, -a user with Reporter permissions can lock (and unlock). +## Prevent comments by locking an issue -| Unlock | Lock | -| :-----------: | :----------: | -|  |  | +You can prevent public comments in an issue or merge request. +When you do, only project members can add and edit comments. -System notes indicate locking and unlocking. +Prerequisite: - +- In merge requests, you must have the Developer role or higher. +- In issues, you must have the Reporter role or higher. -In a locked issue or merge request, only team members can add new comments and -edit existing comments. Non-team members are restricted from adding or editing comments. +1. On the right sidebar, next to **Lock issue** or **Lock merge request**, select **Edit**. +1. On the confirmation dialog, select **Lock**. -| Team member | Non-team member | -| :-----------: | :----------: | -|  |  | +Notes are added to the page details. -Additionally, locked issues and merge requests can't be reopened. +If an issue or merge request is locked and closed, you cannot reopen it. -## Confidential Comments +## Mark a comment as confidential > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/207473) in GitLab 13.9. > - [Deployed behind a feature flag](../feature_flags.md), disabled by default. @@ -299,30 +260,30 @@ Additionally, locked issues and merge requests can't be reopened. WARNING: This feature might not be available to you. Check the **version history** note above for details. -When creating a comment, you can make it visible only to the project members (users with Reporter and higher permissions). +You can make a comment confidential, so that it is visible only to project members +who have the Reporter role or higher. -To create a confidential comment, select the **Make this comment confidential** check box before you submit it. +1. Below the comment, select the **Make this comment confidential** checkbox. +1. Select **Comment**.  -## Filtering notes +## Show only comments > - [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/26723) in GitLab 11.5. -For issues with many comments like activity notes and user comments, sometimes -finding useful information can be hard. There is a way to filter comments from single notes and threads for merge requests and issues. - -From a merge request's **Discussion** tab, or from an epic/issue overview, find the filter's dropdown menu on the right side of the page, from which you can choose one of the following options: +For issues and merge requests with many comments, you can filter the page to show comments only. -- **Show all activity**: displays all user comments and system notes - (issue updates, mentions from other issues, changes to the description, etc). -- **Show comments only**: only displays user comments in the list. -- **Show history only**: only displays activity notes. +1. Open a merge request's **Discussion** tab, or epic or issue's **Overview** tab. +1. On the right side of the page, select from the filter: + - **Show all activity**: Display all user comments and system notes + (issue updates, mentions from other issues, changes to the description, and so on). + - **Show comments only**: Display only user comments. + - **Show history only**: Display only activity notes.  -After you select one of the filters in a given issue or merge request, GitLab saves -your preference, so that it persists when you visit the same page again +GitLab saves your preference, so it persists when you visit the same page again from any device you're logged into. ## Assign an issue to the commenting user @@ -331,15 +292,16 @@ from any device you're logged into. You can assign an issue to a user who made a comment. -In the comment, select the **More Actions** menu, and then select **Assign to commenting user**. - -Select the button again to unassign the commenter. +1. In the comment, select the **More Actions** menu. +1. Select **Assign to commenting user**.  -## Enable or disable Confidential Comments **(FREE SELF)** +Select the button again to unassign the commenter. + +## Enable or disable confidential comments **(FREE SELF)** -Confidential Comments is under development and not ready for production use. It is +Confidential comments are under development and not ready for production use. The feature is deployed behind a feature flag that is **disabled by default**. [GitLab administrators with access to the GitLab Rails console](../../administration/feature_flags.md) can enable it. diff --git a/doc/user/project/issue_board.md b/doc/user/project/issue_board.md index f4e4b6cf010..a32a8ed8ec7 100644 --- a/doc/user/project/issue_board.md +++ b/doc/user/project/issue_board.md @@ -426,7 +426,7 @@ To set a WIP limit for a list: 1. Enter the maximum number of issues. 1. Press <kbd>Enter</kbd> to save. -## Blocked issues +## Blocked issues **(PREMIUM)** > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/34723) in GitLab 12.8. > - [View blocking issues when hovering over blocked icon](https://gitlab.com/gitlab-org/gitlab/-/issues/210452) in GitLab 13.10. diff --git a/doc/user/project/issues/issue_data_and_actions.md b/doc/user/project/issues/issue_data_and_actions.md index 1c25ea9283b..2ef12cd1240 100644 --- a/doc/user/project/issues/issue_data_and_actions.md +++ b/doc/user/project/issues/issue_data_and_actions.md @@ -151,7 +151,7 @@ cannot access the issue, and it is not listed in the project's issue boards nor ### Lock issue -You can [lock the threads](../../discussions/index.md#lock-discussions) in the issue, +You can [lock the issue](../../discussions/index.md#prevent-comments-by-locking-an-issue) to prevent further comments from being added. ### Participants diff --git a/doc/user/project/issues/sorting_issue_lists.md b/doc/user/project/issues/sorting_issue_lists.md index 97a790c2527..2681a39aeb6 100644 --- a/doc/user/project/issues/sorting_issue_lists.md +++ b/doc/user/project/issues/sorting_issue_lists.md @@ -8,7 +8,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w You can sort a list of issues several ways, including by: -- Blocking +- Blocking **(PREMIUM)** - Created date - Due date - Label priority @@ -51,7 +51,7 @@ This ordering also affects [issue boards](../issue_board.md#how-gitlab-orders-is Changing the order in an issue list changes the ordering in an issue board, and vice versa. -## Sorting by blocking issues +## Sorting by blocking issues **(PREMIUM)** > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/34247/) in GitLab 13.7. diff --git a/lib/api/commit_statuses.rb b/lib/api/commit_statuses.rb index 27fee7fdea2..1785362656e 100644 --- a/lib/api/commit_statuses.rb +++ b/lib/api/commit_statuses.rb @@ -99,40 +99,26 @@ module API updatable_optional_attributes = %w[target_url description coverage] status.assign_attributes(attributes_for_keys(updatable_optional_attributes)) - if status.valid? - status.update_older_statuses_retried! if Feature.enabled?(:ci_fix_commit_status_retried, user_project, default_enabled: :yaml) - else - render_validation_error!(status) - end + render_validation_error!(status) unless status.valid? - begin - case params[:state] - when 'pending' - status.enqueue! - when 'running' - status.enqueue - status.run! - when 'success' - status.success! - when 'failed' - status.drop!(:api_failure) - when 'canceled' - status.cancel! - else - render_api_error!('invalid state', 400) - end + response = ::Ci::Pipelines::AddJobService.new(pipeline).execute!(status) do |job| + apply_job_state!(job) + rescue ::StateMachines::InvalidTransition => e + render_api_error!(e.message, 400) + end - if pipeline.latest? - MergeRequest.where(source_project: user_project, source_branch: ref) - .update_all(head_pipeline_id: pipeline.id) - end + render_validation_error!(response.payload[:job]) unless response.success? - present status, with: Entities::CommitStatus - rescue StateMachines::InvalidTransition => e - render_api_error!(e.message, 400) + if pipeline.latest? + MergeRequest + .where(source_project: user_project, source_branch: ref) + .update_all(head_pipeline_id: pipeline.id) end + + present response.payload[:job], with: Entities::CommitStatus end # rubocop: enable CodeReuse/ActiveRecord + helpers do def commit strong_memoize(:commit) do @@ -146,6 +132,24 @@ module API pipelines = pipelines.for_id(params[:pipeline_id]) if params[:pipeline_id] pipelines end + + def apply_job_state!(job) + case params[:state] + when 'pending' + job.enqueue! + when 'running' + job.enqueue + job.run! + when 'success' + job.success! + when 'failed' + job.drop!(:api_failure) + when 'canceled' + job.cancel! + else + render_api_error!('invalid state', 400) + end + end end end end diff --git a/lib/gitlab/ci/templates/Security/Cluster-Image-Scanning.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/Cluster-Image-Scanning.gitlab-ci.yml new file mode 100644 index 00000000000..f4f066cc7c2 --- /dev/null +++ b/lib/gitlab/ci/templates/Security/Cluster-Image-Scanning.gitlab-ci.yml @@ -0,0 +1,34 @@ +# Use this template to enable cluster image scanning in your project. +# You should add this template to an existing `.gitlab-ci.yml` file by using the `include:` +# keyword. +# The template should work without modifications but you can customize the template settings if +# needed: https://docs.gitlab.com/ee/user/application_security/cluster_image_scanning/#customize-the-container-scanning-settings +# +# Requirements: +# - A `test` stage to be present in the pipeline. +# - You must define the `CIS_KUBECONFIG` variable to allow analyzer to connect to your Kubernetes cluster and fetch found vulnerabilities. +# +# Configure container scanning with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/README.html). +# List of available variables: https://docs.gitlab.com/ee/user/application_security/cluster_image_scanning/#available-variables + +variables: + CIS_ANALYZER_IMAGE: registry.gitlab.com/gitlab-org/security-products/analyzers/cluster-image-scanning:0 + +cluster_image_scanning: + image: "$CIS_ANALYZER_IMAGE" + stage: test + allow_failure: true + artifacts: + reports: + cluster_image_scanning: gl-cluster-image-scanning-report.json + paths: [gl-cluster-image-scanning-report.json] + dependencies: [] + script: + - /analyzer run + rules: + - if: $CLUSTER_IMAGE_SCANNING_DISABLED + when: never + - if: '($KUBECONFIG == null || $KUBECONFIG == "") && ($CIS_KUBECONFIG == null || $CIS_KUBECONFIG == "")' + when: never + - if: $CI_COMMIT_BRANCH && + $GITLAB_FEATURES =~ /\bcluster_image_scanning\b/ diff --git a/lib/gitlab/database/load_balancing/load_balancer.rb b/lib/gitlab/database/load_balancing/load_balancer.rb index b5960476759..a5d67ebc050 100644 --- a/lib/gitlab/database/load_balancing/load_balancer.rb +++ b/lib/gitlab/database/load_balancing/load_balancer.rb @@ -147,16 +147,6 @@ module Gitlab raise 'Failed to determine the write location of the primary database' end - # FF disabled: Returns true if all hosts have caught up to the given transaction write location. - # FF enabled: Returns true if there was at least one host that has caught up with the given transaction and sets it. - def all_caught_up?(location) - if ::Feature.enabled?(:load_balancing_improved_caught_up_hosts_check) - select_up_to_date_host(location) - else - @host_list.hosts.all? { |host| host.caught_up?(location) } - end - end - # Returns true if there was at least one host that has caught up with the given transaction. # # In case of a retry, this method also stores the set of hosts that have caught up. diff --git a/lib/gitlab/database/load_balancing/sticking.rb b/lib/gitlab/database/load_balancing/sticking.rb index 1223225ef5b..8e1aa079216 100644 --- a/lib/gitlab/database/load_balancing/sticking.rb +++ b/lib/gitlab/database/load_balancing/sticking.rb @@ -33,10 +33,10 @@ module Gitlab return true unless location - load_balancer.all_caught_up?(location).tap do |caught_up| - ActiveSupport::Notifications.instrument('caught_up_replica_pick.load_balancing', { result: caught_up } ) + load_balancer.select_up_to_date_host(location).tap do |found| + ActiveSupport::Notifications.instrument('caught_up_replica_pick.load_balancing', { result: found } ) - unstick(namespace, id) if caught_up + unstick(namespace, id) if found end end diff --git a/lib/gitlab/pagination/keyset/column_order_definition.rb b/lib/gitlab/pagination/keyset/column_order_definition.rb index 0c8ec02a56b..0755af9587b 100644 --- a/lib/gitlab/pagination/keyset/column_order_definition.rb +++ b/lib/gitlab/pagination/keyset/column_order_definition.rb @@ -120,7 +120,7 @@ module Gitlab AREL_ORDER_CLASSES = { Arel::Nodes::Ascending => :asc, Arel::Nodes::Descending => :desc }.freeze ALLOWED_NULLABLE_VALUES = [:not_nullable, :nulls_first, :nulls_last].freeze - attr_reader :attribute_name, :column_expression, :order_expression, :add_to_projections + attr_reader :attribute_name, :column_expression, :order_expression, :add_to_projections, :order_direction def initialize(attribute_name:, order_expression:, column_expression: nil, reversed_order_expression: nil, nullable: :not_nullable, distinct: true, order_direction: nil, add_to_projections: false) @attribute_name = attribute_name @@ -175,7 +175,7 @@ module Gitlab private - attr_reader :reversed_order_expression, :nullable, :distinct, :order_direction + attr_reader :reversed_order_expression, :nullable, :distinct def calculate_reversed_order(order_expression) unless AREL_ORDER_CLASSES.has_key?(order_expression.class) # Arel can reverse simple orders diff --git a/lib/gitlab/pagination/keyset/order.rb b/lib/gitlab/pagination/keyset/order.rb index cef3a7b291a..19d44ee69dd 100644 --- a/lib/gitlab/pagination/keyset/order.rb +++ b/lib/gitlab/pagination/keyset/order.rb @@ -139,6 +139,8 @@ module Gitlab verify_incoming_values!(values) + return use_composite_row_comparison(values) if composite_row_comparison_possible? + where_values = [] reversed_column_definitions = column_definitions.reverse @@ -187,6 +189,28 @@ module Gitlab private + def composite_row_comparison_possible? + !column_definitions.one? && + column_definitions.all?(&:not_nullable?) && + column_definitions.map(&:order_direction).uniq.one? # all columns uses the same order direction + end + + # composite row comparison works with NOT NULL columns and may use only one index scan given a proper index setup + # Example: (created_at, id) > ('2012-09-18 01:40:01+00', 15) + def use_composite_row_comparison(values) + columns = Arel::Nodes::Grouping.new(column_definitions.map(&:column_expression)) + values = Arel::Nodes::Grouping.new(column_definitions.map do |column_definition| + value = values[column_definition.attribute_name] + Arel::Nodes.build_quoted(value, column_definition.column_expression) + end) + + if column_definitions.first.ascending_order? + [columns.gt(values)] + else + [columns.lt(values)] + end + end + # Adds extra columns to the SELECT clause def apply_custom_projections(scope) additional_projections = column_definitions.select(&:add_to_projections).map do |column_definition| diff --git a/locale/gitlab.pot b/locale/gitlab.pot index c44b4f8c29c..52229dc8749 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -21667,6 +21667,9 @@ msgstr "" msgid "NetworkPolicies|Invalid or empty policy" msgstr "" +msgid "NetworkPolicies|Invalid or unsupported policy kind" +msgstr "" + msgid "NetworkPolicies|Kubernetes error: %{error}" msgstr "" @@ -23383,6 +23386,9 @@ msgstr "" msgid "PackageRegistry|Gradle Kotlin DSL install command" msgstr "" +msgid "PackageRegistry|Helm" +msgstr "" + msgid "PackageRegistry|If you haven't already done so, you will need to add the below to your %{codeStart}.pypirc%{codeEnd} file." msgstr "" @@ -23872,6 +23878,9 @@ msgstr "" msgid "Pipeline Schedules" msgstr "" +msgid "Pipeline URL" +msgstr "" + msgid "Pipeline durations for the last 30 commits" msgstr "" @@ -25567,6 +25576,9 @@ msgstr "" msgid "ProjectService|Perform common operations on GitLab project: %{project_name}" msgstr "" +msgid "ProjectService|Run CI/CD pipelines with Buildkite." +msgstr "" + msgid "ProjectService|Run CI/CD pipelines with Drone." msgstr "" @@ -25579,6 +25591,9 @@ msgstr "" msgid "ProjectService|The build configuration ID of the TeamCity project." msgstr "" +msgid "ProjectService|The token you get after you create a Buildkite pipeline with a GitLab repository." +msgstr "" + msgid "ProjectService|To configure this integration, you should:" msgstr "" diff --git a/spec/frontend/packages/shared/utils_spec.js b/spec/frontend/packages/shared/utils_spec.js index 3ea2b78eb14..a1076b729f8 100644 --- a/spec/frontend/packages/shared/utils_spec.js +++ b/spec/frontend/packages/shared/utils_spec.js @@ -41,6 +41,7 @@ describe('Packages shared utils', () => { ${'rubygems'} | ${'RubyGems'} ${'composer'} | ${'Composer'} ${'debian'} | ${'Debian'} + ${'helm'} | ${'Helm'} ${'foo'} | ${null} `(`package type`, ({ packageType, expectedResult }) => { it(`${packageType} should show as ${expectedResult}`, () => { diff --git a/spec/frontend/packages_and_registries/settings/project/settings/__snapshots__/utils_spec.js.snap b/spec/frontend/packages_and_registries/settings/project/settings/__snapshots__/utils_spec.js.snap index 7062773b46b..cf554717127 100644 --- a/spec/frontend/packages_and_registries/settings/project/settings/__snapshots__/utils_spec.js.snap +++ b/spec/frontend/packages_and_registries/settings/project/settings/__snapshots__/utils_spec.js.snap @@ -33,6 +33,10 @@ Array [ exports[`Utils formOptionsGenerator returns an object containing keepN 1`] = ` Array [ Object { + "key": null, + "label": "", + }, + Object { "default": false, "key": "ONE_TAG", "label": "1 tag per image name", @@ -74,6 +78,10 @@ Array [ exports[`Utils formOptionsGenerator returns an object containing olderThan 1`] = ` Array [ Object { + "key": null, + "label": "", + }, + Object { "default": false, "key": "SEVEN_DAYS", "label": "7 days", diff --git a/spec/frontend/packages_and_registries/settings/project/settings/components/__snapshots__/settings_form_spec.js.snap b/spec/frontend/packages_and_registries/settings/project/settings/components/__snapshots__/settings_form_spec.js.snap index 7a52b4a5d0f..1009db46401 100644 --- a/spec/frontend/packages_and_registries/settings/project/settings/components/__snapshots__/settings_form_spec.js.snap +++ b/spec/frontend/packages_and_registries/settings/project/settings/components/__snapshots__/settings_form_spec.js.snap @@ -22,7 +22,7 @@ exports[`Settings Form Enable matches snapshot 1`] = ` exports[`Settings Form Keep N matches snapshot 1`] = ` <expiration-dropdown-stub data-testid="keep-n-dropdown" - formoptions="[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]" + formoptions="[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]" label="Keep the most recent:" name="keep-n" value="TEN_TAGS" @@ -44,7 +44,7 @@ exports[`Settings Form Keep Regex matches snapshot 1`] = ` exports[`Settings Form OlderThan matches snapshot 1`] = ` <expiration-dropdown-stub data-testid="older-than-dropdown" - formoptions="[object Object],[object Object],[object Object],[object Object]" + formoptions="[object Object],[object Object],[object Object],[object Object],[object Object]" label="Remove tags older than:" name="older-than" value="FOURTEEN_DAYS" diff --git a/spec/frontend/packages_and_registries/settings/project/settings/components/settings_form_spec.js b/spec/frontend/packages_and_registries/settings/project/settings/components/settings_form_spec.js index 9e4f61ff820..3a71af94d5a 100644 --- a/spec/frontend/packages_and_registries/settings/project/settings/components/settings_form_spec.js +++ b/spec/frontend/packages_and_registries/settings/project/settings/components/settings_form_spec.js @@ -132,9 +132,9 @@ describe('Settings Form', () => { model | finder | fieldName | type | defaultValue ${'enabled'} | ${findEnableToggle} | ${'Enable'} | ${'toggle'} | ${false} ${'cadence'} | ${findCadenceDropdown} | ${'Cadence'} | ${'dropdown'} | ${'EVERY_DAY'} - ${'keepN'} | ${findKeepNDropdown} | ${'Keep N'} | ${'dropdown'} | ${'TEN_TAGS'} + ${'keepN'} | ${findKeepNDropdown} | ${'Keep N'} | ${'dropdown'} | ${''} ${'nameRegexKeep'} | ${findKeepRegexInput} | ${'Keep Regex'} | ${'textarea'} | ${''} - ${'olderThan'} | ${findOlderThanDropdown} | ${'OlderThan'} | ${'dropdown'} | ${'NINETY_DAYS'} + ${'olderThan'} | ${findOlderThanDropdown} | ${'OlderThan'} | ${'dropdown'} | ${''} ${'nameRegex'} | ${findRemoveRegexInput} | ${'Remove regex'} | ${'textarea'} | ${''} `('$fieldName', ({ model, finder, type, defaultValue }) => { it('matches snapshot', () => { @@ -293,10 +293,10 @@ describe('Settings Form', () => { input: { cadence: 'EVERY_DAY', enabled: true, - keepN: 'TEN_TAGS', + keepN: null, nameRegex: 'asdasdssssdfdf', nameRegexKeep: 'sss', - olderThan: 'NINETY_DAYS', + olderThan: null, projectPath: 'path', }, }); diff --git a/spec/frontend/packages_and_registries/settings/project/settings/utils_spec.js b/spec/frontend/packages_and_registries/settings/project/settings/utils_spec.js index 4c81671cd46..ed126d87ae3 100644 --- a/spec/frontend/packages_and_registries/settings/project/settings/utils_spec.js +++ b/spec/frontend/packages_and_registries/settings/project/settings/utils_spec.js @@ -12,6 +12,7 @@ describe('Utils', () => { olderThanTranslationGenerator, ); expect(result).toEqual([ + { key: null, label: '' }, { variable: 1, label: '1 day' }, { variable: 2, label: '2 days' }, ]); diff --git a/spec/graphql/resolvers/issues_resolver_spec.rb b/spec/graphql/resolvers/issues_resolver_spec.rb index 7c2ceb50066..9b329e961cc 100644 --- a/spec/graphql/resolvers/issues_resolver_spec.rb +++ b/spec/graphql/resolvers/issues_resolver_spec.rb @@ -290,6 +290,42 @@ RSpec.describe Resolvers::IssuesResolver do expect(resolve_issues(sort: :severity_desc).to_a).to eq([issue_high_severity, issue_low_severity, issue_no_severity]) end end + + context 'when sorting by popularity' do + let_it_be(:project) { create(:project, :public) } + let_it_be(:issue1) { create(:issue, project: project) } # has one upvote + let_it_be(:issue2) { create(:issue, project: project) } # has two upvote + let_it_be(:issue3) { create(:issue, project: project) } + let_it_be(:issue4) { create(:issue, project: project) } # has one upvote + + before do + create(:award_emoji, :upvote, awardable: issue1) + create(:award_emoji, :upvote, awardable: issue2) + create(:award_emoji, :upvote, awardable: issue2) + create(:award_emoji, :upvote, awardable: issue4) + end + + it 'sorts issues ascending (ties broken by id in desc order)' do + expect(resolve_issues(sort: :popularity_asc).to_a).to eq([issue3, issue4, issue1, issue2]) + end + + it 'sorts issues descending (ties broken by id in desc order)' do + expect(resolve_issues(sort: :popularity_desc).to_a).to eq([issue2, issue4, issue1, issue3]) + end + end + + context 'when sorting with non-stable cursors' do + %i[priority_asc priority_desc + popularity_asc popularity_desc + label_priority_asc label_priority_desc + milestone_due_asc milestone_due_desc].each do |sort_by| + it "uses offset-pagination when sorting by #{sort_by}" do + resolved = resolve_issues(sort: sort_by) + + expect(resolved).to be_a(::Gitlab::Graphql::Pagination::OffsetActiveRecordRelationConnection) + end + end + end end it 'returns issues user can see' do diff --git a/spec/lib/gitlab/database/load_balancing/load_balancer_spec.rb b/spec/lib/gitlab/database/load_balancing/load_balancer_spec.rb index 7ebf95df412..b82b8d9a311 100644 --- a/spec/lib/gitlab/database/load_balancing/load_balancer_spec.rb +++ b/spec/lib/gitlab/database/load_balancing/load_balancer_spec.rb @@ -306,38 +306,6 @@ RSpec.describe Gitlab::Database::LoadBalancing::LoadBalancer, :request_store do end end - describe '#all_caught_up?' do - it 'delegates execution to #select_up_to_date_host' do - expect(lb).to receive(:select_up_to_date_host).with('foo').and_return(true) - - expect(lb.all_caught_up?('foo')).to eq(true) - end - - context 'when :load_balancing_improved_caught_up_hosts_check FF is disabled' do - before do - stub_feature_flags(load_balancing_improved_caught_up_hosts_check: false) - end - - it 'returns true if all hosts caught up to the write location' do - expect(lb.host_list.hosts).to all(receive(:caught_up?).with('foo').and_return(true)) - - expect(lb.all_caught_up?('foo')).to eq(true) - end - - it 'returns false if a host has not yet caught up' do - expect(lb.host_list.hosts[0]).to receive(:caught_up?) - .with('foo') - .and_return(true) - - expect(lb.host_list.hosts[1]).to receive(:caught_up?) - .with('foo') - .and_return(false) - - expect(lb.all_caught_up?('foo')).to eq(false) - end - end - end - describe '#retry_with_backoff' do it 'returns the value returned by the block' do value = lb.retry_with_backoff { 10 } diff --git a/spec/lib/gitlab/database/load_balancing/sticking_spec.rb b/spec/lib/gitlab/database/load_balancing/sticking_spec.rb index f1ab923a67e..53445d73756 100644 --- a/spec/lib/gitlab/database/load_balancing/sticking_spec.rb +++ b/spec/lib/gitlab/database/load_balancing/sticking_spec.rb @@ -64,7 +64,7 @@ RSpec.describe Gitlab::Database::LoadBalancing::Sticking, :redis do .with(:user, 42) .and_return(nil) - expect(lb).not_to receive(:all_caught_up?) + expect(lb).not_to receive(:select_up_to_date_host) expect(described_class.all_caught_up?(:user, 42)).to eq(true) end @@ -72,7 +72,7 @@ RSpec.describe Gitlab::Database::LoadBalancing::Sticking, :redis do context 'when all secondaries have caught up' do before do - allow(lb).to receive(:all_caught_up?).with('foo').and_return(true) + allow(lb).to receive(:select_up_to_date_host).with('foo').and_return(true) end it 'returns true, and unsticks' do @@ -93,7 +93,7 @@ RSpec.describe Gitlab::Database::LoadBalancing::Sticking, :redis do context 'when the secondaries have not yet caught up' do before do - allow(lb).to receive(:all_caught_up?).with('foo').and_return(false) + allow(lb).to receive(:select_up_to_date_host).with('foo').and_return(false) end it 'returns false' do @@ -123,7 +123,7 @@ RSpec.describe Gitlab::Database::LoadBalancing::Sticking, :redis do .with(:user, 42) .and_return(nil) - expect(lb).not_to receive(:all_caught_up?) + expect(lb).not_to receive(:select_up_to_date_host) described_class.unstick_or_continue_sticking(:user, 42) end @@ -133,7 +133,7 @@ RSpec.describe Gitlab::Database::LoadBalancing::Sticking, :redis do .with(:user, 42) .and_return('foo') - allow(lb).to receive(:all_caught_up?).with('foo').and_return(true) + allow(lb).to receive(:select_up_to_date_host).with('foo').and_return(true) expect(described_class).to receive(:unstick).with(:user, 42) @@ -145,7 +145,7 @@ RSpec.describe Gitlab::Database::LoadBalancing::Sticking, :redis do .with(:user, 42) .and_return('foo') - allow(lb).to receive(:all_caught_up?).with('foo').and_return(false) + allow(lb).to receive(:select_up_to_date_host).with('foo').and_return(false) expect(Gitlab::Database::LoadBalancing::Session.current) .to receive(:use_primary!) diff --git a/spec/lib/gitlab/pagination/keyset/order_spec.rb b/spec/lib/gitlab/pagination/keyset/order_spec.rb index 26f52745b54..562a9bf4460 100644 --- a/spec/lib/gitlab/pagination/keyset/order_spec.rb +++ b/spec/lib/gitlab/pagination/keyset/order_spec.rb @@ -171,6 +171,12 @@ RSpec.describe Gitlab::Pagination::Keyset::Order do end it_behaves_like 'order examples' + + it 'uses the row comparison method' do + sql = order.where_values_with_or_query({ year: 2010, month: 5, id: 1 }).to_sql + + expect(sql).to eq('(("my_table"."year", "my_table"."month", "my_table"."id") > (2010, 5, 1))') + end end context 'when ordering by nullable columns and a distinct column' do diff --git a/spec/services/ci/pipelines/add_job_service_spec.rb b/spec/services/ci/pipelines/add_job_service_spec.rb new file mode 100644 index 00000000000..a72ffbfdc87 --- /dev/null +++ b/spec/services/ci/pipelines/add_job_service_spec.rb @@ -0,0 +1,72 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe Ci::Pipelines::AddJobService do + let_it_be(:pipeline) { create(:ci_pipeline) } + + let(:job) { build(:ci_build) } + + subject(:service) { described_class.new(pipeline) } + + context 'when the pipeline is not persisted' do + let(:pipeline) { build(:ci_pipeline) } + + it 'raises error' do + expect { service }.to raise_error('Pipeline must be persisted for this service to be used') + end + end + + describe '#execute!' do + subject(:execute) do + service.execute!(job) do |job| + job.save! + end + end + + it 'assigns pipeline attributes to the job' do + expect do + execute + end.to change { job.slice(:pipeline, :project, :ref) }.to( + pipeline: pipeline, project: pipeline.project, ref: pipeline.ref + ) + end + + it 'returns a service response with the job as payload' do + expect(execute).to be_success + expect(execute.payload[:job]).to eq(job) + end + + it 'calls update_older_statuses_retried!' do + expect(job).to receive(:update_older_statuses_retried!) + + execute + end + + context 'when the block raises an error' do + subject(:execute) do + service.execute!(job) do |job| + raise "this is an error" + end + end + + it 'returns a service response with the error and the job as payload' do + expect(execute).to be_error + expect(execute.payload[:job]).to eq(job) + expect(execute.message).to eq('this is an error') + end + end + + context 'when the FF ci_fix_commit_status_retried is disabled' do + before do + stub_feature_flags(ci_fix_commit_status_retried: false) + end + + it 'does not call update_older_statuses_retried!' do + expect(job).not_to receive(:update_older_statuses_retried!) + + execute + end + end + end +end |
