
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2023-11-18 06:13:25 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-11-18 06:13:25 +0300
commitee34c4523b1d028a206d4a27d45c02bbce572c2e (patch)
tree3c9edcea87d1d6a6d7ed79a37b9dc2852a8cf96b
parentda4f753e76a4fd162d35c0c79d1241583e88b685 (diff)
Add latest changes from gitlab-org/gitlab@master
-rw-r--r--app/models/ci/pipeline.rb12
-rw-r--r--config/feature_flags/development/ci_current_partition_value_101.yml8
-rw-r--r--doc/user/application_security/policies/scan-result-policies.md2
-rw-r--r--lib/gitlab/ci/pipeline/chain/assign_partition.rb2
-rw-r--r--lib/gitlab/database/partitioning/ci_sliding_list_strategy.rb11
-rw-r--r--locale/gitlab.pot36
-rw-r--r--spec/lib/gitlab/database/partitioning/ci_sliding_list_strategy_spec.rb33
-rw-r--r--spec/models/ci/pipeline_spec.rb16
8 files changed, 93 insertions, 27 deletions
diff --git a/app/models/ci/pipeline.rb b/app/models/ci/pipeline.rb
index b9823bd4a07..0a910d6b125 100644
--- a/app/models/ci/pipeline.rb
+++ b/app/models/ci/pipeline.rb
@@ -42,7 +42,7 @@ module Ci
sha_attribute :source_sha
sha_attribute :target_sha
- partitionable scope: ->(_) { Ci::Pipeline.current_partition_value }
+ partitionable scope: ->(pipeline) { Ci::Pipeline.current_partition_value(pipeline.project) }
# Ci::CreatePipelineService returns Ci::Pipeline so this is the only place
# where we can pass additional information from the service. This accessor
# is used for storing the processed metadata for linting purposes.
@@ -588,8 +588,14 @@ module Ci
@auto_devops_pipelines_completed_total ||= Gitlab::Metrics.counter(:auto_devops_pipelines_completed_total, 'Number of completed auto devops pipelines')
end
- def self.current_partition_value
- INITIAL_PARTITION_VALUE
+ def self.current_partition_value(project = nil)
+ Gitlab::SafeRequestStore.fetch(:ci_current_partition_value) do
+ if Feature.enabled?(:ci_current_partition_value_101, project)
+ NEXT_PARTITION_VALUE
+ else
+ INITIAL_PARTITION_VALUE
+ end
+ end
end
def self.object_hierarchy(relation, options = {})
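Review bot: The cache key in `Gitlab::SafeRequestStore.fetch(:ci_current_partition_value)` does not include the project, so when a request store is active the first call to `current_partition_value` decides the result for every later call, whatever `project` is passed. With `ci_current_partition_value_101` enabled for only some projects, the `partitionable scope` lambda in the first hunk and the call in `assign_partition.rb` could then receive a value computed for a different project. If one value per request is intended, state that in a comment above the method, for example `# Memoized per request: the first caller's project decides the value`. If it is not, make the key project-specific, for example `Gitlab::SafeRequestStore.fetch([:ci_current_partition_value, project&.id])`.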
diff --git a/config/feature_flags/development/ci_current_partition_value_101.yml b/config/feature_flags/development/ci_current_partition_value_101.yml
new file mode 100644
index 00000000000..23a4914d759
--- /dev/null
+++ b/config/feature_flags/development/ci_current_partition_value_101.yml
@@ -0,0 +1,8 @@
+---
+name: ci_current_partition_value_101
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/136425
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/431461
+milestone: '16.7'
+type: development
+group: group::pipeline execution
+default_enabled: false
diff --git a/doc/user/application_security/policies/scan-result-policies.md b/doc/user/application_security/policies/scan-result-policies.md
index 0e9a6ea1d72..d73cb73f0ac 100644
--- a/doc/user/application_security/policies/scan-result-policies.md
+++ b/doc/user/application_security/policies/scan-result-policies.md
@@ -199,7 +199,7 @@ The settings set in the policy overwrite settings in the project.
| `prevent_approval_by_commit_author` | `boolean` | false | `true`, `false` | `Any merge request` | When enabled, users who have contributed code to the MR are ineligible for approval. This ensures code committers cannot introduce vulnerabilities and approve code to merge. |
| `remove_approvals_with_new_commit` | `boolean` | false | `true`, `false` | `Any merge request` | When enabled, if an MR receives all necessary approvals to merge, but then a new commit is added, new approvals are required. This ensures new commits that may include vulnerabilities cannot be introduced. |
| `require_password_to_approve` | `boolean` | false | `true`, `false` | `Any merge request` | When enabled, there will be password confirmation on approvals. Password confirmation adds an extra layer of security. |
-| `prevent_pushing_and_force_pushing` | `boolean` | false | `true`, `false` | All | When enabled, prevents users from pushing and force pushing to a protected branch. This ensures users do not bypass the merge request process to add vulnerable code to a branch. |
+| `prevent_pushing_and_force_pushing` | `boolean` | false | `true`, `false` | All | When enabled, prevents users from pushing and force pushing to a protected branch if that branch is included in the security policy. This ensures users do not bypass the merge request process to add vulnerable code to a branch. |
## Example security scan result policies project
diff --git a/lib/gitlab/ci/pipeline/chain/assign_partition.rb b/lib/gitlab/ci/pipeline/chain/assign_partition.rb
index 4b8efe13d44..0740226ac9b 100644
--- a/lib/gitlab/ci/pipeline/chain/assign_partition.rb
+++ b/lib/gitlab/ci/pipeline/chain/assign_partition.rb
@@ -21,7 +21,7 @@ module Gitlab
if @command.creates_child_pipeline?
@command.parent_pipeline_partition_id
else
- ::Ci::Pipeline.current_partition_value
+ ::Ci::Pipeline.current_partition_value(project)
end
end
end
diff --git a/lib/gitlab/database/partitioning/ci_sliding_list_strategy.rb b/lib/gitlab/database/partitioning/ci_sliding_list_strategy.rb
index 69a69091b5c..de6319582cb 100644
--- a/lib/gitlab/database/partitioning/ci_sliding_list_strategy.rb
+++ b/lib/gitlab/database/partitioning/ci_sliding_list_strategy.rb
@@ -12,6 +12,13 @@ module Gitlab
partition_for(active_partition.value + 1)
end
+ def missing_partitions
+ partitions = []
+ partitions << initial_partition if no_partitions_exist?
+ partitions << next_partition if next_partition_if.call(active_partition)
+ partitions
+ end
+
def validate_and_fix; end
def after_adding_partitions; end
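Review bot: `missing_partitions` calls `next_partition_if.call(active_partition)` unconditionally, including when the table has no partitions, so a strategy built with `next_partition_if: nil` would raise `NoMethodError` here. The spec defaults in this commit change from `nil` to `->(_) { false }`, which suggests nil is no longer tolerated on this path. If nil is a supported value, guard the call with `next_partition_if&.call(active_partition)`. Otherwise add a short comment above the method saying that it can return both the initial and the next partition in one pass and that the callback must be callable. The class body continues outside the hunk.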
@@ -20,6 +27,10 @@ module Gitlab
[]
end
+ def active_partition
+ super || initial_partition
+ end
+
private
def ensure_partitioning_column_ignored_or_readonly!; end
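Review bot: The public `active_partition` override has no comment explaining that `super || initial_partition` can return a partition that does not exist in the database yet. Callers cannot tell that case apart from a real active partition, and `next_partition` in the previous hunk builds on it with `active_partition.value + 1`. A one-line comment would make the contract explicit, for example `# Falls back to the initial partition so callers never see nil before the first partition is created`. What `super` returns is defined in the parent class, outside this hunk.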
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 3b8701619a7..751c7977f92 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -42263,9 +42263,6 @@ msgstr ""
msgid "ScanResultPolicy|Fix available is only applicable to container and dependency scanning"
msgstr ""
-msgid "ScanResultPolicy|If an MR receives all necessary approvals to merge, but then a new commit is added, new approvals are required. This ensures new commits that may include vulnerabilities cannot be introduced."
-msgstr ""
-
msgid "ScanResultPolicy|If selected, the following choices will overwrite %{linkStart}project settings%{linkEnd} but only affect the branches selected in the policy."
msgstr ""
@@ -42317,15 +42314,9 @@ msgstr ""
msgid "ScanResultPolicy|Override project approval settings"
msgstr ""
-msgid "ScanResultPolicy|Password confirmation on approvals provides an additional level of security. Enabling this enforces the setting on all projects targeted by this policy."
-msgstr ""
-
msgid "ScanResultPolicy|Pre-existing"
msgstr ""
-msgid "ScanResultPolicy|Prevent a user from removing a branch from the protected branches list or from deleting a protected branch."
-msgstr ""
-
msgid "ScanResultPolicy|Prevent approval by commit author"
msgstr ""
@@ -42338,9 +42329,6 @@ msgstr ""
msgid "ScanResultPolicy|Prevent pushing and force pushing"
msgstr ""
-msgid "ScanResultPolicy|Prevent pushing and force pushing to a protected branch."
-msgstr ""
-
msgid "ScanResultPolicy|Protected branch settings"
msgstr ""
@@ -42371,15 +42359,9 @@ msgstr ""
msgid "ScanResultPolicy|Status is:"
msgstr ""
-msgid "ScanResultPolicy|The merge request author cannot approve their own merge request."
-msgstr ""
-
msgid "ScanResultPolicy|Unknown"
msgstr ""
-msgid "ScanResultPolicy|Users who have contributed code to the MR are ineligible for approval, ensuring code committers cannot introduce vulnerabilities and approve code to merge."
-msgstr ""
-
msgid "ScanResultPolicy|When %{scanType} %{scanners} runs against the %{branches} %{branchExceptions} and find(s) %{vulnerabilitiesNumber} %{boldDescription} of the following criteria:"
msgstr ""
@@ -42392,6 +42374,24 @@ msgstr ""
msgid "ScanResultPolicy|When %{scanners} find scanner specified conditions in an open merge request targeting the %{branches} %{branchExceptions} and match %{boldDescription} of the following criteria"
msgstr ""
+msgid "ScanResultPolicy|When enabled, if an MR receives all necessary approvals to merge, but then a new commit is added, new approvals are required."
+msgstr ""
+
+msgid "ScanResultPolicy|When enabled, merge request authors cannot approve their own MRs."
+msgstr ""
+
+msgid "ScanResultPolicy|When enabled, prevents a user from removing a branch from the protected branches list, deleting a protected branch, or changing the default branch if that branch is included in the security policy."
+msgstr ""
+
+msgid "ScanResultPolicy|When enabled, prevents pushing and force pushing to a protected branch if that branch is included in the security policy."
+msgstr ""
+
+msgid "ScanResultPolicy|When enabled, there will be password confirmation on approvals."
+msgstr ""
+
+msgid "ScanResultPolicy|When enabled, users who have contributed code to the MR are ineligible for approval."
+msgstr ""
+
msgid "ScanResultPolicy|You have selected any protected branch option as a condition. To better protect your project, it is recommended to enable the protect branch settings. %{linkStart}Learn more.%{linkEnd}"
msgstr ""
diff --git a/spec/lib/gitlab/database/partitioning/ci_sliding_list_strategy_spec.rb b/spec/lib/gitlab/database/partitioning/ci_sliding_list_strategy_spec.rb
index 79c2c9e32d2..337749446ed 100644
--- a/spec/lib/gitlab/database/partitioning/ci_sliding_list_strategy_spec.rb
+++ b/spec/lib/gitlab/database/partitioning/ci_sliding_list_strategy_spec.rb
@@ -6,8 +6,8 @@ RSpec.describe Gitlab::Database::Partitioning::CiSlidingListStrategy, feature_ca
let(:connection) { ActiveRecord::Base.connection }
let(:table_name) { :_test_gitlab_ci_partitioned_test }
let(:model) { class_double(ApplicationRecord, table_name: table_name, connection: connection) }
- let(:next_partition_if) { nil }
- let(:detach_partition_if) { nil }
+ let(:next_partition_if) { ->(_) { false } }
+ let(:detach_partition_if) { ->(_) { false } }
subject(:strategy) do
described_class.new(model, :partition,
@@ -62,6 +62,16 @@ RSpec.describe Gitlab::Database::Partitioning::CiSlidingListStrategy, feature_ca
it 'is the partition with the largest value' do
expect(strategy.active_partition.value).to eq(101)
end
+
+ context 'when there are no partitions' do
+ before do
+ drop_partitions
+ end
+
+ it 'is the initial partition' do
+ expect(strategy.active_partition.value).to eq(100)
+ end
+ end
end
describe '#missing_partitions' do
@@ -74,6 +84,17 @@ RSpec.describe Gitlab::Database::Partitioning::CiSlidingListStrategy, feature_ca
expect(extra.length).to eq(1)
expect(extra.first.value).to eq(102)
end
+
+ context 'when there are no partitions for the table' do
+ it 'returns partitions for value 100 and 101' do
+ drop_partitions
+
+ missing_partitions = strategy.missing_partitions
+
+ expect(missing_partitions.size).to eq(2)
+ expect(missing_partitions.map(&:value)).to match_array([100, 101])
+ end
+ end
end
context 'when next_partition_if returns false' do
@@ -85,8 +106,8 @@ RSpec.describe Gitlab::Database::Partitioning::CiSlidingListStrategy, feature_ca
end
context 'when there are no partitions for the table' do
- it 'returns a partition for value 1' do
- connection.execute("drop table #{table_name}_100; drop table #{table_name}_101;")
+ it 'returns a partition for value 100' do
+ drop_partitions
missing_partitions = strategy.missing_partitions
@@ -201,4 +222,8 @@ RSpec.describe Gitlab::Database::Partitioning::CiSlidingListStrategy, feature_ca
})
end
end
+
+ def drop_partitions
+ connection.execute("drop table #{table_name}_100; drop table #{table_name}_101;")
+ end
end
diff --git a/spec/models/ci/pipeline_spec.rb b/spec/models/ci/pipeline_spec.rb
index 9abb97a3d09..53c4a7e24a7 100644
--- a/spec/models/ci/pipeline_spec.rb
+++ b/spec/models/ci/pipeline_spec.rb
@@ -5649,6 +5649,22 @@ RSpec.describe Ci::Pipeline, :mailer, factory_default: :keep, feature_category:
end
end
+ describe '.current_partition_value' do
+ subject { described_class.current_partition_value }
+
+ it { is_expected.to eq(101) }
+
+ it 'accepts an optional argument' do
+ expect(described_class.current_partition_value(build_stubbed(:project))).to eq(101)
+ end
+
+ it 'returns 100 when the flag is disabled' do
+ stub_feature_flags(ci_current_partition_value_101: false)
+
+ is_expected.to eq(100)
+ end
+ end
+
describe '#notes=' do
context 'when notes already exist' do
it 'does not create duplicate notes', :aggregate_failures do
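Review bot: The new `.current_partition_value` examples cover only the flag fully on or fully off, so neither the per-project actor nor the request-store memoization added in `app/models/ci/pipeline.rb` is exercised. Add an example that enables the flag for a single project, along the lines of `stub_feature_flags(ci_current_partition_value_101: project)`, and asserts 101 for that project and 100 for another one. Running a variant of it with the request store active (the `:request_store` metadata, if this suite supports it) would pin down what a second call with a different project returns within one request. The `'accepts an optional argument'` example as written passes whether or not the argument is used.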