Merge branch 'feature/sm/33281-protected-runner-executes-jobs-on-protected-branch' into 'master'

Protected runner executes jobs on protected branch [Solution 1]

Closes #33281

See merge request !13194

8 files changed, 28 insertions, 4 deletions

diff --git a/app/models/ci/build.rb b/app/models/ci/build.rb
index 8adaafe6439..ba3156154ac 100644
--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -3,6 +3,7 @@ module Ci
     include TokenAuthenticatable
     include AfterCommitQueue
     include Presentable
+    include Importable
 
     belongs_to :runner
     belongs_to :trigger_request
@@ -26,6 +27,7 @@ module Ci
 
     validates :coverage, numericality: true, allow_blank: true
     validates :ref, presence: true
+    validates :protected, inclusion: { in: [true, false], unless: :importing? }, on: :create
 
     scope :unstarted, ->() { where(runner_id: nil) }
     scope :ignore_failures, ->() { where(allow_failure: false) }
@@ -34,6 +36,7 @@ module Ci
     scope :with_expired_artifacts, ->() { with_artifacts.where('artifacts_expire_at < ?', Time.now) }
     scope :last_month, ->() { where('created_at > ?', Date.today - 1.month) }
     scope :manual_actions, ->() { where(when: :manual, status: COMPLETED_STATUSES + [:manual]) }
+    scope :ref_protected, -> { where(protected: true) }
 
     mount_uploader :artifacts_file, ArtifactUploader
     mount_uploader :artifacts_metadata, ArtifactUploader
diff --git a/app/models/ci/pipeline.rb b/app/models/ci/pipeline.rb
index 2d40f8012a3..ca9a350ea79 100644
--- a/app/models/ci/pipeline.rb
+++ b/app/models/ci/pipeline.rb
@@ -36,6 +36,7 @@ module Ci
     validates :sha, presence: { unless: :importing? }
     validates :ref, presence: { unless: :importing? }
     validates :status, presence: { unless: :importing? }
+    validates :protected, inclusion: { in: [true, false], unless: :importing? }, on: :create
     validate :valid_commit_sha, unless: :importing?
 
     after_create :keep_around_commits, unless: :importing?
diff --git a/app/models/ci/runner.rb b/app/models/ci/runner.rb
index 906a76ec560..b1798084787 100644
--- a/app/models/ci/runner.rb
+++ b/app/models/ci/runner.rb
@@ -5,7 +5,7 @@ module Ci
     RUNNER_QUEUE_EXPIRY_TIME = 60.minutes
     ONLINE_CONTACT_TIMEOUT = 1.hour
     AVAILABLE_SCOPES = %w[specific shared active paused online].freeze
-    FORM_EDITABLE = %i[description tag_list active run_untagged locked].freeze
+    FORM_EDITABLE = %i[description tag_list active run_untagged locked access_level].freeze
 
     has_many :builds
     has_many :runner_projects, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
@@ -35,11 +35,17 @@ module Ci
     end
 
     validate :tag_constraints
+    validates :access_level, presence: true
 
     acts_as_taggable
 
     after_destroy :cleanup_runner_queue
 
+    enum access_level: {
+      not_protected: 0,
+      ref_protected: 1
+    }
+
     # Searches for runners matching the given query.
     #
     # This method uses ILIKE on PostgreSQL and LIKE on MySQL.
@@ -106,6 +112,8 @@ module Ci
     end
 
     def can_pick?(build)
+      return false if self.ref_protected? && !build.protected?
+
       assignable_for?(build.project) && accepting_tags?(build)
     end
 
diff --git a/app/services/ci/create_pipeline_service.rb b/app/services/ci/create_pipeline_service.rb
index de2cd7e87be..414c01b2546 100644
--- a/app/services/ci/create_pipeline_service.rb
+++ b/app/services/ci/create_pipeline_service.rb
@@ -12,7 +12,8 @@ module Ci
         tag: tag?,
         trigger_requests: Array(trigger_request),
         user: current_user,
-        pipeline_schedule: schedule
+        pipeline_schedule: schedule,
+        protected: project.protected_for?(ref)
       )
 
       result = validate(current_user,
diff --git a/app/services/ci/register_job_service.rb b/app/services/ci/register_job_service.rb
index 414f672cc6a..b8db709211a 100644
--- a/app/services/ci/register_job_service.rb
+++ b/app/services/ci/register_job_service.rb
@@ -77,7 +77,9 @@ module Ci
     end
 
     def new_builds
-      Ci::Build.pending.unstarted
+      builds = Ci::Build.pending.unstarted
+      builds = builds.ref_protected if runner.ref_protected?
+      builds
     end
 
     def shared_runner_build_limits_feature_enabled?
diff --git a/app/services/ci/retry_build_service.rb b/app/services/ci/retry_build_service.rb
index ea3b8d66ed9..d67b9f5cc56 100644
--- a/app/services/ci/retry_build_service.rb
+++ b/app/services/ci/retry_build_service.rb
@@ -3,7 +3,7 @@ module Ci
     CLONE_ACCESSORS = %i[pipeline project ref tag options commands name
                          allow_failure stage_id stage stage_idx trigger_request
                          yaml_variables when environment coverage_regex
-                         description tag_list].freeze
+                         description tag_list protected].freeze
 
     def execute(build)
       reprocess!(build).tap do |new_build|
diff --git a/app/views/projects/runners/_form.html.haml b/app/views/projects/runners/_form.html.haml
index 2ef1f98ba48..ac8e15a48b2 100644
--- a/app/views/projects/runners/_form.html.haml
+++ b/app/views/projects/runners/_form.html.haml
@@ -7,6 +7,12 @@
         = f.check_box :active
         %span.light Paused Runners don't accept new jobs
   .form-group
+    = label :protected, "Protected", class: 'control-label'
+    .col-sm-10
+      .checkbox
+        = f.check_box :access_level, {}, 'ref_protected', 'not_protected'
+        %span.light This runner will only run on pipelines trigged on protected branches
+  .form-group
     = label :run_untagged, 'Run untagged jobs', class: 'control-label'
     .col-sm-10
       .checkbox
diff --git a/app/views/projects/runners/show.html.haml b/app/views/projects/runners/show.html.haml
index 49415ba557b..dfab04aa1fb 100644
--- a/app/views/projects/runners/show.html.haml
+++ b/app/views/projects/runners/show.html.haml
@@ -20,6 +20,9 @@
       %td Active
       %td= @runner.active? ? 'Yes' : 'No'
     %tr
+      %td Protected
+      %td= @runner.ref_protected? ? 'Yes' : 'No'
+    %tr
       %td Can run untagged jobs
       %td= @runner.run_untagged? ? 'Yes' : 'No'
     %tr