Merge branch 'ac-releases-api' into 'master'

Add first-class releases API

See merge request gitlab-org/gitlab-ce!23795

14 files changed, 814 insertions, 95 deletions

diff --git a/spec/factories/releases.rb b/spec/factories/releases.rb
index 18047c74a5d..cab6b4a811f 100644
--- a/spec/factories/releases.rb
+++ b/spec/factories/releases.rb
@@ -1,8 +1,15 @@
 FactoryBot.define do
   factory :release do
     tag "v1.1.0"
+    sha 'b83d6e391c22777fca1ed3012fce84f633d7fed0'
     name { tag }
     description "Awesome release"
     project
+    author
+
+    trait :legacy do
+      sha nil
+      author nil
+    end
   end
 end
diff --git a/spec/finders/releases_finder_spec.rb b/spec/finders/releases_finder_spec.rb
new file mode 100644
index 00000000000..32ee15134a2
--- /dev/null
+++ b/spec/finders/releases_finder_spec.rb
@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe ReleasesFinder do
+  let(:user)       { create(:user) }
+  let(:project)    { create(:project, :repository) }
+  let(:repository) { project.repository }
+  let(:v1_0_0)     { create(:release, project: project, tag: 'v1.0.0') }
+  let(:v1_1_0)     { create(:release, project: project, tag: 'v1.1.0') }
+
+  subject { described_class.new(project, user)}
+
+  before do
+    v1_0_0.update_attribute(:created_at, 2.days.ago)
+    v1_1_0.update_attribute(:created_at, 1.day.ago)
+  end
+
+  describe '#execute' do
+    context 'when the user is not part of the project' do
+      it 'returns no releases' do
+        releases = subject.execute
+
+        expect(releases).to be_empty
+      end
+    end
+
+    context 'when the user is a project developer' do
+      before do
+        project.add_developer(user)
+      end
+
+      it 'sorts by creation date' do
+        releases = subject.execute
+
+        expect(releases).to be_present
+        expect(releases.size).to eq(2)
+        expect(releases).to eq([v1_1_0, v1_0_0])
+      end
+    end
+  end
+end
diff --git a/spec/fixtures/api/schemas/release.json b/spec/fixtures/api/schemas/release.json
new file mode 100644
index 00000000000..844405c3acd
--- /dev/null
+++ b/spec/fixtures/api/schemas/release.json
@@ -0,0 +1,18 @@
+{
+  "type": "object",
+  "required": ["name", "tag_name"],
+  "properties": {
+    "name": { "type": "string" },
+    "tag_name": { "type": "string" },
+    "description": { "type": "string" },
+    "description_html": { "type": "string" },
+    "created_at": { "type": "date" },
+    "commit": {
+      "oneOf": [{ "type": "null" }, { "$ref": "public_api/v4/commit/basic.json" }]
+    },
+    "author": {
+      "oneOf": [{ "type": "null" }, { "$ref": "public_api/v4/user/basic.json" }]
+    }
+  },
+  "additionalProperties": false
+}
diff --git a/spec/fixtures/api/schemas/releases.json b/spec/fixtures/api/schemas/releases.json
new file mode 100644
index 00000000000..e26215707fe
--- /dev/null
+++ b/spec/fixtures/api/schemas/releases.json
@@ -0,0 +1,4 @@
+{
+  "type": "array",
+  "items": { "$ref": "release.json" }
+}
diff --git a/spec/lib/gitlab/legacy_github_import/importer_spec.rb b/spec/lib/gitlab/legacy_github_import/importer_spec.rb
index d2df21d7bb5..6bc3792eb22 100644
--- a/spec/lib/gitlab/legacy_github_import/importer_spec.rb
+++ b/spec/lib/gitlab/legacy_github_import/importer_spec.rb
@@ -138,7 +138,7 @@ describe Gitlab::LegacyGithubImport::Importer do
 
     let(:release2) do
       double(
-        tag_name: 'v2.0.0',
+        tag_name: 'v1.1.0',
         name: 'Second release',
         body: nil,
         draft: false,
diff --git a/spec/models/release_spec.rb b/spec/models/release_spec.rb
index 51725eeacac..92ba2d82f58 100644
--- a/spec/models/release_spec.rb
+++ b/spec/models/release_spec.rb
@@ -1,7 +1,9 @@
 require 'rails_helper'
 
 RSpec.describe Release do
-  let(:release) { create(:release) }
+  let(:user)    { create(:user) }
+  let(:project) { create(:project, :public, :repository) }
+  let(:release) { create(:release, project: project, author: user) }
 
   it { expect(release).to be_valid }
 
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index fa47b95899a..9cb20854f6e 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -15,7 +15,7 @@ describe ProjectPolicy do
       read_project_for_iids read_issue_iid read_merge_request_iid read_label
       read_milestone read_project_snippet read_project_member read_note
       create_project create_issue create_note upload_file create_merge_request_in
-      award_emoji
+      award_emoji read_release
     ]
   end
 
@@ -38,7 +38,7 @@ describe ProjectPolicy do
       update_commit_status create_build update_build create_pipeline
       update_pipeline create_merge_request_from create_wiki push_code
       resolve_note create_container_image update_container_image
-      create_environment create_deployment
+      create_environment create_deployment create_release update_release
     ]
   end
 
@@ -48,7 +48,7 @@ describe ProjectPolicy do
       update_deployment admin_project_snippet
       admin_project_member admin_note admin_wiki admin_project
       admin_commit_status admin_build admin_container_image
-      admin_pipeline admin_environment admin_deployment add_cluster
+      admin_pipeline admin_environment admin_deployment destroy_release add_cluster
     ]
   end
 
@@ -56,7 +56,7 @@ describe ProjectPolicy do
     %i[
       download_code fork_project read_commit_status read_pipeline
       read_container_image build_download_code build_read_container_image
-      download_wiki_code
+      download_wiki_code read_release
     ]
   end
 
@@ -183,7 +183,8 @@ describe ProjectPolicy do
         :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
         :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment,
         :create_cluster, :read_cluster, :update_cluster, :admin_cluster,
-        :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment
+        :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment,
+        :destroy_release
       ]
 
       expect_disallowed(*repository_permissions)
diff --git a/spec/requests/api/releases_spec.rb b/spec/requests/api/releases_spec.rb
new file mode 100644
index 00000000000..a44e37f9cd5
--- /dev/null
+++ b/spec/requests/api/releases_spec.rb
@@ -0,0 +1,532 @@
+require 'spec_helper'
+
+describe API::Releases do
+  let(:project) { create(:project, :repository, :private) }
+  let(:maintainer) { create(:user) }
+  let(:reporter) { create(:user) }
+  let(:non_project_member) { create(:user) }
+  let(:commit) { create(:commit, project: project) }
+
+  before do
+    project.add_maintainer(maintainer)
+    project.add_reporter(reporter)
+
+    project.repository.add_tag(maintainer, 'v0.1', commit.id)
+    project.repository.add_tag(maintainer, 'v0.2', commit.id)
+  end
+
+  describe 'GET /projects/:id/releases' do
+    context 'when there are two releases' do
+      let!(:release_1) do
+        create(:release,
+               project: project,
+               tag: 'v0.1',
+               author: maintainer,
+               created_at: 2.days.ago)
+      end
+
+      let!(:release_2) do
+        create(:release,
+               project: project,
+               tag: 'v0.2',
+               author: maintainer,
+               created_at: 1.day.ago)
+      end
+
+      it 'returns 200 HTTP status' do
+        get api("/projects/#{project.id}/releases", maintainer)
+
+        expect(response).to have_gitlab_http_status(:ok)
+      end
+
+      it 'returns releases ordered by created_at' do
+        get api("/projects/#{project.id}/releases", maintainer)
+
+        expect(json_response.count).to eq(2)
+        expect(json_response.first['tag_name']).to eq(release_2.tag)
+        expect(json_response.second['tag_name']).to eq(release_1.tag)
+      end
+
+      it 'matches response schema' do
+        get api("/projects/#{project.id}/releases", maintainer)
+
+        expect(response).to match_response_schema('releases')
+      end
+    end
+
+    context 'when tag does not exist in git repository' do
+      let!(:release) { create(:release, project: project, tag: 'v1.1.5') }
+
+      it 'returns the tag' do
+        get api("/projects/#{project.id}/releases", maintainer)
+
+        expect(json_response.count).to eq(1)
+        expect(json_response.first['tag_name']).to eq('v1.1.5')
+        expect(release).to be_tag_missing
+      end
+    end
+
+    context 'when user is not a project member' do
+      it 'cannot find the project' do
+        get api("/projects/#{project.id}/releases", non_project_member)
+
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+
+      context 'when project is public' do
+        let(:project) { create(:project, :repository, :public) }
+
+        it 'allows the request' do
+          get api("/projects/#{project.id}/releases", non_project_member)
+
+          expect(response).to have_gitlab_http_status(:ok)
+        end
+      end
+    end
+
+    context 'when feature flag is disabled' do
+      before do
+        stub_feature_flags(releases_page: false)
+      end
+
+      it 'cannot find the API' do
+        get api("/projects/#{project.id}/releases", maintainer)
+
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
+  end
+
+  describe 'GET /projects/:id/releases/:tag_name' do
+    context 'when there is a release' do
+      let!(:release) do
+        create(:release,
+               project: project,
+               tag: 'v0.1',
+               sha: commit.id,
+               author: maintainer,
+               description: 'This is v0.1')
+      end
+
+      it 'returns 200 HTTP status' do
+        get api("/projects/#{project.id}/releases/v0.1", maintainer)
+
+        expect(response).to have_gitlab_http_status(:ok)
+      end
+
+      it 'returns a release entry' do
+        get api("/projects/#{project.id}/releases/v0.1", maintainer)
+
+        expect(json_response['tag_name']).to eq(release.tag)
+        expect(json_response['description']).to eq('This is v0.1')
+        expect(json_response['author']['name']).to eq(maintainer.name)
+        expect(json_response['commit']['id']).to eq(commit.id)
+      end
+
+      it 'matches response schema' do
+        get api("/projects/#{project.id}/releases/v0.1", maintainer)
+
+        expect(response).to match_response_schema('release')
+      end
+    end
+
+    context 'when specified tag is not found in the project' do
+      it 'cannot find the release entry' do
+        get api("/projects/#{project.id}/releases/non_exist_tag", maintainer)
+
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
+    end
+
+    context 'when user is not a project member' do
+      let!(:release) { create(:release, tag: 'v0.1', project: project) }
+
+      it 'cannot find the project' do
+        get api("/projects/#{project.id}/releases/v0.1", non_project_member)
+
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+
+      context 'when project is public' do
+        let(:project) { create(:project, :repository, :public) }
+
+        it 'allows the request' do
+          get api("/projects/#{project.id}/releases/v0.1", non_project_member)
+
+          expect(response).to have_gitlab_http_status(:ok)
+        end
+      end
+    end
+
+    context 'when feature flag is disabled' do
+      before do
+        stub_feature_flags(releases_page: false)
+      end
+
+      it 'cannot find the API' do
+        get api("/projects/#{project.id}/releases/v0.1", maintainer)
+
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
+  end
+
+  describe 'POST /projects/:id/releases' do
+    let(:params) do
+      {
+        name: 'New release',
+        tag_name: 'v0.1',
+        description: 'Super nice release'
+      }
+    end
+
+    it 'accepts the request' do
+      post api("/projects/#{project.id}/releases", maintainer), params: params
+
+      expect(response).to have_gitlab_http_status(:created)
+    end
+
+    it 'creates a new release' do
+      expect do
+        post api("/projects/#{project.id}/releases", maintainer), params: params
+      end.to change { Release.count }.by(1)
+
+      expect(project.releases.last.name).to eq('New release')
+      expect(project.releases.last.tag).to eq('v0.1')
+      expect(project.releases.last.description).to eq('Super nice release')
+    end
+
+    context 'when description is empty' do
+      let(:params) do
+        {
+          name: 'New release',
+          tag_name: 'v0.1',
+          description: ''
+        }
+      end
+
+      it 'returns an error as validation failure' do
+        expect do
+          post api("/projects/#{project.id}/releases", maintainer), params: params
+        end.not_to change { Release.count }
+
+        expect(response).to have_gitlab_http_status(:bad_request)
+        expect(json_response['message'])
+          .to eq("Validation failed: Description can't be blank")
+      end
+    end
+
+    it 'matches response schema' do
+      post api("/projects/#{project.id}/releases", maintainer), params: params
+
+      expect(response).to match_response_schema('release')
+    end
+
+    it 'does not create a new tag' do
+      expect do
+        post api("/projects/#{project.id}/releases", maintainer), params: params
+      end.not_to change { Project.find_by_id(project.id).repository.tag_count }
+    end
+
+    context 'when user is a reporter' do
+      it 'forbids the request' do
+        post api("/projects/#{project.id}/releases", reporter), params: params
+
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
+    end
+
+    context 'when user is not a project member' do
+      it 'forbids the request' do
+        post api("/projects/#{project.id}/releases", non_project_member),
+             params: params
+
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+
+      context 'when project is public' do
+        let(:project) { create(:project, :repository, :public) }
+
+        it 'forbids the request' do
+          post api("/projects/#{project.id}/releases", non_project_member),
+               params: params
+
+          expect(response).to have_gitlab_http_status(:forbidden)
+        end
+      end
+    end
+
+    context 'when tag does not exist in git repository' do
+      let(:params) do
+        {
+          name: 'Android ~ Ice Cream Sandwich ~',
+          tag_name: tag_name,
+          description: 'Android 4.0–4.0.4 "Ice Cream Sandwich" is the ninth' \
+                       'version of the Android mobile operating system developed' \
+                       'by Google.',
+          ref: 'master'
+        }
+      end
+
+      let(:tag_name) { 'v4.0' }
+
+      it 'creates a new tag' do
+        expect do
+          post api("/projects/#{project.id}/releases", maintainer), params: params
+        end.to change { Project.find_by_id(project.id).repository.tag_count }.by(1)
+
+        expect(project.repository.find_tag('v4.0').dereferenced_target.id)
+          .to eq(project.repository.commit('master').id)
+      end
+
+      it 'creates a new release' do
+        expect do
+          post api("/projects/#{project.id}/releases", maintainer), params: params
+        end.to change { Release.count }.by(1)
+
+        expect(project.releases.last.name).to eq('Android ~ Ice Cream Sandwich ~')
+        expect(project.releases.last.tag).to eq('v4.0')
+        expect(project.releases.last.description).to eq(
+          'Android 4.0–4.0.4 "Ice Cream Sandwich" is the ninth' \
+          'version of the Android mobile operating system developed' \
+          'by Google.')
+      end
+
+      context 'when tag name is HEAD' do
+        let(:tag_name) { 'HEAD' }
+
+        it 'returns an error as failure on tag creation' do
+          post api("/projects/#{project.id}/releases", maintainer), params: params
+
+          expect(response).to have_gitlab_http_status(:internal_server_error)
+          expect(json_response['message']).to eq('Tag name invalid')
+        end
+      end
+
+      context 'when tag name is empty' do
+        let(:tag_name) { '' }
+
+        it 'returns an error as failure on tag creation' do
+          post api("/projects/#{project.id}/releases", maintainer), params: params
+
+          expect(response).to have_gitlab_http_status(:internal_server_error)
+          expect(json_response['message']).to eq('Tag name invalid')
+        end
+      end
+    end
+
+    context 'when release already exists' do
+      before do
+        create(:release, project: project, tag: 'v0.1', name: 'New release')
+      end
+
+      it 'returns an error as conflicted request' do
+        post api("/projects/#{project.id}/releases", maintainer), params: params
+
+        expect(response).to have_gitlab_http_status(:conflict)
+      end
+    end
+
+    context 'when feature flag is disabled' do
+      before do
+        stub_feature_flags(releases_page: false)
+      end
+
+      it 'cannot find the API' do
+        post api("/projects/#{project.id}/releases", maintainer), params: params
+
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
+  end
+
+  describe 'PUT /projects/:id/releases/:tag_name' do
+    let(:params) { { description: 'Best release ever!' } }
+
+    let!(:release) do
+      create(:release,
+             project: project,
+             tag: 'v0.1',
+             name: 'New release',
+             description: 'Super nice release')
+    end
+
+    it 'accepts the request' do
+      put api("/projects/#{project.id}/releases/v0.1", maintainer), params: params
+
+      expect(response).to have_gitlab_http_status(:ok)
+    end
+
+    it 'updates the description' do
+      put api("/projects/#{project.id}/releases/v0.1", maintainer), params: params
+
+      expect(project.releases.last.description).to eq('Best release ever!')
+    end
+
+    it 'does not change other attributes' do
+      put api("/projects/#{project.id}/releases/v0.1", maintainer), params: params
+
+      expect(project.releases.last.tag).to eq('v0.1')
+      expect(project.releases.last.name).to eq('New release')
+    end
+
+    it 'matches response schema' do
+      put api("/projects/#{project.id}/releases/v0.1", maintainer), params: params
+
+      expect(response).to match_response_schema('release')
+    end
+
+    context 'when user tries to update sha' do
+      let(:params) { { sha: 'xxx' } }
+
+      it 'does not allow the request' do
+        put api("/projects/#{project.id}/releases/v0.1", maintainer), params: params
+
+        expect(response).to have_gitlab_http_status(:bad_request)
+      end
+    end
+
+    context 'when params is empty' do
+      let(:params) { {} }
+
+      it 'does not allow the request' do
+        put api("/projects/#{project.id}/releases/v0.1", maintainer), params: params
+
+        expect(response).to have_gitlab_http_status(:bad_request)
+      end
+    end
+
+    context 'when there are no corresponding releases' do
+      let!(:release) { }
+
+      it 'forbids the request' do
+        put api("/projects/#{project.id}/releases/v0.1", maintainer), params: params
+
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
+    end
+
+    context 'when user is a reporter' do
+      it 'forbids the request' do
+        put api("/projects/#{project.id}/releases/v0.1", reporter), params: params
+
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
+    end
+
+    context 'when user is not a project member' do
+      it 'forbids the request' do
+        put api("/projects/#{project.id}/releases/v0.1", non_project_member),
+             params: params
+
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+
+      context 'when project is public' do
+        let(:project) { create(:project, :repository, :public) }
+
+        it 'forbids the request' do
+          put api("/projects/#{project.id}/releases/v0.1", non_project_member),
+               params: params
+
+          expect(response).to have_gitlab_http_status(:forbidden)
+        end
+      end
+    end
+
+    context 'when feature flag is disabled' do
+      before do
+        stub_feature_flags(releases_page: false)
+      end
+
+      it 'cannot find the API' do
+        put api("/projects/#{project.id}/releases/v0.1", non_project_member),
+          params: params
+
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
+  end
+
+  describe 'DELETE /projects/:id/releases/:tag_name' do
+    let!(:release) do
+      create(:release,
+             project: project,
+             tag: 'v0.1',
+             name: 'New release',
+             description: 'Super nice release')
+    end
+
+    it 'accepts the request' do
+      delete api("/projects/#{project.id}/releases/v0.1", maintainer)
+
+      expect(response).to have_gitlab_http_status(:ok)
+    end
+
+    it 'destroys the release' do
+      expect do
+        delete api("/projects/#{project.id}/releases/v0.1", maintainer)
+      end.to change { Release.count }.by(-1)
+    end
+
+    it 'does not remove a tag in repository' do
+      expect do
+        delete api("/projects/#{project.id}/releases/v0.1", maintainer)
+      end.not_to change { Project.find_by_id(project.id).repository.tag_count }
+    end
+
+    it 'matches response schema' do
+      delete api("/projects/#{project.id}/releases/v0.1", maintainer)
+
+      expect(response).to match_response_schema('release')
+    end
+
+    context 'when there are no corresponding releases' do
+      let!(:release) { }
+
+      it 'forbids the request' do
+        delete api("/projects/#{project.id}/releases/v0.1", maintainer)
+
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
+    end
+
+    context 'when user is a reporter' do
+      it 'forbids the request' do
+        delete api("/projects/#{project.id}/releases/v0.1", reporter)
+
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
+    end
+
+    context 'when user is not a project member' do
+      it 'forbids the request' do
+        delete api("/projects/#{project.id}/releases/v0.1", non_project_member)
+
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+
+      context 'when project is public' do
+        let(:project) { create(:project, :repository, :public) }
+
+        it 'forbids the request' do
+          delete api("/projects/#{project.id}/releases/v0.1", non_project_member)
+
+          expect(response).to have_gitlab_http_status(:forbidden)
+        end
+      end
+    end
+
+    context 'when feature flag is disabled' do
+      before do
+        stub_feature_flags(releases_page: false)
+      end
+
+      it 'cannot find the API' do
+        delete api("/projects/#{project.id}/releases/v0.1", non_project_member)
+
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
+  end
+end
diff --git a/spec/requests/api/tags_spec.rb b/spec/requests/api/tags_spec.rb
index 12cfac96d31..d09b6fe72b1 100644
--- a/spec/requests/api/tags_spec.rb
+++ b/spec/requests/api/tags_spec.rb
@@ -107,9 +107,12 @@ describe API::Tags do
     context 'with releases' do
       let(:description) { 'Awesome release!' }
 
-      before do
-        release = project.releases.find_or_initialize_by(tag: tag_name)
-        release.update(description: description)
+      let!(:release) do
+        create(:release,
+               :legacy,
+               project: project,
+               tag: tag_name,
+               description: description)
       end
 
       it 'returns an array of project tags with release info' do
@@ -373,7 +376,7 @@ describe API::Tags do
 
         it_behaves_like '404 response' do
           let(:request) { post api(route, current_user), params: { description: description } }
-          let(:message) { 'Tag does not exist' }
+          let(:message) { '404 Tag Not Found' }
         end
       end
 
@@ -398,10 +401,7 @@ describe API::Tags do
       end
 
       context 'on tag with existing release' do
-        before do
-          release = project.releases.find_or_initialize_by(tag: tag_name)
-          release.update(description: description)
-        end
+        let!(:release) { create(:release, :legacy, project: project, tag: tag_name, description: description) }
 
         it 'returns 409 if there is already a release' do
           post api(route, user), params: { description: description }
@@ -420,9 +420,12 @@ describe API::Tags do
 
     shared_examples_for 'repository update release' do
       context 'on tag with existing release' do
-        before do
-          release = project.releases.find_or_initialize_by(tag: tag_name)
-          release.update(description: description)
+        let!(:release) do
+          create(:release,
+                 :legacy,
+                 project: project,
+                 tag: tag_name,
+                 description: description)
         end
 
         it 'updates the release description' do
@@ -437,9 +440,9 @@ describe API::Tags do
       context 'when tag does not exist' do
         let(:tag_name) { 'unknown' }
 
-        it_behaves_like '404 response' do
+        it_behaves_like '403 response' do
           let(:request) { put api(route, current_user), params: { description: new_description } }
-          let(:message) { 'Tag does not exist' }
+          let(:message) { '403 Forbidden' }
         end
       end
 
@@ -464,9 +467,9 @@ describe API::Tags do
       end
 
       context 'when release does not exist' do
-        it_behaves_like '404 response' do
+        it_behaves_like '403 response' do
           let(:request) { put api(route, current_user), params: { description: new_description } }
-          let(:message) { 'Release does not exist' }
+          let(:message) { '403 Forbidden' }
         end
       end
     end
diff --git a/spec/services/create_release_service_spec.rb b/spec/services/create_release_service_spec.rb
deleted file mode 100644
index 1a2dd0b39ee..00000000000
--- a/spec/services/create_release_service_spec.rb
+++ /dev/null
@@ -1,39 +0,0 @@
-require 'spec_helper'
-
-describe CreateReleaseService do
-  let(:project) { create(:project, :repository) }
-  let(:user) { create(:user) }
-  let(:tag_name) { project.repository.tag_names.first }
-  let(:description) { 'Awesome release!' }
-  let(:service) { described_class.new(project, user) }
-  let(:tag) { project.repository.find_tag(tag_name) }
-  let(:sha) { tag.dereferenced_target.sha }
-
-  it 'creates a new release' do
-    result = service.execute(tag_name, description)
-    expect(result[:status]).to eq(:success)
-    release = project.releases.find_by(tag: tag_name)
-    expect(release).not_to be_nil
-    expect(release.description).to eq(description)
-    expect(release.name).to eq(tag_name)
-    expect(release.sha).to eq(sha)
-    expect(release.author).to eq(user)
-  end
-
-  it 'raises an error if the tag does not exist' do
-    result = service.execute("foobar", description)
-    expect(result[:status]).to eq(:error)
-  end
-
-  context 'there already exists a release on a tag' do
-    before do
-      service.execute(tag_name, description)
-    end
-
-    it 'raises an error and does not update the release' do
-      result = service.execute(tag_name, 'The best release!')
-      expect(result[:status]).to eq(:error)
-      expect(project.releases.find_by(tag: tag_name).description).to eq(description)
-    end
-  end
-end
diff --git a/spec/services/releases/create_service_spec.rb b/spec/services/releases/create_service_spec.rb
new file mode 100644
index 00000000000..612e9f152e7
--- /dev/null
+++ b/spec/services/releases/create_service_spec.rb
@@ -0,0 +1,72 @@
+require 'spec_helper'
+
+describe Releases::CreateService do
+  let(:project) { create(:project, :repository) }
+  let(:user) { create(:user) }
+  let(:tag_name) { project.repository.tag_names.first }
+  let(:tag_sha) { project.repository.find_tag(tag_name).dereferenced_target.sha }
+  let(:name) { 'Bionic Beaver' }
+  let(:description) { 'Awesome release!' }
+  let(:params) { { tag: tag_name, name: name, description: description, ref: ref } }
+  let(:ref) { nil }
+  let(:service) { described_class.new(project, user, params) }
+
+  before do
+    project.add_maintainer(user)
+  end
+
+  describe '#execute' do
+    shared_examples 'a successful release creation' do
+      it 'creates a new release' do
+        result = service.execute
+        expect(result[:status]).to eq(:success)
+        expect(result[:tag]).not_to be_nil
+        expect(result[:release]).not_to be_nil
+        expect(result[:release].description).to eq(description)
+        expect(result[:release].name).to eq(name)
+        expect(result[:release].author).to eq(user)
+        expect(result[:release].sha).to eq(tag_sha)
+      end
+    end
+
+    it_behaves_like 'a successful release creation'
+
+    context 'when the tag does not exist' do
+      let(:tag_name) { 'non-exist-tag' }
+
+      it 'raises an error' do
+        result = service.execute
+
+        expect(result[:status]).to eq(:error)
+      end
+    end
+
+    context 'when ref is provided' do
+      let(:ref) { 'master' }
+      let(:tag_name) { 'foobar' }
+
+      it_behaves_like 'a successful release creation'
+
+      it 'creates a tag if the tag does not exist' do
+        expect(project.repository.ref_exists?("refs/tags/#{tag_name}")).to be_falsey
+
+        result = service.execute
+        expect(result[:status]).to eq(:success)
+        expect(result[:tag]).not_to be_nil
+        expect(result[:release]).not_to be_nil
+      end
+    end
+
+    context 'there already exists a release on a tag' do
+      let!(:release) do
+        create(:release, project: project, tag: tag_name, description: description)
+      end
+
+      it 'raises an error and does not update the release' do
+        result = service.execute
+        expect(result[:status]).to eq(:error)
+        expect(project.releases.find_by(tag: tag_name).description).to eq(description)
+      end
+    end
+  end
+end
diff --git a/spec/services/releases/destroy_service_spec.rb b/spec/services/releases/destroy_service_spec.rb
new file mode 100644
index 00000000000..dd5b8708f36
--- /dev/null
+++ b/spec/services/releases/destroy_service_spec.rb
@@ -0,0 +1,61 @@
+require 'spec_helper'
+
+describe Releases::DestroyService do
+  let(:project) { create(:project, :repository) }
+  let(:mainatiner) { create(:user) }
+  let(:repoter) { create(:user) }
+  let(:tag) { 'v1.1.0' }
+  let!(:release) { create(:release, project: project, tag: tag) }
+  let(:service) { described_class.new(project, user, params) }
+  let(:params) { { tag: tag } }
+  let(:user) { mainatiner }
+
+  before do
+    project.add_maintainer(mainatiner)
+    project.add_reporter(repoter)
+  end
+
+  describe '#execute' do
+    subject { service.execute }
+
+    context 'when there is a release' do
+      it 'removes the release' do
+        expect { subject }.to change { project.releases.count }.by(-1)
+      end
+
+      it 'returns the destroyed object' do
+        is_expected.to include(status: :success, release: release)
+      end
+    end
+
+    context 'when tag is not found' do
+      let(:tag) { 'v1.1.1' }
+
+      it 'returns an error' do
+        is_expected.to include(status: :error,
+                               message: 'Tag does not exist',
+                               http_status: 404)
+      end
+    end
+
+    context 'when release is not found' do
+      let!(:release) { }
+
+      it 'returns an error' do
+        is_expected.to include(status: :error,
+                               message: 'Release does not exist',
+                               http_status: 404)
+      end
+    end
+
+    context 'when user does not have permission' do
+      let(:user) { repoter }
+
+      it 'returns an error' do
+        is_expected.to include(status: :error,
+                               message: 'Access Denied',
+                               http_status: 403)
+      end
+    end
+  end
+end
diff --git a/spec/services/releases/update_service_spec.rb b/spec/services/releases/update_service_spec.rb
new file mode 100644
index 00000000000..6c68f364739
--- /dev/null
+++ b/spec/services/releases/update_service_spec.rb
@@ -0,0 +1,50 @@
+require 'spec_helper'
+
+describe Releases::UpdateService do
+  let(:project) { create(:project, :repository) }
+  let(:user) { create(:user) }
+  let(:new_name) { 'A new name' }
+  let(:new_description) { 'The best release!' }
+  let(:params) { { name: new_name, description: new_description, tag: tag_name } }
+  let(:service) { described_class.new(project, user, params) }
+  let!(:release) { create(:release, project: project, author: user, tag: tag_name) }
+  let(:tag_name) { 'v1.1.0' }
+
+  before do
+    project.add_developer(user)
+  end
+
+  describe '#execute' do
+    shared_examples 'a failed update' do
+      it 'raises an error' do
+        result = service.execute
+        expect(result[:status]).to eq(:error)
+      end
+    end
+
+    it 'successfully updates an existing release' do
+      result = service.execute
+      expect(result[:status]).to eq(:success)
+      expect(result[:release].name).to eq(new_name)
+      expect(result[:release].description).to eq(new_description)
+    end
+
+    context 'when the tag does not exists' do
+      let(:tag_name) { 'foobar' }
+
+      it_behaves_like 'a failed update'
+    end
+
+    context 'when the release does not exist' do
+      let!(:release) { }
+
+      it_behaves_like 'a failed update'
+    end
+
+    context 'with an invalid update' do
+      let(:new_description) { '' }
+
+      it_behaves_like 'a failed update'
+    end
+  end
+end
diff --git a/spec/services/update_release_service_spec.rb b/spec/services/update_release_service_spec.rb
deleted file mode 100644
index dc2d0e2d47a..00000000000
--- a/spec/services/update_release_service_spec.rb
+++ /dev/null
@@ -1,34 +0,0 @@
-require 'spec_helper'
-
-describe UpdateReleaseService do
-  let(:project) { create(:project, :repository) }
-  let(:user) { create(:user) }
-  let(:tag_name) { project.repository.tag_names.first }
-  let(:description) { 'Awesome release!' }
-  let(:new_description) { 'The best release!' }
-  let(:service) { described_class.new(project, user) }
-
-  context 'with an existing release' do
-    let(:create_service) { CreateReleaseService.new(project, user) }
-
-    before do
-      create_service.execute(tag_name, description)
-    end
-
-    it 'successfully updates an existing release' do
-      result = service.execute(tag_name, new_description)
-      expect(result[:status]).to eq(:success)
-      expect(project.releases.find_by(tag: tag_name).description).to eq(new_description)
-    end
-  end
-
-  it 'raises an error if the tag does not exist' do
-    result = service.execute("foobar", description)
-    expect(result[:status]).to eq(:error)
-  end
-
-  it 'raises an error if the release does not exist' do
-    result = service.execute(tag_name, description)
-    expect(result[:status]).to eq(:error)
-  end
-end