Diffstat (limited to 'db/post_migrate/20210908132335_disable_job_token_scope_when_unused.rb')
-rw-r--r-- | db/post_migrate/20210908132335_disable_job_token_scope_when_unused.rb | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/db/post_migrate/20210908132335_disable_job_token_scope_when_unused.rb b/db/post_migrate/20210908132335_disable_job_token_scope_when_unused.rb
new file mode 100644
index 00000000000..2e6ad12f928
--- /dev/null
+++ b/db/post_migrate/20210908132335_disable_job_token_scope_when_unused.rb
@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+class DisableJobTokenScopeWhenUnused < Gitlab::Database::Migration[1.0]
+ disable_ddl_transaction!
+
+ class ProjectCiCdSetting < ApplicationRecord
+ include EachBatch
+
+ self.table_name = 'project_ci_cd_settings'
+ end
+
+ module Ci
+ module JobToken
+ class ProjectScopeLink < ApplicationRecord
+ self.table_name = 'ci_job_token_project_scope_links'
+ end
+ end
+ end
+
+ def up
+ # Disabling job token scope after db/migrate/20210902171808_set_default_job_token_scope_false.rb
+ # if users haven't configured it.
+ ProjectCiCdSetting.each_batch(of: 10_000) do |settings|
+ with_enabled_but_unused_scope(settings).each_batch(of: 500) do |settings_to_update|
+ settings_to_update.update_all(job_token_scope_enabled: false)
+ end
+ end
+ end
+
+ def down
+ # irreversible data migration
+
+ # The migration relies on the state of `job_token_scope_enabled` and
+ # updates it based on whether the feature is used or not.
+ #
+ # The inverse migration would be to set `job_token_scope_enabled: true`
+ # for those projects that have the feature disabled and unused. But there
+ # could be also existing cases where the feature is disabled and unused.
+ # For example, old projects.
+ end
+
+ private
+
+ # The presence of ProjectScopeLinks means that the job token scope
+ # is configured and we need to leave it enabled. Unused job token scope
+ # can be disabled since they weren't configured.
+ def with_enabled_but_unused_scope(settings)
+ settings
+ .where(job_token_scope_enabled: true)
+ .where.not(project_id: Ci::JobToken::ProjectScopeLink.select(:source_project_id))
+ end
+end |
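Review bot: `with_enabled_but_unused_scope` treats every row with `job_token_scope_enabled: true` and no `ProjectScopeLink` as never configured, but in the visible code a project whose owner deliberately enabled the scope and added no links looks identical, and for that project `up` switches off what is presumably a restriction on what its CI job token may reach. Because `down` is a no-op and `update_all` keeps no record of the rows it changed, the affected projects cannot be listed or restored afterwards. I would state the assumption on the helper, e.g. `# NOTE: an enabled scope with zero links cannot be told apart from one left at the old default; both are disabled here.`, and consider logging the `project_id`s of each batch before the update so the change can be audited. Separately, `where.not(project_id: <subquery>)` compiles to `NOT IN`, which matches no rows if `source_project_id` can ever be NULL, so it is worth confirming that column is NOT NULL.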