root
/
gitlab-ce
mirror of https://gitlab.com/free-releases/gitlab-ce.git
1
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity

Add latest changes from gitlab-org/gitlab@master

This commit is contained in:
GitLab Bot 2024-01-18 18:08:43 +00:00
parent 85f1126ea6
commit 055b4c04d5
45 changed files with 479 additions and 215 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
app/assets/javascripts/vue_merge_request_widget/mr_widget_options.vue
View File

@ -263,12 +263,16 @@ export default {
'merged',
'closed',
'merging',
'autoMergeEnabled',
'shaMismatch',
].includes(this.mr.state) || ['MERGING', 'AUTO_MERGE'].includes(this.mr.machineValue)
].includes(this.mr.state) || this.mr.machineValue === 'MERGING'
)
);
},
autoMergeStateVisible() {
if (!window.gon?.features?.mergeBlockedComponent) return false;
return this.mr.state === 'autoMergeEnabled' || this.mr.machineValue === 'AUTO_MERGE';
},
},
watch: {
'mr.machineValue': {
@ -577,6 +581,12 @@ export default {
</div>
<div class="mr-widget-section" data-testid="mr-widget-content">
<mr-widget-auto-merge-enabled
v-if="autoMergeStateVisible"
:mr="mr"
:service="service"
class="gl-border-b-1 gl-border-b-solid gl-border-gray-100"
/>
<merge-checks v-if="mergeBlockedComponentEnabled" :mr="mr" :service="service" />
<component :is="componentName" v-else :mr="mr" :service="service" />
<ready-to-merge

2
app/helpers/registrations_helper.rb
View File

@ -12,7 +12,7 @@ module RegistrationsHelper
end
# overridden in EE
def oauth_tracking_label; end
def registration_tracking_label; end
# overridden in EE
def register_omniauth_params(_local_assigns)

12
app/models/ci/catalog/resources/version.rb
View File

@ -29,6 +29,7 @@ module Ci
delegate :sha, :released_at, :author_id, to: :release
before_create :sync_with_release
after_destroy :update_catalog_resource
after_save :update_catalog_resource
@ -131,8 +132,19 @@ module Ci
project.repository.tree(sha).readme
end
def sync_with_release!
sync_with_release
save!
end
private
# This column is denormalized from `releases`. It is first synced when a new version
# is created. Any updates to the column are synced via Release model callback.
def sync_with_release
self.released_at = release.released_at
end
def update_catalog_resource
catalog_resource.update_latest_released_at!
end

7
app/models/release.rb
View File

@ -25,8 +25,7 @@ class Release < ApplicationRecord
accepts_nested_attributes_for :links, allow_destroy: true
before_create :set_released_at
# TODO: Remove this callback after catalog_resource.released_at is denormalized. See https://gitlab.com/gitlab-org/gitlab/-/issues/430117.
after_update :update_catalog_resource, if: -> { project.catalog_resource && saved_change_to_released_at? }
after_update :update_catalog_resource_version, if: -> { catalog_resource_version && saved_change_to_released_at? }
after_destroy :update_catalog_resource, if: -> { project.catalog_resource }
validates :project, :tag, presence: true
@ -184,6 +183,10 @@ class Release < ApplicationRecord
end
end
def update_catalog_resource_version
catalog_resource_version.sync_with_release!
end
def update_catalog_resource
project.catalog_resource.update_latest_released_at!
end

6
app/validators/json_schemas/security_ci_configuration_schemas/sast_ui_schema.json
View File

@ -12,7 +12,7 @@
},
{
"field": "SAST_EXCLUDED_PATHS",
"label": "Excluded Paths",
"label": "Excluded paths",
"type": "string",
"default_value": "",
"value": "",
@ -32,12 +32,12 @@
},
{
"field": "SEARCH_MAX_DEPTH",
"label": "Search Maximum Depth",
"label": "Search maximum depth",
"type": "string",
"default_value": "",
"value": "",
"size": "SMALL",
"description": "Specifies the number of directory levels to be included in the repository search phase during SAST analysis. SAST scanner searches through the repository to detect the programming languages used and selects the corresponding analyzers. After that, the entire repository is analyzed."
"description": "Specifies the number of directory levels searched to identify programming languages and frameworks. This determines which analyzers to run against the entire repository."
}
],
"analyzers": [

3
app/views/devise/registrations/new.html.haml
View File

@ -14,5 +14,6 @@
= render 'devise/shared/signup_box',
url: registration_path(resource_name, registration_path_params),
button_text: _('Register'),
show_omniauth_providers: omniauth_enabled? && button_based_providers_enabled?
show_omniauth_providers: omniauth_enabled? && button_based_providers_enabled?,
tracking_label: registration_tracking_label
= render 'devise/shared/sign_in_link'

3
app/views/devise/shared/_signup_box.html.haml
View File

@ -4,4 +4,5 @@
= render 'devise/shared/signup_box_form',
button_text: button_text,
url: url,
show_omniauth_providers: omniauth_enabled? && button_based_providers_enabled?
show_omniauth_providers: omniauth_enabled? && button_based_providers_enabled?,
tracking_label: tracking_label

2
app/views/devise/shared/_signup_box_form.html.haml
View File

@ -73,7 +73,7 @@
- elsif show_recaptcha_sign_up?
= recaptcha_tags nonce: content_security_policy_nonce
= render Pajamas::ButtonComponent.new(type: :submit, variant: :confirm, block: true, button_options: { data: { testid: 'new-user-register-button' }}) do
= render Pajamas::ButtonComponent.new(type: :submit, variant: :confirm, block: true, button_options: { data: { testid: 'new-user-register-button', track_action: 'register', track_label: tracking_label }}) do
= button_text
= render 'devise/shared/terms_of_service_notice', button_text: button_text

2
app/views/devise/shared/_signup_omniauth_providers.haml
View File

@ -1,3 +1,3 @@
= render 'devise/shared/signup_omniauth_provider_list',
providers: enabled_button_based_providers,
tracking_label: oauth_tracking_label
tracking_label: registration_tracking_label

85
data/whats_new/202401180001_16_8.yml Normal file
View File

@ -0,0 +1,85 @@
- name: GCP Secret Manager support
description: |
Secrets stored in GCP Secrets Manager can now be easily retrieved and used in CI/CD jobs. Our new integration simplifies the process of interacting with GCP Secrets Manager through GitLab CI/CD, helping you streamline your build and deploy processes! This is just one of the many ways [GitLab and Google Cloud are better together](https://about.gitlab.com/blog/2023/08/29/gitlab-google-partnership-s3c/)!
stage: Verify
self-managed: true
gitlab-com: true
available_in: [Premium, Ultimate]
documentation_link: https://docs.gitlab.com/ee/ci/secrets/gcp_secret_manager.html
image_url: https://about.gitlab.com/images/16_8/gcp_secrets_mgr.png
published_at: 2024-01-18
release: 16.8
- name: Speed up your builds with the Maven dependency proxy
description: |
A typical software project relies on a variety of dependencies, which we call packages. Packages can be internally built and maintained, or sourced from a public repository. Based on our user research, we've learned that most projects use a 50/50 mix of public and private packages. Package installation order is very important, as using an incorrect package version can introduce breaking changes and security vulnerabilities into your pipelines.
Now you can add one external Java repository to your GitLab project. After adding it, when you install a package using the dependency proxy, GitLab first checks for the package in the project. If it's not found, GitLab then attempts to pull the package from the external repository.
When a package is pulled from the external repository, it's imported into the GitLab project. The next time that particular package is pulled, it's pulled from GitLab and not the external repository. Even if the external repository is having connectivity issues and the package is present in the dependency proxy, pulling the package still works, making your pipelines faster and more reliable.
If the package changes in the external repository (for example, a user deletes a version and publishes a new one with different files) the dependency proxy detects it. It invalidates the package, so GitLab pulls the newer one. This ensures the correct packages are downloaded, and helps reduce security vulnerabilities.
stage: Package
self-managed: true
gitlab-com: true
available_in: [Premium, Ultimate]
documentation_link: https://docs.gitlab.com/ee/user/packages/package_registry/dependency_proxy/
image_url: https://img.youtube.com/vi/9NPTXObsSrE/hqdefault.jpg
published_at: 2024-01-18
release: 16.8
- name: Workspaces are now generally available
description: |
We're thrilled to share that workspaces are now generally available and ready to improve your developer efficiency!
By creating secure, on-demand remote development environments, you can reduce the time you spend managing dependencies and onboarding new developers and focus on delivering value faster. With our platform-agnostic approach, you can use your existing cloud infrastructure to host your workspaces and keep your data private and secure.
Since their introduction in GitLab 16.0, workspaces have received improvements to error handling and reconciliation, support for private projects and SSH connections, additional configuration options, and a new administrator interface. These improvements mean that workspaces are now more flexible, more resilient, and more easily managed at scale.
stage: Create
self-managed: true
gitlab-com: true
available_in: [Premium, Ultimate]
documentation_link: https://docs.gitlab.com/ee/user/workspace/
image_url: https://about.gitlab.com/images/16_8/workspaces-ga.png
published_at: 2024-01-18
release: 16.8
- name: Enforce 2FA for GitLab administrators
description: |
You can now enforce whether GitLab administrators are required to use two-factor authentication (2FA) in their self-managed instance. It is good security practice to use 2FA for all accounts, especially for privileged accounts like administrators. If this setting is enforced, and an administrator does not already use 2FA, they must set 2FA up on their next sign-in.
stage: Govern
self-managed: true
gitlab-com: false
available_in: [Free, Premium, Ultimate]
documentation_link: https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-administrator-users
image_url: https://img.youtube.com/vi/fHleeXzoB6k/hqdefault.jpg
published_at: 2024-01-18
release: 16.8
- name: Deeper insights into velocity in the Issue Analytics report
description: |
The **Issue Analytics** report now contains information on the number of closed issues in a month to allow for a detailed velocity analysis. With this valuable addition, GitLab users can now gain insights into trends associated with their projects, and improve the overall turn-around time and value delivered to their customers. The **Issue Analytics** visualization contains a bar chart with the number of issues for each month, with a default time span of 13 months. You can access this chart from the drill-down in the [Value Streams Dashboard](https://docs.gitlab.com/ee/user/analytics/value_streams_dashboard.html#dashboard-metrics-and-drill-down-reports).
stage: Plan
self-managed: true
gitlab-com: true
available_in: [Ultimate]
documentation_link: https://docs.gitlab.com/ee/user/group/issues_analytics/index.html
image_url: https://about.gitlab.com/images/16_8/closed_issues_analytics.png
published_at: 2024-01-18
release: 16.8
- name: New organization-level DevOps view with DORA-based industry benchmarks
description: |
We added a new **DORA Performers score** panel to the [Value Streams Dashboard](https://www.youtube.com/watch?v=EA9Sbks27g4) to visualize the status of the organization's DevOps performance across different projects. This new visualization displays a breakdown of the DORA score (high, medium, or low) so that executives can understand the organization's DevOps health top to bottom.
The [four DORA metrics](https://about.gitlab.com/solutions/value-stream-management/dora/#overview) are available out-of-the-box in GitLab, and now with the new DORA scores organizations can compare their DevOps performance against [industry benchmarks](https://dora.dev/) or peers. This benchmarking helps executives understand where they stand in relation to others, and identify best practices or areas where they might be lagging behind.
To help us improve the Value Streams Dashboard, please share feedback about your experience in this [survey](https://gitlab.fra1.qualtrics.com/jfe/form/SV_50guMGNU2HhLeT4).
stage: Plan
self-managed: true
gitlab-com: true
available_in: [Ultimate]
documentation_link: https://docs.gitlab.com/ee/user/analytics/value_streams_dashboard.html#dora-performers-score-panel
image_url: https://about.gitlab.com/images/16_8/16.8_vsd_dora.png
published_at: 2024-01-18
release: 16.8

12
doc/administration/index.md
View File

@ -9,12 +9,10 @@ description: 'Learn how to install, configure, update, and maintain your GitLab
Learn how to administer a self-managed GitLab instance.
- [Get started](../administration/get_started.md)
- [All feature flags](../user/feature_flags.md)
- [Configure your installation](../administration/configure.md)
- [Configure GitLab Dedicated](../administration/dedicated/index.md)
- [Maintain your installation](../administration/operations/index.md)
- [Secure your installation](../security/index.md)
- [Administer users](../user/profile/account/create_accounts.md)
| | | |
|--|--|--|
| [**Get started**](../administration/get_started.md) **{chevron-right}**<br><br>Administration overview. | [**All feature flags**](../user/feature_flags.md) **{chevron-right}**<br><br>Complete list of flags. | [**Authentication and authorization**](../administration/auth/index.md) **{chevron-right}**<br><br>Third-party authentication providers. |
| [**Configure your installation**](../administration/configure.md) **{chevron-right}**<br><br>Installation settings. | [**Update your Admin Area settings**](../administration/settings/index.md) **{chevron-right}**<br><br>Product settings. | [**Configure GitLab Dedicated**](../administration/dedicated/index.md) **{chevron-right}**<br><br>IP allowlists, SAML, maintenance. |
| [**Maintain your installation**](../administration/operations/index.md) **{chevron-right}**<br><br>Backup and restore, move repos, maintenance tasks. | [**Secure your application**](../user/application_security/secure_your_application.md) **{chevron-right}**<br><br>SSH key limits, 2FA, tokens, hardening. | [**Administer users**](../user/profile/account/create_accounts.md) **{chevron-right}**<br><br>Passwords, user moderation, broadcast messages. |
Only GitLab team members have access to administration tools and settings on GitLab.com.

14
doc/architecture/blueprints/permissions/index.md
View File

@ -17,7 +17,7 @@ static [role-based access control system](../../../user/permissions.md#roles).
In %15.9, we [announced](https://about.gitlab.com/blog/2023/03/08/expanding-guest-capabilities-in-gitlab-ultimate/)
a customer MVC of the custom roles feature. The MVC introduced the ability to
add one single permission (`read_code`) to a custom role based on a standard
add one single permission (`read_code`) to a custom role based on a default
GitLab Guest role. The MVC was [implemented](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/106256) by
taking an existing permission from the GitLab authorization framework and
enabling it if a custom role has it set to `true`.
@ -42,7 +42,7 @@ a path for addressing them.
## What are custom roles?
Our permissions system supports 6 pre-defined roles (Guest, Reporter, Developer, Maintainer, Owner) and users are assigned to per project or group, they can't be modified. Custom roles should solve the problem that our current system is static.
Our permissions system supports six default roles (Guest, Reporter, Developer, Maintainer, Owner) and users are assigned to per project or group, they can't be modified. Custom roles should solve the problem that our current system is static.
With custom roles, customers can define their own roles and give them permissions they want to. For every role they create they can assign set of permissions. For example, a newly created role "Engineer" could have `read code` and `admin merge requests` enabled but abilities such as `admin issues` disabled.
@ -139,7 +139,7 @@ Cons:
- Maintaining 2 systems
- Each new "regular" permission added needs a parallel addition to the
custom roles system. This makes it difficult to have feature parity between
custom roles and static roles.
custom roles and default roles.
- Replacing our existing RBAC system with custom roles (an eventual goal of the
custom roles feature) is more difficult with this approach because it requires
retiring the legacy permissions system.
@ -157,16 +157,16 @@ Cons:
enable granular access.
- Each new "regular" permission added needs a parallel addition to the
bundled permissions for custom roles. This makes it difficult to have feature
parity between custom roles and static roles.
parity between custom roles and default roles.
## Glossary
- **RBAC**: Role-based access control; "a method of restricting network access based
on the roles of individual users." RBAC is the method of access control that
GitLab uses.
- **Static roles**: the 5 categories that GitLab users can be grouped into: Guest,
- **Default roles**: the 5 categories that GitLab users can be grouped into: Guest,
Reporter, Developer, Maintainer, Owner ([documentation](../../../user/permissions.md#roles)).
A static role can be thought of as a group of permissions.
A default role can be thought of as a group of permissions.
- **Declarative Policy**: [code library](https://gitlab.com/gitlab-org/ruby/gems/declarative-policy/)
used by GitLab to define our authorization logic.
- **Permissions**: a specific ability that a user with a Role has. For example, a
@ -175,7 +175,7 @@ Cons:
represents a "permission" but these may not have a 1:1 mapping with a Declarative Policy
[ability](https://gitlab.com/gitlab-org/ruby/gems/declarative-policy/-/blob/main/doc/defining-policies.md#invocation).
An ability is how permissions are represented in the GitLab codebase.
- **Access level**: integer value representing a static role, used for determining access and calculating inherited user access in group hierarchies ([documentation](../../../api/access_requests.md#valid-access-levels)).
- **Access level**: integer value representing a default role, used for determining access and calculating inherited user access in group hierarchies ([documentation](../../../api/access_requests.md#valid-access-levels)).
## Resources

38
doc/ci/runners/index.md
View File

@ -38,6 +38,12 @@ When you use SaaS runners:
NOTE:
Jobs handled by SaaS runners on GitLab.com **time out after 3 hours**, regardless of the timeout configured in a project.
## Release cycle for SaaS runner
We aim to update to the latest version of [GitLab Runner](https://docs.gitlab.com/runner/#gitlab-runner-versions) within a week of its release.
You can find all GitLab Runner breaking changes under [Deprecations and removals](../../update/deprecations.md).
## Security for SaaS runners
GitLab SaaS runners on Linux and Windows run on Google Compute Platform.
@ -71,7 +77,7 @@ takes over the task of securely deleting the virtual machine and associated data
## Supported image lifecycle
For runners on macOS and Windows, you can only run jobs on supported images. You cannot bring your own image. Supported images have the following lifecycle:
SaaS runners on macOS and Windows can only run jobs on supported images. You cannot bring your own image. Supported images have the following lifecycle:
- Beta
- Generally Available
@ -100,33 +106,3 @@ Jobs running on GA images are covered by the defined service-level agreement. Ov
A maximum of two Generally Available (GA) images are supported at a time. After a new GA image is released,
the oldest GA image becomes deprecated. A deprecated image is no longer
updated and is deleted after 3 months in accordance with the [deprecation guidelines](../../development/deprecation_guidelines/index.md).
## Major version changes (breaking)
As GitLab CI/CD and Runner have evolved, certain breaking changes have been necessary.
For GitLab 15.0 and later, all breaking changes are documented on the following page:
- [Deprecations and removals](../../update/deprecations.md)
The breaking changes for GitLab Runner in earlier major version releases are:
- 14.0: No breaking changes.
- 13.0:
- [Remove Backported `os.Expand`](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4915).
- [Remove Fedora 29 package support](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/16158).
- [Remove macOS 32-bit support](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/25466).
- [Removed `debug/jobs/list?v=1` endpoint](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/6361).
- [Remove support for array of strings when defining services for Docker executor](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4922).
- [Remove `--docker-services` flag on register command](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/6404).
- [Remove legacy build directory caching](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4180).
- [Remove `FF_USE_LEGACY_VOLUMES_MOUNTING_ORDER` feature flag](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/6581).
- [Remove support for Windows Server 1803](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/6553).
- 12.0:
- [Use `refspec` to clone/fetch Git repository](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4069).
- [Old cache configuration](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4070).
- [Old metrics server configuration](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4072).
- [Remove `FF_K8S_USE_ENTRYPOINT_OVER_COMMAND`](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4073).
- [Remove Linux distributions that reach EOL](https://gitlab.com/gitlab-org/gitlab-runner/-/merge_requests/1130).
- [Update command line API for helper images](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4013).
- [Remove old `git clean` flow](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4175).

10
doc/ci/runners/saas/macos_saas_runner.md
View File

@ -45,14 +45,12 @@ If no image is specified, the macOS runner uses `macos-13-xcode-14`.
## Image update policy for macOS
macOS and Xcode follow a yearly release cadence, during which GitLab increments its versions synchronously. GitLab typically supports multiple versions of preinstalled tools. For more information, see the [full list of preinstalled software](https://gitlab.com/gitlab-org/ci-cd/shared-runners/images/job-images/-/tree/main/toolchain).
The images and installed components are updated with each GitLab release, to keep the preinstalled software up-to-date. GitLab typically supports multiple versions of preinstalled software. For more information, see the [full list of preinstalled software](https://gitlab.com/gitlab-org/ci-cd/shared-runners/images/job-images/-/tree/main/toolchain).
When Apple releases a new macOS version, GitLab releases a new `stable` image based on the OS in the next release,
which is in Beta.
Major and minor releases of macOS and Xcode, are made available within two weeks of Apple's release.
With the release of the first patch to macOS, the `stable` image becomes Generally Available (GA). As only two GA images are supported at a time, the prior OS version becomes deprecated and is deleted after three months in accordance with the [supported image lifecycle](../index.md#supported-image-lifecycle).
The `stable` images and installed components are updated every release, to keep the preinstalled software up-to-date.
A new major release image is initially made available as Beta, and becomes Generally Available (GA) with the release of the first minor release.
Because only two GA images are supported at a time, the oldest image becomes deprecated and will be removed after three months according to the [supported image lifecycle](../index.md#supported-image-lifecycle).
## Example `.gitlab-ci.yml` file

32
doc/ci/runners/saas/windows_saas_runner.md
View File

@ -10,8 +10,7 @@ SaaS runner on Windows autoscale by launching virtual machines on
the Google Cloud Platform. This solution uses an
[autoscaling driver](https://gitlab.com/gitlab-org/ci-cd/custom-executor-drivers/autoscaler/-/blob/main/docs/README.md)
developed by GitLab for the [custom executor](https://docs.gitlab.com/runner/executors/custom.html).
These SaaS runners are in [Beta](../../../policy/experiment-beta-support.md#beta)
SaaS runners on Windows are in [Beta](../../../policy/experiment-beta-support.md#beta)
and aren't recommended for production workloads.
We want to keep iterating to get Windows runners in a stable state and
@ -21,27 +20,27 @@ You can follow our work towards this goal in the
## Machine types available for Windows
| Runner Tag | vCPUs | Memory | Storage |
| ---------------------- | ----- | ------ | ------- |
| `shared-windows` | 2 | 7.5 GB | 75 GB |
| Runner Tag | vCPUs | Memory | Storage |
| --------------------------- | ----- | ------ | ------- |
| `saas-windows-medium-amd64` | 2 | 7.5 GB | 75 GB |
## Supported Windows versions
The Windows runner virtual machine instances do not use the GitLab Docker executor. This means that you can't specify
[`image`](../../../ci/yaml/index.md#image) or [`services`](../../../ci/yaml/index.md#services) in your pipeline configuration.
Instead you have to select the [`tags`](../../../ci/yaml/index.md#tags) for the desired Windows version.
You can execute your job in one of the following Windows versions:
| Version tag | Status |
|----------------|---------------|
| `windows-1809` | `Beta` |
| Version | Status |
|--------------|---------------|
| Windows 2022 | `Beta` |
| Windows 2019 | `Deprecated` (Removal in 17.0) |
You can find a full list of available pre-installed software in
the [pre-installed software documentation](https://gitlab.com/gitlab-org/ci-cd/shared-runners/images/gcp/windows-containers/blob/main/cookbooks/preinstalled-software/README.md).
NOTE:
Each time you run a job that requires tooling or dependencies not available in the base image, those components must be installed to the newly provisioned VM increasing the total job duration.
We are only supporting a single version of Windows at this time.
## Supported shell
@ -53,29 +52,24 @@ The `script` section of your `.gitlab-ci.yml` file therefore requires PowerShell
Below is a sample `.gitlab-ci.yml` file that shows how to start using the runners for Windows:
```yaml
.shared_windows_runners:
.windows_job:
tags:
- shared-windows
- windows-1809
- saas-windows-medium-amd64
before_script:
- Set-Variable -Name "time" -Value (date -Format "%H:%m")
- echo ${time}
- echo "started by ${GITLAB_USER_NAME}"
stages:
- build
- test
build:
extends:
- .shared_windows_runners
- .windows_job
stage: build
script:
- echo "running scripts in the build job"
test:
extends:
- .shared_windows_runners
- .windows_job
stage: test
script:
- echo "running scripts in the test job"

9
doc/development/documentation/styleguide/word_list.md
View File

@ -604,6 +604,10 @@ Instead of:
Do not use **e-mail** with a hyphen. When plural, use **emails** or **email messages**. ([Vale](../testing.md#vale) rule: [`SubstitutionSuggestions.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/.vale/gitlab/SubstitutionSuggestions.yml))
## email address
Use **email address** when referring to addresses used in emails. Do not shorten to **email**, which are messages.
## emoji
Use **emoji** to refer to the plural form of **emoji**.
@ -984,6 +988,11 @@ Thereafter, use **Issue description generation** by itself.
Use lowercase for **issue weights**.
## IP address
Use **IP address** when refering to addresses used with Internet Protocal (IP). Do not refer to an IP address as an
**IP**.
## it
When you use the word **it**, ensure the word it refers to is obvious.

12
doc/development/permissions/custom_roles.md
View File

@ -15,16 +15,16 @@ In this context, the terms "permission" and "ability" are often used interchange
- "Ability" is an action a user can do. These map to [Declarative Policy abilities](https://gitlab.com/gitlab-org/ruby/gems/declarative-policy/-/blob/main/doc/defining-policies.md#rules) and live in Policy classes in `ee/app/policies/*`.
- "Permission" is how we refer to an ability [in user-facing documentation](../../user/permissions.md). The documentation of permissions is manually generated so there is not necessarily a 1:1 mapping of the permissions listed in documentation and the abilities defined in Policy classes.
## Custom roles vs static roles
## Custom roles vs default roles
In GitLab 15.9 and earlier, GitLab only had [static roles](predefined_roles.md) as a permission system. In this system, there are a few predefined roles that are statically assigned to certain abilities. These static roles are not customizable by customers.
In GitLab 15.9 and earlier, GitLab only had [default roles](predefined_roles.md) as a permission system. In this system, there are a few predefined roles that are statically assigned to certain abilities. These default roles are not customizable by customers.
With custom roles, the customers can decide which abilities they want to assign to certain user groups. For example:
- In the static role system, reading of vulnerabilities is limited to a Developer role.
- In the custom role system, a customer can assign this ability to a new custom role based on any static role.
- In the default role system, reading of vulnerabilities is limited to a Developer role.
- In the custom role system, a customer can assign this ability to a new custom role based on any default role.
Like static roles, custom roles are [inherited](../../user/project/members/index.md#inherited-membership) within a group hierarchy. If a user has custom role for a group, that user will also have a custom role for any projects or subgroups within the group.
Like default roles, custom roles are [inherited](../../user/project/members/index.md#inherited-membership) within a group hierarchy. If a user has custom role for a group, that user will also have a custom role for any projects or subgroups within the group.
## Technical overview
@ -34,7 +34,7 @@ Like static roles, custom roles are [inherited](../../user/project/members/index
- A Group or project membership can be associated with any custom role that is defined on the root-level group of the group or project.
- The `member_roles` table includes individual permissions and a `base_access_level` value.
- The `base_access_level` must be a [valid access level](../../api/access_requests.md#valid-access-levels).
The `base_access_level` determines which abilities are included in the custom role. For example, if the `base_access_level` is `10`, the custom role will include any abilities that a static Guest role would receive, plus any additional abilities that are enabled by the `member_roles` record by setting an attribute, such as `read_code`, to true.
The `base_access_level` determines which abilities are included in the custom role. For example, if the `base_access_level` is `10`, the custom role will include any abilities that a default Guest role would receive, plus any additional abilities that are enabled by the `member_roles` record by setting an attribute, such as `read_code`, to true.
- A custom role can enable additional abilities for a `base_access_level` but it cannot disable a permission. As a result, custom roles are "additive only". The rationale for this choice is [in this comment](https://gitlab.com/gitlab-org/gitlab/-/issues/352891#note_1059561579).
- Custom role abilities are supported at project level and group level.

77
doc/security/index.md
View File

@ -7,27 +7,62 @@ info: To determine the technical writer assigned to the Stage/Group associated w
# Secure your installation **(FREE ALL)**
- [Passwords and OAuth tokens storage](password_storage.md)
- [Password length limits](password_length_limits.md)
- [Generated passwords for users created through integrated authentication](passwords_for_integrated_authentication_methods.md)
- [Restrict SSH key technologies and minimum length](ssh_keys_restrictions.md)
- [Rate limits](rate_limits.md)
- [Filtering outbound requests](webhooks.md)
- [Information exclusivity](information_exclusivity.md)
- [Reset user password](reset_user_password.md)
- [Unlock a locked user](unlock_user.md)
- [User File Uploads](user_file_uploads.md)
- [How we manage the CRIME vulnerability](crime_vulnerability.md)
- [Enforce Two-factor authentication](two_factor_authentication.md)
- [Send email confirmation on sign-up](user_email_confirmation.md)
- [Security of running jobs](https://docs.gitlab.com/runner/security/)
- [Proxying images](asset_proxy.md)
- [CI/CD variables](../ci/variables/index.md#cicd-variable-security)
- [Token overview](token_overview.md)
- [Rotate secrets of third-party integrations](rotate_integrations_secrets.md)
- [Maximum decompressed file size for imported archives](../administration/settings/import_and_export_settings.md#maximum-decompressed-file-size-for-imported-archives)
- [Responding to security incidents](responding_to_security_incidents.md)
## General Information
To harden your GitLab instance and minimize the risk of unwanted user account creation, consider access control features like [Sign up restrictions](../administration/settings/sign_up_restrictions.md) and [Authentication options](../administration/auth/index.md). For more detailed information, refer to [Hardening](hardening.md).
This section covers some general information and recommendations regarding the platform.
- [How passwords and OAuth tokens are stored](password_storage.md).
- [How passwords for users created through integrated authentication are generated](passwords_for_integrated_authentication_methods.md).
- [How we manage the CRIME vulnerability](crime_vulnerability.md).
- [Secrets for third-party integrations should be rotated regularly](rotate_integrations_secrets.md).
## Recommendations
The [Hardening Guide](hardening.md) contains additional general recommendations that can be implemented for hardening an install.
### User Accounts
- [Review authentication options](../administration/auth/index.md).
- [Configure password length limits](password_length_limits.md).
- [Restrict SSH key technologies and require minimum key lengths](ssh_keys_restrictions.md).
- [Restrict account creation with sign up restrictions](../administration/settings/sign_up_restrictions.md).
- [Send email confirmation on sign-up](user_email_confirmation.md)
- [Enforce two-factor authentication](two_factor_authentication.md) to require users to [enable two-factor authentication](../user/profile/account/two_factor_authentication.md).
- [Restrict logins from multiple IPs](../administration/reporting/ip_addr_restrictions.md).
- [How to reset a user password](reset_user_password.md).
- [How to unlock a locked user](unlock_user.md).
### Data Access
- [Information exclusivity](information_exclusivity.md).
- [Protecting and removing user file uploads](user_file_uploads.md).
- [Proxying linked images for user privacy](asset_proxy.md).
### Platform Usage & Settings
- [Review GitLab token type and usages](token_overview.md).
- [How to configure rate limits improve security and availability](rate_limits.md).
- [How to filter outbound webhook requests](webhooks.md).
- [How to configure import and export limits and timeouts](../administration/settings/import_and_export_settings.md).
- [Review Runner security considerations and recommendations](https://docs.gitlab.com/runner/security/).
- [Review CI/CD variables security considerations](../ci/variables/index.md#cicd-variable-security).
- [Review pipeline security for usage and protection of secrets in CI/CD Pipelines](../ci/pipelines/pipeline_security.md).
### Patching
Self-managed GitLab customers and administrators are responsible for the security of their underlying hosts, and for keeping GitLab itself up to date. It is important to [regularly patch GitLab](../policy/maintenance.md), patch your operating system and its software, and harden your hosts in accordance with vendor guidance.
## Monitoring
### Logs
- [Review the log types and contents produced by GitLab](../administration/logs/index.md).
- [Review Runner job logs information](../administration/job_logs.md).
- [How to use correlation ID to trace logs](../administration/logs/tracing_correlation_id.md).
- [Logging configuration and access](https://docs.gitlab.com/omnibus/settings/logs.html).
- [How to configure Audit Event Streaming](../administration/audit_event_streaming/index.md).
- [Providing assistance to GitLab.com customers during customer-based security incidents](https://handbook.gitlab.com/handbook/security/customer-requests/#conditions-and-requirements).
## Response
- [Responding to security incidents](responding_to_security_incidents.md).

5
doc/user/permissions.md
View File

@ -16,10 +16,11 @@ GitLab [administrators](../administration/index.md) have all permissions.
## Roles
The available roles are:
You can assign users a default role or a [custom role](custom_roles.md).
The available default roles are:
- Guest (This role applies to [private and internal projects](../user/public_access.md) only.)
- [Custom](custom_roles.md)
- Reporter
- Developer
- Maintainer

3
doc/user/project/repository/branches/index.md
View File

@ -121,6 +121,9 @@ To view and manage your branches in the GitLab user interface:
On this page, you can:
- See all branches, or filter to see only active or stale branches.
A branch is considered active if a commit has been made to it in the last three months.
Otherwise it is considered stale.
- Create new branches.
- [Compare branches](#compare-branches).
- Delete merged branches.

27
lib/backup/manager.rb
View File

@ -264,9 +264,17 @@ module Backup
def build_backup_information
return if @metadata.backup_information
backup_created_at = Time.current
backup_id = if options.backup_id.present?
File.basename(options.backup_id)
else
"#{backup_created_at.strftime('%s_%Y_%m_%d_')}#{Gitlab::VERSION}"
end
@metadata.update(
backup_id: backup_id,
db_version: ActiveRecord::Migrator.current_version.to_s,
backup_created_at: Time.current,
backup_created_at: backup_created_at,
gitlab_version: Gitlab::VERSION,
tar_version: tar_version,
installation_type: Gitlab::INSTALLATION_TYPE,
@ -279,10 +287,18 @@ module Backup
end
def update_backup_information
backup_created_at = Time.current
backup_id = if options.backup_id.present?
File.basename(options.backup_id)
else
"#{backup_created_at.strftime('%s_%Y_%m_%d_')}#{Gitlab::VERSION}"
end
@metadata.update(
backup_id: backup_id,
full_backup_id: full_backup_id,
db_version: ActiveRecord::Migrator.current_version.to_s,
backup_created_at: Time.current,
backup_created_at: backup_created_at,
gitlab_version: Gitlab::VERSION,
tar_version: tar_version,
installation_type: Gitlab::INSTALLATION_TYPE,
@ -511,7 +527,12 @@ module Backup
end
def backup_id
if options.backup_id.present?
# Eventually the backup ID should only be fetched from
# backup_information, but we must have a fallback so that older backups
# can still be used.
if backup_information[:backup_id].present?
backup_information[:backup_id]
elsif options.backup_id.present?
File.basename(options.backup_id)
else
"#{backup_information[:backup_created_at].strftime('%s_%Y_%m_%d_')}#{backup_information[:gitlab_version]}"

1
lib/backup/metadata.rb
View File

@ -28,6 +28,7 @@ module Backup
:repositories_paths, # ENV['REPOSITORIES_PATHS'],
:skip_repositories_paths, # ENV['SKIP_REPOSITORIES_PATHS'],
:repositories_server_side, # Gitlab::Utils.to_boolean(ENV['REPOSITORIES_SERVER_SIDE'], default: false)
:backup_id, # ENV['BACKUP'] or calculated based on backup_created_at and Gitlab::VERSION
:full_backup_id, # full_backup_id,
keyword_init: true
)

2
lib/gitlab/pagination/keyset/order.rb
View File

@ -103,6 +103,8 @@ module Gitlab
nil
elsif lower_named_function?(column_definition)
field_value.downcase
elsif field_value.is_a?(Array)
field_value
else
field_value.to_s
end

3
locale/gitlab.pot
View File

@ -15597,6 +15597,9 @@ msgstr ""
msgid "DORA4Metrics|This is a lower-bound approximation. Your group has too many issues and MRs to calculate in real time."
msgstr ""
msgid "DORA4Metrics|This visualization is not supported for project namespaces."
msgstr ""
msgid "DORA4Metrics|Time to Restore Service"
msgstr ""

10
qa/Rakefile
View File

@ -5,8 +5,9 @@ require_relative "qa"
Dir['tasks/*.rake'].each { |file| load file }
desc "Deletes subgroups within a provided group"
task :delete_subgroups do
QA::Tools::DeleteSubgroups.new.run
task :delete_subgroups, [:delete_before] do |_, args|
args.with_defaults(delete_before: (Date.today - 3).to_s)
QA::Tools::DeleteSubgroups.new(delete_before: args[:delete_before]).run
end
desc "Initialize GitLab with an access token"
@ -50,8 +51,9 @@ task :delete_test_ssh_keys, [:title_portion, :delete_before, :dry_run] do |_, ar
end
desc "Deletes projects directly under the provided group"
task :delete_projects do
QA::Tools::DeleteProjects.new.run
task :delete_projects, [:delete_before] do |_, args|
args.with_defaults(delete_before: (Date.today - 3).to_s)
QA::Tools::DeleteProjects.new(delete_before: args[:delete_before]).run
end
desc "Deletes test users"

15
qa/qa/tools/delete_projects.rb
View File

@ -16,16 +16,18 @@ module QA
include Support::API
include Lib::Project
include Lib::Group
include Ci::Helpers
def initialize
def initialize(delete_before: (Date.today - 3).to_s)
raise ArgumentError, "Please provide GITLAB_ADDRESS environment variable" unless ENV['GITLAB_ADDRESS']
raise ArgumentError, "Please provide GITLAB_QA_ACCESS_TOKEN environment variable" unless ENV['GITLAB_QA_ACCESS_TOKEN']
@api_client = Runtime::API::Client.new(ENV['GITLAB_ADDRESS'], personal_access_token: ENV['GITLAB_QA_ACCESS_TOKEN'])
@delete_before = Date.parse(delete_before)
end
def run
$stdout.puts 'Running...'
logger.info("Running...")
# Fetch group's id
if ENV['CLEANUP_ALL_QA_SANDBOX_GROUPS']
@ -43,14 +45,17 @@ module QA
private
def delete_selected_projects(group_id)
return unless group_id
logger.info("Fetching projects...")
projects_head_response = head Runtime::API::Request.new(@api_client, "/groups/#{group_id}/projects", per_page: "100").url
total_project_pages = projects_head_response.headers[:x_total_pages]
project_ids = fetch_project_ids(group_id, total_project_pages)
$stdout.puts "Number of projects to be deleted: #{project_ids.length}"
logger.info("Number of projects to be deleted: #{project_ids.length}")
delete_projects(project_ids, @api_client) unless project_ids.empty?
$stdout.puts "\nDone"
logger.info("\nDone")
end
def fetch_project_ids(group_id, total_project_pages)
@ -59,7 +64,7 @@ module QA
total_project_pages.to_i.times do |page_no|
projects_response = get Runtime::API::Request.new(@api_client, "/groups/#{group_id}/projects", page: (page_no + 1).to_s, per_page: "100").url
# Do not delete projects that are less than 4 days old (for debugging purposes)
projects_ids.concat(JSON.parse(projects_response.body).select { |project| Date.parse(project["created_at"]) < Date.today - 3 }.pluck("id"))
projects_ids.concat(parse_body(projects_response).select { |project| Date.parse(project[:created_at]) < @delete_before }.pluck(:id))
end
projects_ids.uniq

26
qa/qa/tools/delete_subgroups.rb
View File

@ -23,12 +23,13 @@ module QA
include Ci::Helpers
include Lib::Group
def initialize
def initialize(delete_before: (Date.today - 3).to_s)
raise ArgumentError, "Please provide GITLAB_ADDRESS" unless ENV['GITLAB_ADDRESS']
raise ArgumentError, "Please provide GITLAB_QA_ACCESS_TOKEN" unless ENV['GITLAB_QA_ACCESS_TOKEN']
@api_client = Runtime::API::Client.new(ENV['GITLAB_ADDRESS'], personal_access_token: ENV['GITLAB_QA_ACCESS_TOKEN'])
@failed_deletion_attempts = []
@delete_before = Date.parse(delete_before)
end
def run
@ -47,7 +48,7 @@ module QA
private
def delete_subgroups(group_id)
return logger.info('Top level group not found') if group_id.nil?
return unless group_id
subgroups = fetch_subgroups(group_id)
return logger.info('No subgroups available') if subgroups.empty?
@ -72,8 +73,13 @@ module QA
while page_no.present?
subgroups_response = get Runtime::API::Request.new(@api_client, api_path, page: page_no, per_page: '100').url
# Do not delete subgroups that are less than 4 days old (for debugging purposes)
subgroups.concat(JSON.parse(subgroups_response.body).select { |subgroup| Date.parse(subgroup["created_at"]) < Date.today - 3 })
if subgroups_response.code == HTTP_STATUS_OK
# Do not delete subgroups that are less than 4 days old (for debugging purposes)
subgroups.concat(parse_body(subgroups_response).select { |subgroup| Date.parse(subgroup[:created_at]) < @delete_before })
else
logger.error("Request for subgroups returned (#{subgroups_response.code}): `#{subgroups_response}` ")
end
page_no = subgroups_response.headers[:x_next_page].to_s
end
@ -82,7 +88,7 @@ module QA
end
def subgroup_request(subgroup, **options)
Runtime::API::Request.new(@api_client, "/groups/#{subgroup['id']}", **options).url
Runtime::API::Request.new(@api_client, "/groups/#{subgroup[:id]}", **options).url
end
def process_response_and_subgroup(response, subgroup, opts = {})
@ -91,7 +97,7 @@ module QA
opts[:save_successes_to] << subgroup if opts[:save_successes_to]
else
logger.error("Failed - #{response}\n")
@failed_deletion_attempts << { path: subgroup['full_path'], response: response }
@failed_deletion_attempts << { path: subgroup[:full_path], response: response }
end
end
@ -101,9 +107,9 @@ module QA
logger.info("Marking #{subgroups.length} subgroups for deletion...\n")
subgroups.each do |subgroup|
path = subgroup['full_path']
path = subgroup[:full_path]
if subgroup['marked_for_deletion_on'].nil?
if subgroup[:marked_for_deletion_on].nil?
logger.info("Marking subgroup #{path} for deletion...")
response = delete(subgroup_request(subgroup))
@ -121,7 +127,7 @@ module QA
response = get(subgroup_request(subgroup))
if response.code == 404
logger.info("Subgroup #{subgroup['full_path']} is no longer available\n")
logger.info("Subgroup #{subgroup[:full_path]} is no longer available\n")
false
else
true
@ -132,7 +138,7 @@ module QA
logger.info("Permanently deleting #{subgroups.length} subgroups...\n")
subgroups.each do |subgroup|
path = subgroup['full_path']
path = subgroup[:full_path]
next unless subgroup_exists?(subgroup)

14
qa/qa/tools/delete_user_projects.rb
View File

@ -94,9 +94,9 @@ module QA
total_project_pages.to_i.times do |page_no|
projects_response = get Runtime::API::Request.new(@api_client, "/users/#{user_id}/projects",
page: (page_no + 1).to_s, per_page: "100").url
projects_ids.concat(JSON.parse(projects_response.body)
.select { |project| Date.parse(project["created_at"]) < @delete_before }
.map { |project| project["id"] })
projects_ids.concat(parse_body(projects_response)
.select { |project| Date.parse(project[:created_at]) < @delete_before }
.map { |project| project[:id] })
rescue StandardError => e
logger.error("Failed to fetch projects for user #{user_id}: #{e.message}")
end
@ -123,14 +123,14 @@ module QA
next
end
parsed_response = JSON.parse(user_response.body)
parsed_response = parse_body(user_response)
if parsed_response.empty?
logger.error("User #{qa_username} not found")
next
end
user_ids << parsed_response.first["id"]
user_ids << parsed_response.first[:id]
rescue StandardError => e
logger.error("Failed to fetch user ID for #{qa_username}: #{e.message}")
end
@ -140,8 +140,8 @@ module QA
def fetch_qa_username(user_id)
response = get Runtime::API::Request.new(@api_client, "/users/#{user_id}").url
parsed_response = JSON.parse(response.body)
parsed_response["username"]
parsed_response = parse_body(response)
parsed_response[:username]
end
def set_api_client(token)

6
qa/qa/tools/lib/group.rb
View File

@ -11,8 +11,12 @@ module QA
ENV['TOP_LEVEL_GROUP_NAME'] || "gitlab-qa-sandbox-group-#{Time.now.wday + 1}"
end
logger.info("Fetching group #{group_name}...")
group_search_response = get Runtime::API::Request.new(api_client, "/groups/#{group_name}").url
JSON.parse(group_search_response.body)["id"]
group = parse_body(group_search_response)
group[:id].nil? ? logger.warn("Top level group #{group_name} not found") : group[:id]
end
end
end

26
spec/dot_gitlab_ci/rules_spec.rb Normal file
View File

@ -0,0 +1,26 @@
# frozen_string_literal: true
require 'fast_spec_helper'
RSpec.describe '.gitlab/ci/rules.gitlab-ci.yml', feature_category: :tooling do
config = YAML.load_file(
File.expand_path('../../.gitlab/ci/rules.gitlab-ci.yml', __dir__),
aliases: true
).freeze
context 'with changes' do
config.each do |name, definition|
next unless definition.is_a?(Hash) && definition['rules']
definition['rules'].each do |rule|
next unless rule.is_a?(Hash) && rule['changes']
# See this for why we want to always have if
# https://docs.gitlab.com/ee/development/pipelines/internals.html#avoid-force_gitlab_ci
it "#{name} has corresponding if" do
expect(rule).to include('if')
end
end
end
end
end

5
spec/features/projects/branches/new_branch_ref_dropdown_spec.rb
View File

@ -69,6 +69,11 @@ RSpec.describe 'New Branch Ref Dropdown', :js, feature_category: :source_code_ma
expect(toggle).not_to have_content(non_existing_ref)
end
it 'passes accessibility tests' do
click_button 'master'
expect(page).to be_axe_clean.within('.ref-selector')
end
def item(ref_name)
find('li', text: ref_name, match: :prefer_exact)
end

23
spec/lib/backup/manager_spec.rb
View File

@ -608,6 +608,7 @@ RSpec.describe Backup::Manager, feature_category: :backup_restore do
expect(Kernel).not_to have_received(:system).with(*pack_tar_cmdline)
expect(subject.send(:backup_information).to_h).to include(
backup_id: backup_id,
backup_created_at: backup_time.localtime,
db_version: be_a(String),
gitlab_version: Gitlab::VERSION,
@ -1035,6 +1036,28 @@ RSpec.describe Backup::Manager, feature_category: :backup_restore do
expect(FileUtils).to have_received(:rm_rf).with(File.join(Gitlab.config.backup.path, 'tmp'))
end
context 'backup information mismatches' do
let(:backup_id) { 'pineapple' }
let(:backup_information) do
{
backup_id: backup_id,
backup_created_at: Time.zone.parse('2019-01-01'),
gitlab_version: gitlab_version
}
end
it 'unpacks the BACKUP specified file but uses the backup information backup ID' do
expect(task1).to receive(:restore).with(File.join(Gitlab.config.backup.path, 'lfs.tar.gz'), backup_id)
expect(task2).to receive(:restore).with(File.join(Gitlab.config.backup.path, 'pages.tar.gz'), backup_id)
subject.restore
expect(Kernel).to have_received(:system).with(*tar_cmdline)
expect(FileUtils).to have_received(:rm_rf).with(File.join(Gitlab.config.backup.path, 'backup_information.yml'))
expect(FileUtils).to have_received(:rm_rf).with(File.join(Gitlab.config.backup.path, 'tmp'))
end
end
context 'tar fails' do
before do
expect(Kernel).to receive(:system).with(*tar_cmdline).and_return(false)

28
spec/lib/gitlab/pagination/keyset/order_spec.rb
View File

@ -635,6 +635,34 @@ RSpec.describe Gitlab::Pagination::Keyset::Order do
end
end
end
context 'when the cursor attribute is an array' do
let(:model) { Group.new(traversal_ids: [1, 2]) }
let(:scope) { Group.order(traversal_ids: :asc) }
let(:order) do
described_class.build(
[
Gitlab::Pagination::Keyset::ColumnOrderDefinition.new(
attribute_name: 'traversal_ids',
order_expression: Group.arel_table['traversal_ids'].asc,
nullable: :not_nullable,
distinct: true
)
])
end
describe '#cursor_attributes_for_node' do
subject { order.cursor_attributes_for_node(model) }
it { is_expected.to eq({ traversal_ids: [1, 2] }.with_indifferent_access) }
end
describe '#apply_cursor_conditions' do
subject(:sql) { order.apply_cursor_conditions(scope, { 'traversal_ids' => [1, 2] }).to_sql }
it { is_expected.to include('"namespaces"."traversal_ids" > \'{1,2}\')') }
end
end
end
end

4
spec/models/ci/catalog/resource_spec.rb
View File

@ -227,7 +227,7 @@ RSpec.describe Ci::Catalog::Resource, feature_category: :pipeline_composition do
end
end
describe 'synchronizing denormalized columns with `projects` table', :sidekiq_inline do
describe 'synchronizing denormalized columns with `projects` table using SyncEvents processing', :sidekiq_inline do
let_it_be_with_reload(:project) { create(:project, name: 'Test project', description: 'Test description') }
context 'when the catalog resource is created' do
@ -272,7 +272,7 @@ RSpec.describe Ci::Catalog::Resource, feature_category: :pipeline_composition do
end
end
describe '#update_latest_released_at! triggered in model callbacks' do
describe 'updating latest_released_at using model callbacks' do
let_it_be(:project) { create(:project) }
let_it_be(:resource) { create(:ci_catalog_resource, project: project) }

48
spec/models/ci/catalog/resources/version_spec.rb
View File

@ -119,29 +119,6 @@ RSpec.describe Ci::Catalog::Resources::Version, type: :model, feature_category:
end
end
describe '#update_catalog_resource' do
let_it_be(:release) { create(:release, project: project1, tag: 'v1') }
let(:version) { build(:ci_catalog_resource_version, catalog_resource: resource1, release: release) }
context 'when a version is created' do
it 'calls update_catalog_resource' do
expect(version).to receive(:update_catalog_resource).once
version.save!
end
end
context 'when a version is destroyed' do
it 'calls update_catalog_resource' do
version.save!
expect(version).to receive(:update_catalog_resource).once
version.destroy!
end
end
end
describe '#name' do
it 'is equivalent to release.tag' do
v1_0.release.update!(name: 'Release v1.0')
@ -172,4 +149,29 @@ RSpec.describe Ci::Catalog::Resources::Version, type: :model, feature_category:
expect(v1_1.readme.data).to include('Readme v1.1')
end
end
describe 'synchronizing released_at with `releases` table using model callbacks' do
let_it_be(:project) { create(:project) }
let_it_be(:resource) { create(:ci_catalog_resource, project: project) }
let_it_be_with_reload(:release) do
create(:release, :with_catalog_resource_version, project: project, tag: 'v1', released_at: '2023-01-01T00:00:00Z')
end
let(:version) { release.catalog_resource_version }
context 'when the version is created' do
it 'updates released_at to match the release' do
expect(version.read_attribute(:released_at)).to eq(release.released_at)
end
end
context 'when release.released_at is updated' do
it 'updates released_at to match the release' do
release.update!(released_at: '2023-02-02T00:00:00Z')
expect(version.read_attribute(:released_at)).to eq(release.released_at)
end
end
end
end

63
spec/models/release_spec.rb
View File

@ -104,42 +104,6 @@ RSpec.describe Release, feature_category: :release_orchestration do
end
end
describe '#update_catalog_resource' do
let_it_be(:project) { create(:project) }
let_it_be_with_refind(:release) { create(:release, project: project, author: user) }
context 'when the project is a catalog resource' do
before_all do
create(:ci_catalog_resource, project: project)
end
context 'when released_at is updated' do
it 'calls update_catalog_resource' do
expect(release).to receive(:update_catalog_resource).once
release.update!(released_at: release.released_at + 1.day)
end
end
context 'when the release is destroyed' do
it 'calls update_catalog_resource' do
expect(release).to receive(:update_catalog_resource).once
release.destroy!
end
end
end
context 'when the project is not a catalog resource' do
it 'does not call update_catalog_resource' do
expect(release).not_to receive(:update_catalog_resource)
release.update!(released_at: release.released_at + 1.day)
release.destroy!
end
end
end
describe 'tagged' do
# We only test for empty string since there's a not null constraint at the database level
it 'does not return the tagless release' do
@ -402,4 +366,31 @@ RSpec.describe Release, feature_category: :release_orchestration do
it { expect(release.milestone_titles).to eq("#{milestone_1.title}, #{milestone_2.title}") }
end
describe 'updating catalog resource version' do
let_it_be(:project) { create(:project) }
let_it_be(:resource) { create(:ci_catalog_resource, project: project) }
let_it_be_with_reload(:release) do
create(:release, :with_catalog_resource_version, project: project, tag: 'v1', released_at: '2023-01-01T00:00:00Z')
end
let(:version) { release.catalog_resource_version }
context 'when released_at has changed' do
it 'calls sync_with_release! on the catalog resource version' do
expect(version).to receive(:sync_with_release!).once
release.update!(released_at: '2023-02-02T00:00:00Z')
end
end
context 'when released_at has not changed' do
it 'does not call sync_with_release! on the catalog resource version' do
expect(version).not_to receive(:sync_with_release!)
release.update!(released_at: '2023-01-01T00:00:00Z')
end
end
end
end

4
spec/tooling/quality/test_level_spec.rb
View File

@ -46,7 +46,7 @@ RSpec.describe Quality::TestLevel, feature_category: :tooling do
context 'when level is unit' do
it 'returns a pattern' do
expect(subject.pattern(:unit))
.to eq("spec/{bin,channels,components,config,contracts,db,dependencies,elastic,elastic_integration,experiments,factories,finders,frontend,graphql,haml_lint,helpers,initializers,keeps,lib,metrics_server,models,policies,presenters,rack_servers,replicators,routing,rubocop,scripts,serializers,services,sidekiq,sidekiq_cluster,spam,support_specs,tasks,uploaders,validators,views,workers,tooling}{,/**/}*_spec.rb")
.to eq("spec/{bin,channels,components,config,contracts,db,dependencies,elastic,elastic_integration,experiments,factories,finders,frontend,graphql,haml_lint,helpers,initializers,keeps,lib,metrics_server,models,policies,presenters,rack_servers,replicators,routing,rubocop,scripts,serializers,services,sidekiq,sidekiq_cluster,spam,support_specs,tasks,uploaders,validators,views,workers,tooling,dot_gitlab_ci}{,/**/}*_spec.rb")
end
end
@ -121,7 +121,7 @@ RSpec.describe Quality::TestLevel, feature_category: :tooling do
context 'when level is unit' do
it 'returns a regexp' do
expect(subject.regexp(:unit))
.to eq(%r{spec/(bin|channels|components|config|contracts|db|dependencies|elastic|elastic_integration|experiments|factories|finders|frontend|graphql|haml_lint|helpers|initializers|keeps|lib|metrics_server|models|policies|presenters|rack_servers|replicators|routing|rubocop|scripts|serializers|services|sidekiq|sidekiq_cluster|spam|support_specs|tasks|uploaders|validators|views|workers|tooling)/})
.to eq(%r{spec/(bin|channels|components|config|contracts|db|dependencies|elastic|elastic_integration|experiments|factories|finders|frontend|graphql|haml_lint|helpers|initializers|keeps|lib|metrics_server|models|policies|presenters|rack_servers|replicators|routing|rubocop|scripts|serializers|services|sidekiq|sidekiq_cluster|spam|support_specs|tasks|uploaders|validators|views|workers|tooling|dot_gitlab_ci)/})
end
end

1
spec/views/devise/shared/_signup_box.html.haml_spec.rb
View File

@ -26,6 +26,7 @@ RSpec.describe 'devise/shared/_signup_box' do
allow(view).to receive(:terms_path).and_return(terms_path)
allow(view).to receive(:button_text).and_return(button_text)
allow(view).to receive(:signup_username_data_attributes).and_return({})
allow(view).to receive(:tracking_label).and_return('')
stub_template 'devise/shared/_error_messages.html.haml' => ''
end

4
tests.yml
View File

@ -37,6 +37,10 @@ mapping:
- source: 'rubocop/(.+)\.rb'
test: 'spec/rubocop/%s_spec.rb'
# .gitlab/ci related specs
- source: '.gitlab/ci/(.+)\.gitlab-ci\.yml'
test: 'spec/dot_gitlab_ci/%s_spec.rb'
# Initializers should map to respective spec
- source: 'config/initializers/(.+)\.rb'
test: 'spec/initializers/%s_spec.rb'

3
tooling/quality/test_level.rb
View File

@ -56,7 +56,8 @@ module Quality
views
workers
tooling
],
dot_gitlab_ci
], # ^ tooling and dot_gitlab_ci might be worth to move to another level
integration: %w[
commands
controllers

4
workhorse/cmd/gitlab-zip-metadata/main.go
View File

@ -26,7 +26,7 @@ func main() {
os.Exit(0)
}
if len(os.Args) != 2 {
if len(flag.Args()) != 1 {
fmt.Fprintf(os.Stderr, "Usage: %s FILE.ZIP\n", progName)
os.Exit(1)
}
@ -44,7 +44,7 @@ func main() {
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
archive, err := zipartifacts.OpenArchiveWithReaderFunc(ctx, os.Args[1], readerFunc)
archive, err := zipartifacts.OpenArchiveWithReaderFunc(ctx, flag.Args()[0], readerFunc)
if err != nil {
fatalError(err)
}

8
workhorse/internal/config/config.go
View File

@ -156,8 +156,14 @@ var DefaultImageResizerConfig = ImageResizerConfig{
MaxFilesize: 250 * 1000, // 250kB,
}
func NewDefaultConfig() *Config {
return &Config{
ImageResizerConfig: DefaultImageResizerConfig,
}
}
func LoadConfig(data string) (*Config, error) {
cfg := &Config{ImageResizerConfig: DefaultImageResizerConfig}
cfg := NewDefaultConfig()
if _, err := toml.Decode(data, cfg); err != nil {
return nil, err

6
workhorse/internal/config/config_test.go
View File

@ -190,3 +190,9 @@ alt_document_root = "/path/to/documents"
require.Equal(t, "/path/to/documents", cfg.AltDocumentRoot)
}
func TestDefaultConfig(t *testing.T) {
cfg := NewDefaultConfig()
require.Equal(t, uint64(250000), cfg.ImageResizerConfig.MaxFilesize)
}

3
workhorse/main.go
View File

@ -72,7 +72,8 @@ type alreadyPrintedError struct{ error }
// of type alreadyPrintedError it has already been printed.
func buildConfig(arg0 string, args []string) (*bootConfig, *config.Config, error) {
boot := &bootConfig{}
cfg := &config.Config{Version: Version}
cfg := config.NewDefaultConfig()
cfg.Version = Version
fset := flag.NewFlagSet(arg0, flag.ContinueOnError)
fset.Usage = func() {
fmt.Fprintf(fset.Output(), "Usage of %s:\n", arg0)

12
workhorse/main_test.go
View File

@ -772,12 +772,12 @@ func testAuthServer(t *testing.T, url *regexp.Regexp, params url.Values, code in
}
func newUpstreamConfig(authBackend string) *config.Config {
return &config.Config{
Version: "123",
DocumentRoot: testDocumentRoot,
Backend: helper.URLMustParse(authBackend),
ImageResizerConfig: config.DefaultImageResizerConfig,
}
defaultConfig := config.NewDefaultConfig()
defaultConfig.Version = "123"
defaultConfig.DocumentRoot = testDocumentRoot
defaultConfig.Backend = helper.URLMustParse(authBackend)
return defaultConfig
}
func startWorkhorseServer(authBackend string) *httptest.Server {