Add latest changes from gitlab-org/gitlab@master

GitLab Bot 2025-05-27 21:11:53 +00:00
parent d4e9ba0deb
commit ddcfba97da
84 changed files with 1413 additions and 753 deletions


@ -496,6 +496,22 @@ GitlabSecurity/PublicSend:
- 'ee/lib/**/*.rake'
- 'ee/spec/**/*'
Gitlab/DeprecatedAuditEventService:
Enabled: true
Exclude:
- 'ee/app/services/ee/audit_event_service.rb'
- 'ee/app/services/ee/applications/create_service.rb'
- 'ee/app/services/audit_events/release_audit_event_service.rb'
- 'ee/app/services/ee/keys/create_service.rb'
- 'ee/app/services/ee/users/migrate_records_to_ghost_user_service.rb'
- 'ee/spec/features/admin/admin_audit_logs_spec.rb'
- 'ee/spec/controllers/groups/omniauth_callbacks_controller_spec.rb'
- 'ee/spec/services/audit_event_service_spec.rb'
- 'ee/lib/gitlab/auth/group_saml/membership_updater.rb'
- 'app/controllers/sessions_controller.rb'
- 'app/services/audit_event_service.rb'
- 'spec/services/audit_event_service_spec.rb'
Database/MultipleDatabases:
Enabled: true
Exclude:


@ -78,3 +78,4 @@ export const FREQUENTLY_VISITED_GROUPS_HANDLE = 'FREQUENTLY_VISITED_GROUPS_HANDL
export const GROUPS_GROUP_HANDLE = 'Groups';
export const PROJECTS_GROUP_HANDLE = 'Projects';
export const USER_CATEGORY_VALUE = 'Users';


@ -2,7 +2,8 @@
import { GlAvatar, GlIcon } from '@gitlab/ui';
import SafeHtml from '~/vue_shared/directives/safe_html';
import highlight from '~/lib/utils/highlight';
import { AVATAR_SHAPE_OPTION_RECT } from '~/vue_shared/constants';
import { AVATAR_SHAPE_OPTION_RECT, AVATAR_SHAPE_OPTION_CIRCLE } from '~/vue_shared/constants';
import { USER_CATEGORY_VALUE } from './constants';
export default {
name: 'CommandPaletteSearchItem',
@ -27,8 +28,14 @@ export default {
highlightedName() {
return highlight(this.item.text, this.searchQuery);
},
avatarShape() {
return this.item.category === USER_CATEGORY_VALUE
? this.$options.AVATAR_SHAPE_OPTION_CIRCLE
: this.$options.AVATAR_SHAPE_OPTION_RECT;
},
},
AVATAR_SHAPE_OPTION_RECT,
AVATAR_SHAPE_OPTION_CIRCLE,
};
</script>
@ -40,13 +47,14 @@ export default {
:src="item.avatar_url"
:entity-id="item.entity_id"
:entity-name="item.entity_name"
:size="item.avatar_size"
:shape="$options.AVATAR_SHAPE_OPTION_RECT"
:size="16"
:shape="avatarShape"
aria-hidden="true"
/>
<gl-icon v-if="item.icon" class="gl-mr-3 gl-shrink-0" :name="item.icon" />
<span class="gl-flex gl-w-full gl-min-w-0 gl-flex-col">
<span class="gl-flex gl-min-w-0 gl-items-center gl-gap-2">
<span v-safe-html="highlightedName" class="gl-truncate gl-text-strong"></span>
<span class="gl-text-subtle" aria-hidden="true">·</span>
<span
v-if="item.namespace"
v-safe-html="item.namespace"
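Review bot: The new separator `<span class="gl-text-subtle" aria-hidden="true">·</span>` is rendered unconditionally, while the namespace span that follows it is guarded by `v-if="item.namespace"`, so an item without a namespace would show a trailing "·". Gating the separator on the same condition, `<span v-if="item.namespace" class="gl-text-subtle" aria-hidden="true">·</span>`, keeps the two in step. The same pattern appears in the frequent-item template (separator with no `v-if` before `v-if="item.subtitle"`). In the global search autocomplete template the separator is gated on `item.avatar_url !== undefined` but the namespace span on `item.value`. The namespace span continues past the end of this hunk, so its full markup is not visible here.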


@ -27,12 +27,13 @@ export default {
:project-id="item.id"
:project-name="item.title"
:project-avatar-url="item.avatar"
:size="32"
:size="16"
aria-hidden="true"
/>
<div class="gl-grow gl-truncate">
{{ item.title }}
<div class="gl-flex gl-flex-row gl-items-center gl-gap-2 gl-truncate">
<span class="gl-truncate"> {{ item.title }} </span>
<span class="gl-text-subtle" aria-hidden="true">·</span>
<div
v-if="item.subtitle"
data-testid="subtitle"


@ -9,9 +9,8 @@ export default {
</script>
<template>
<gl-skeleton-loader :width="737" :height="48">
<rect width="24" height="24" y="12" x="8" />
<rect width="120" height="12" y="10" x="36" />
<rect width="100" height="12" y="26" x="36" />
<gl-skeleton-loader :width="737" :height="40">
<rect width="20" height="20" y="12" x="8" :rx="4" />
<rect width="30%" height="12" y="16" x="40" :rx="4" />
</gl-skeleton-loader>
</template>


@ -1,6 +1,5 @@
<script>
import { GlDisclosureDropdownGroup, GlDisclosureDropdownItem, GlIcon } from '@gitlab/ui';
import { truncateNamespace } from '~/lib/utils/text_utility';
import { joinPaths } from '~/lib/utils/url_utility';
import { TRACKING_UNKNOWN_PANEL } from '~/super_sidebar/constants';
import { TRACKING_CLICK_COMMAND_PALETTE_ITEM, OVERLAY_GOTO } from '../command_palette/constants';
@ -77,7 +76,7 @@ export default {
forRenderer: {
id: item.id,
title: item.name,
subtitle: truncateNamespace(item.namespace),
subtitle: item.namespace,
avatar: item.avatarUrl,
},
}));
@ -121,7 +120,7 @@ export default {
<gl-disclosure-dropdown-item key="all" :item="viewAllItem" class="show-focus-layover">
<template #list-item>
<search-result-focus-layover :text-message="$options.i18n.OVERLAY_GOTO">
<gl-icon :name="viewAllItemsIcon" class="!gl-w-6" />
<gl-icon :name="viewAllItemsIcon" class="!gl-w-5 gl-text-subtle" />
{{ viewAllItemsText }}
</search-result-focus-layover>
</template>


@ -12,7 +12,7 @@ import { s__ } from '~/locale';
import { InternalEvents } from '~/tracking';
import SafeHtml from '~/vue_shared/directives/safe_html';
import highlight from '~/lib/utils/highlight';
import { AVATAR_SHAPE_OPTION_RECT } from '~/vue_shared/constants';
import { AVATAR_SHAPE_OPTION_RECT, AVATAR_SHAPE_OPTION_CIRCLE } from '~/vue_shared/constants';
import {
AUTOCOMPLETE_ERROR_MESSAGE,
NO_SEARCH_RESULTS,
@ -76,6 +76,8 @@ export default {
directives: {
SafeHtml,
},
AVATAR_SHAPE_OPTION_RECT,
AVATAR_SHAPE_OPTION_CIRCLE,
mixins: [trackingMixin],
computed: {
...mapState(['search', 'loading', 'autocompleteError']),
@ -174,7 +176,6 @@ export default {
return groupName;
},
},
AVATAR_SHAPE_OPTION_RECT,
};
</script>
@ -211,16 +212,23 @@ export default {
:src="item.avatar_url"
:entity-id="item.entity_id"
:entity-name="item.entity_name"
:size="item.avatar_size"
:shape="$options.AVATAR_SHAPE_OPTION_RECT"
:size="16"
:shape="
group.name === $options.i18n.USERS_GROUP_TITLE
? $options.AVATAR_SHAPE_OPTION_CIRCLE
: $options.AVATAR_SHAPE_OPTION_RECT
"
aria-hidden="true"
/>
<span class="gl-flex gl-min-w-0 gl-grow gl-flex-col">
<span class="gl-flex gl-flex-row gl-items-center gl-gap-2 gl-truncate">
<span
v-safe-html="highlightedName(item.text)"
class="gl-truncate gl-text-strong"
data-testid="autocomplete-item-name"
></span>
<span v-if="item.avatar_url !== undefined" class="gl-text-subtle" aria-hidden="true"
>·</span
>
<span
v-if="item.value"
v-safe-html="item.namespace"
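Review bot: The avatar shape is chosen by an inline template ternary that compares `group.name` with `$options.i18n.USERS_GROUP_TITLE`, which looks like a display string; if that title is translated or reworded, the comparison silently falls back to the rectangular shape. The command palette component in this same commit makes the decision in a computed `avatarShape` keyed on the `USER_CATEGORY_VALUE` constant. Using the same approach here would keep the two consistent, for example a method called as `:shape="avatarShape(group)"` that compares against a non-translated identifier. The literal `:size="16"` is also repeated in three templates in this commit and would read better as one shared constant. The markup continues past the end of this hunk.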


@ -99,10 +99,7 @@ export default {
>
<template #list-item>
<search-result-focus-layover :text-message="$options.i18n.OVERLAY_SEARCH">
<gl-icon
name="search-results"
class="-gl-mt-2 gl-mr-2 gl-shrink-0 gl-pt-2 gl-text-subtle"
/>
<gl-icon name="search-results" class="gl-mr-2 gl-shrink-0 gl-text-subtle" />
<span class="gl-grow">
{{ item.scopeName }}
</span>


@ -549,6 +549,7 @@ class ProjectsController < Projects::ApplicationController
:template_project_id,
:merge_method,
:initialize_with_sast,
:initialize_with_secret_detection,
:initialize_with_readme,
:ci_separated_caches,
:suggestion_commit_message,


@ -8,12 +8,15 @@ class MergeRequestDiff < ApplicationRecord
include Gitlab::Utils::StrongMemoize
include BulkInsertableAssociations
include ShaAttribute
include ObjectStorable
ignore_columns %i[
id_convert_to_bigint
merge_request_id_convert_to_bigint
], remove_with: '18.3', remove_after: '2025-07-17'
STORE_COLUMN = :external_diff_store
# Don't display more than 100 commits at once
COMMITS_SAFE_SIZE = 100
BATCH_SIZE = 1000


@ -13,6 +13,7 @@ module Projects
@params = params.dup
@skip_wiki = @params.delete(:skip_wiki)
@initialize_with_sast = Gitlab::Utils.to_boolean(@params.delete(:initialize_with_sast))
@initialize_with_secret_detection = Gitlab::Utils.to_boolean(@params.delete(:initialize_with_secret_detection))
@initialize_with_readme = Gitlab::Utils.to_boolean(@params.delete(:initialize_with_readme))
@import_data = @params.delete(:import_data)
@relations_block = @params.delete(:relations_block)
@ -147,6 +148,7 @@ module Projects
create_readme if @initialize_with_readme
create_sast_commit if @initialize_with_sast
create_secret_detection_commit if @initialize_with_secret_detection
publish_event
end
@ -213,6 +215,13 @@ module Projects
::Security::CiConfiguration::SastCreateService.new(@project, current_user, { initialize_with_sast: true }, commit_on_default: true).execute
end
def create_secret_detection_commit
params = { initialize_with_secret_detection: true }
params[:sast_also_enabled] = true if @initialize_with_sast
::Security::CiConfiguration::SecretDetectionCreateService.new(@project, current_user, params, commit_on_default: true).execute
end
def execute_hooks
system_hook_service.execute_hooks_for(@project, :create)
end
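Review bot: `create_secret_detection_commit` discards whatever `SecretDetectionCreateService#execute` returns, so if the configuration commit fails the project is still created and the user who ticked "Enable Secret Detection" gets no signal that the scanner was not set up. The neighbouring `create_sast_commit` has the same shape. For a security control that the user explicitly opted into, the result should at least be inspected and a failure logged, for example by assigning `result = ...execute` and recording the error; the exact return type is not visible in this hunk, so confirm it against `BaseCreateService`. Separately, when `sast_also_enabled` is set this second commit is labelled "Configure SAST and Secret Detection" although it runs after the SAST commit has already been made. It is worth confirming that the message matches what the commit actually changes.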


@ -14,7 +14,9 @@ module Security
end
def execute
if project.repository.empty? && !(@params && @params[:initialize_with_sast])
if project.repository.empty? &&
!(@params && (@params[:initialize_with_sast] ||
@params[:initialize_with_secret_detection]))
docs_link = ActionController::Base.helpers.link_to(
_('add at least one file to the repository'),
Rails.application.routes.url_helpers.help_page_url(
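Review bot: The empty-repository guard in `execute` is now a three-line negated expression that has to be extended for every scanner allowed to bypass it, which makes it easy to widen the bypass by accident. Moving the test into a small private predicate would keep the condition readable as `if project.repository.empty? && !initializing_scanner_config?`, with the predicate checking `@params` for `:initialize_with_sast` or `:initialize_with_secret_detection` and carrying a one-line comment on why these flags may skip the check. The body of `execute` continues past the end of this hunk.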


@ -3,11 +3,27 @@
module Security
module CiConfiguration
class SecretDetectionCreateService < ::Security::CiConfiguration::BaseCreateService
attr_reader :params
def initialize(project, current_user, params = {}, commit_on_default: false)
super(project, current_user)
@params = params
@sast_also_enabled = @params.delete(:sast_also_enabled)
@commit_on_default = commit_on_default
@branch_name = project.default_branch if @commit_on_default
end
private
def remove_branch_on_exception
super unless @commit_on_default
end
def action
Security::CiConfiguration::SecretDetectionBuildAction.new(
project.auto_devops_enabled?,
params,
existing_gitlab_ci_content,
project.ci_config_path
).generate
@ -18,7 +34,11 @@ module Security
end
def message
_('Configure Secret Detection in `.gitlab-ci.yml`, creating this file if it does not already exist')
if @sast_also_enabled
_('Configure SAST and Secret Detection in `.gitlab-ci.yml`, creating this file if it does not already exist')
else
_('Configure Secret Detection in `.gitlab-ci.yml`, creating this file if it does not already exist')
end
end
def description
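Review bot: `initialize` stores the caller's hash directly (`@params = params`) and then calls `@params.delete(:sast_also_enabled)`, so the hash passed in by `Projects::CreateService` is mutated as a side effect of constructing the service. Copying first, `@params = params.dup`, keeps the removal local and makes it safe to reuse the hash or pass a frozen one. A short comment on `remove_branch_on_exception` would also help, for example `# Never delete the branch on failure when committing straight to the default branch`, since that override is what stops a failed run from removing the default branch. The class body continues past the end of this hunk.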


@ -92,6 +92,15 @@
= s_('ProjectsNew|Analyze your source code for known security vulnerabilities.')
= link_to _('Learn more.'), help_page_path('user/application_security/sast/_index.md'), target: '_blank', rel: 'noopener noreferrer', data: { track_action: 'followed' }
.form-group
= render Pajamas::CheckboxTagComponent.new(name: 'project[initialize_with_secret_detection]',
checkbox_options: { data: { testid: 'initialize-with-secret-detection-checkbox' } }) do |c|
- c.with_label do
= s_('ProjectsNew|Enable Secret Detection')
- c.with_help_text do
= s_('ProjectsNew|Scan your code for secrets and credentials to prevent unauthorized access.')
= link_to _('Learn more.'), help_page_path('user/application_security/secret_detection/_index.md'), target: '_blank', rel: 'noopener noreferrer'
- if display_sha256_repository
#js-experimental-setting-accordion.form-group.gl-mb-6
= render Pajamas::AccordionItemComponent.new(title: s_("ProjectsNew|Experimental settings"), state: :closed) do


@ -1,9 +0,0 @@
---
name: track_sidekiq_concurrency_limit_execution
feature_issue_url: https://gitlab.com/gitlab-com/gl-infra/data-access/durability/team/-/issues/135
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/188415
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/527022
milestone: '18.0'
group: group::durability
type: gitlab_com_derisk
default_enabled: false


@ -67,7 +67,7 @@ If you are signed in with auditor access, you:
you can push commits or comment on issues.
- Can access the same resources using the GitLab UI or API.
- Can't view the **Admin** area, or perform any administration actions.
- Can't view job logs when [debug logging](../ci/variables/_index.md#enable-debug-logging) is enabled.
- Can't view job logs when [debug logging](../ci/variables/variables_troubleshooting.md#enable-debug-logging) is enabled.
## Maintain auditor users using API


@ -2,6 +2,7 @@
stage: Software Supply Chain Security
group: Authentication
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
gitlab_dedicated: no
title: Integrate LDAP with GitLab
---


@ -2,6 +2,7 @@
stage: Software Supply Chain Security
group: Authentication
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
gitlab_dedicated: no
title: LDAP synchronization
---


@ -2,6 +2,7 @@
stage: Tenant Scale
group: Geo
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
gitlab_dedicated: no
title: Automatic background verification
---


@ -2,6 +2,7 @@
stage: Tenant Scale
group: Geo
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
gitlab_dedicated: no
title: Supported Geo data types
---


@ -2,6 +2,7 @@
stage: Tenant Scale
group: Geo
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
gitlab_dedicated: no
title: Geo Frequently Asked Questions
---


@ -2,6 +2,7 @@
stage: Tenant Scale
group: Geo
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
gitlab_dedicated: no
title: Geo validation tests
---


@ -2,6 +2,7 @@
stage: Tenant Scale
group: Geo
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
gitlab_dedicated: no
title: Geo with Object storage
---


@ -2,6 +2,7 @@
stage: Tenant Scale
group: Geo
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
gitlab_dedicated: no
title: Tuning Geo
---


@ -2,6 +2,7 @@
stage: Tenant Scale
group: Geo
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
gitlab_dedicated: no
title: Geo sites Admin area
---


@ -2,6 +2,7 @@
stage: Plan
group: Project Management
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
gitlab_dedicated: no
title: Incoming email
---


@ -2,6 +2,7 @@
stage: Plan
group: Project Management
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
gitlab_dedicated: no
title: Mailgun
---


@ -2,6 +2,7 @@
stage: Create
group: Source Code
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
gitlab_dedicated: no
description: Configure PlantUML integration with GitLab Self-Managed.
title: PlantUML
---


@ -2,6 +2,7 @@
stage: none
group: unassigned
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
gitlab_dedicated: no
title: Health check
---


@ -2,6 +2,7 @@
stage: Systems
group: Cloud Connector
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
gitlab_dedicated: no
title: GitLab Performance Monitoring
---


@ -2,6 +2,7 @@
stage: GitLab Delivery
group: Self Managed
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
gitlab_dedicated: no
title: Object storage
---


@ -2,6 +2,7 @@
stage: Create
group: Source Code
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
gitlab_dedicated: no
description: Configure a faster SSH authorization method for GitLab instances with many users.
title: Fast lookup of SSH keys
---


@ -2,6 +2,7 @@
stage: Software Supply Chain Security
group: Authentication
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
gitlab_dedicated: no
title: LDAP Rake tasks
---


@ -2,6 +2,7 @@
stage: Data Access
group: Gitaly
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
gitlab_dedicated: no
title: Repository storage
---


@ -2,6 +2,7 @@
stage: Tenant Scale
group: Organizations
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
gitlab_dedicated: no
title: LDAP group links
---


@ -26,7 +26,7 @@ for that feature:
- [Caching](caching/_index.md#troubleshooting).
- [CI/CD job tokens](jobs/ci_job_token.md#troubleshooting).
- [Container registry](../user/packages/container_registry/troubleshoot_container_registry.md).
- [Docker](docker/using_docker_build.md#troubleshooting).
- [Docker](docker/docker_build_troubleshooting.md).
- [Downstream pipelines](pipelines/downstream_pipelines_troubleshooting.md).
- [Environments](environments/_index.md#troubleshooting).
- [GitLab Runner](https://docs.gitlab.com/runner/faq/).
@ -37,9 +37,9 @@ for that feature:
[merged results pipelines](pipelines/merged_results_pipelines.md#troubleshooting),
and [merge trains](pipelines/merge_trains.md#troubleshooting).
- [Pipeline editor](pipeline_editor/_index.md#troubleshooting).
- [Variables](variables/_index.md#troubleshooting).
- [Variables](variables/variables_troubleshooting.md).
- [YAML `includes` keyword](yaml/includes.md#troubleshooting).
- [YAML `script` keyword](yaml/script.md#troubleshooting).
- [YAML `script` keyword](yaml/script_troubleshooting.md).
## Debugging techniques
@ -122,7 +122,7 @@ pipeline, and what their values are. A lot of pipeline configuration is dependen
on variables, and verifying them is one of the fastest ways to find the source of
a problem.
[Export the full list of variables](variables/_index.md#list-all-variables)
[Export the full list of variables](variables/variables_troubleshooting.md#list-all-variables)
available in each problematic job. Check if the variables you expect are present,
and check if their values are what you expect.


@ -0,0 +1,205 @@
---
stage: Verify
group: Pipeline Execution
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
title: Troubleshooting Docker Build
---
## Error: `docker: Cannot connect to the Docker daemon at tcp://docker:2375`
This error is common when you are using [Docker-in-Docker](using_docker_build.md#use-docker-in-docker)
v19.03 or later:
```plaintext
docker: Cannot connect to the Docker daemon at tcp://docker:2375. Is the docker daemon running?
```
This error occurs because Docker starts on TLS automatically.
- If this is your first time setting it up, see
[use the Docker executor with the Docker image](using_docker_build.md#use-docker-in-docker).
- If you are upgrading from v18.09 or earlier, see the
[upgrade guide](https://about.gitlab.com/blog/2019/07/31/docker-in-docker-with-docker-19-dot-03/).
This error can also occur with the [Kubernetes executor](https://docs.gitlab.com/runner/executors/kubernetes/#using-dockerdind) when attempts are made to access the Docker-in-Docker service before it has fully started up. For a more detailed explanation, see [issue 27215](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27215).
## Docker `no such host` error
You might get an error that says
`docker: error during connect: Post https://docker:2376/v1.40/containers/create: dial tcp: lookup docker on x.x.x.x:53: no such host`.
This issue can occur when the service's image name
[includes a registry hostname](../services/_index.md#available-settings-for-services). For example:
```yaml
default:
image: docker:24.0.5
services:
- registry.hub.docker.com/library/docker:24.0.5-dind
```
A service's hostname is [derived from the full image name](../services/_index.md#accessing-the-services).
However, the shorter service hostname `docker` is expected.
To allow service resolution and access, add an explicit alias for the service name `docker`:
```yaml
default:
image: docker:24.0.5
services:
- name: registry.hub.docker.com/library/docker:24.0.5-dind
alias: docker
```
## Error: `Cannot connect to the Docker daemon at unix:///var/run/docker.sock`
You might get the following error when trying to run a `docker` command
to access a `dind` service:
```shell
$ docker ps
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
```
Make sure your job has defined these environment variables:
- `DOCKER_HOST`
- `DOCKER_TLS_CERTDIR` (optional)
- `DOCKER_TLS_VERIFY` (optional)
You may also want to update the image that provides the Docker
client. For example, the [`docker/compose` images are obsolete](https://hub.docker.com/r/docker/compose) and should be
replaced with [`docker`](https://hub.docker.com/_/docker).
As described in [runner issue 30944](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/30944#note_1514250909),
this error can happen if your job previously relied on environment variables derived from the deprecated
[Docker `--link` parameter](https://docs.docker.com/network/links/#environment-variables),
such as `DOCKER_PORT_2375_TCP`. Your job fails with this error if:
- Your CI/CD image relies on a legacy variable, such as `DOCKER_PORT_2375_TCP`.
- The [runner feature flag `FF_NETWORK_PER_BUILD`](https://docs.gitlab.com/runner/configuration/feature-flags.html) is set to `true`.
- `DOCKER_HOST` is not explicitly set.
## Error: `unauthorized: incorrect username or password`
This error appears when you use the deprecated variable, `CI_BUILD_TOKEN`:
```plaintext
Error response from daemon: Get "https://registry-1.docker.io/v2/": unauthorized: incorrect username or password
```
To prevent users from receiving this error, you should:
- Use [CI_JOB_TOKEN](../jobs/ci_job_token.md) instead.
- Change from `gitlab-ci-token/CI_BUILD_TOKEN` to `$CI_REGISTRY_USER/$CI_REGISTRY_PASSWORD`.
## Error during connect: `no such host`
This error appears when the `dind` service has failed to start:
```plaintext
error during connect: Post "https://docker:2376/v1.24/auth": dial tcp: lookup docker on 127.0.0.11:53: no such host
```
Check the job log to see if `mount: permission denied (are you root?)`
appears. For example:
```plaintext
Service container logs:
2023-08-01T16:04:09.541703572Z Certificate request self-signature ok
2023-08-01T16:04:09.541770852Z subject=CN = docker:dind server
2023-08-01T16:04:09.556183222Z /certs/server/cert.pem: OK
2023-08-01T16:04:10.641128729Z Certificate request self-signature ok
2023-08-01T16:04:10.641173149Z subject=CN = docker:dind client
2023-08-01T16:04:10.656089908Z /certs/client/cert.pem: OK
2023-08-01T16:04:10.659571093Z ip: can't find device 'ip_tables'
2023-08-01T16:04:10.660872131Z modprobe: can't change directory to '/lib/modules': No such file or directory
2023-08-01T16:04:10.664620455Z mount: permission denied (are you root?)
2023-08-01T16:04:10.664692175Z Could not mount /sys/kernel/security.
2023-08-01T16:04:10.664703615Z AppArmor detection and --privileged mode might break.
2023-08-01T16:04:10.665952353Z mount: permission denied (are you root?)
```
This indicates the GitLab Runner does not have permission to start the
`dind` service:
1. Check that `privileged = true` is set in the `config.toml`.
1. Make sure the CI job has the right Runner tags to use these
privileged runners.
## Error: `cgroups: cgroup mountpoint does not exist: unknown`
There is a known incompatibility introduced by Docker Engine 20.10.
When the host uses Docker Engine 20.10 or later, then the `docker:dind` service in a version older than 20.10 does
not work as expected.
While the service itself will start without problems, trying to build the container image results in the error:
```plaintext
cgroups: cgroup mountpoint does not exist: unknown
```
To resolve this issue, update the `docker:dind` container to version at least 20.10.x,
for example `docker:24.0.5-dind`.
The opposite configuration (`docker:24.0.5-dind` service and Docker Engine on the host in version
19.06.x or older) works without problems. For the best strategy, you should to frequently test and update
job environment versions to the newest. This brings new features, improved security and - for this specific
case - makes the upgrade on the underlying Docker Engine on the runner's host transparent for the job.
## Error: `failed to verify certificate: x509: certificate signed by unknown authority`
This error can appear when Docker commands like `docker build` or `docker pull` are executed in a Docker-in-Docker
environment where custom or private certificates are used (for example, Zscaler certificates):
```plaintext
error pulling image configuration: download failed after attempts=6: tls: failed to verify certificate: x509: certificate signed by unknown authority
```
This error occurs because Docker commands in a Docker-in-Docker environment
use two separate containers:
- The **build container** runs the Docker client (`/usr/bin/docker`) and executes your job's script commands.
- The **service container** (often named `svc`) runs the Docker daemon that processes most Docker commands.
When your organization uses custom certificates, both containers need these certificates.
Without proper certificate configuration in both containers, Docker operations that connect to external
registries or services will fail with certificate errors.
To resolve this issue:
1. Store your root certificate as a [CI/CD variable](../variables/_index.md#define-a-cicd-variable-in-the-ui) named `CA_CERTIFICATE`.
The certificate should be in this format:
```plaintext
-----BEGIN CERTIFICATE-----
(certificate content)
-----END CERTIFICATE-----
```
1. Configure your pipeline to install the certificate in the service container before starting the Docker daemon. For example:
```yaml
image_build:
stage: build
image:
name: docker:19.03
variables:
DOCKER_HOST: tcp://localhost:2375
DOCKER_TLS_CERTDIR: ""
CA_CERTIFICATE: "$CA_CERTIFICATE"
services:
- name: docker:19.03-dind
command:
- /bin/sh
- -c
- |
echo "$CA_CERTIFICATE" > /usr/local/share/ca-certificates/custom-ca.crt && \
update-ca-certificates && \
dockerd-entrypoint.sh || exit
script:
- docker info
- docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD $DOCKER_REGISTRY
- docker build -t "${DOCKER_REGISTRY}/my-app:${CI_COMMIT_REF_NAME}" .
- docker push "${DOCKER_REGISTRY}/my-app:${CI_COMMIT_REF_NAME}"
```


@ -801,204 +801,3 @@ If you are using GitLab Runner Operator deployed to an OpenShift cluster, try th
After you've built a Docker image, you can push it to the
[GitLab container registry](../../user/packages/container_registry/build_and_push_images.md#use-gitlab-cicd).
## Troubleshooting
### Error: `docker: Cannot connect to the Docker daemon at tcp://docker:2375`
This error is common when you are using [Docker-in-Docker](#use-docker-in-docker)
v19.03 or later:
```plaintext
docker: Cannot connect to the Docker daemon at tcp://docker:2375. Is the docker daemon running?
```
This error occurs because Docker starts on TLS automatically.
- If this is your first time setting it up, see
[use the Docker executor with the Docker image](#use-docker-in-docker).
- If you are upgrading from v18.09 or earlier, see the
[upgrade guide](https://about.gitlab.com/blog/2019/07/31/docker-in-docker-with-docker-19-dot-03/).
This error can also occur with the [Kubernetes executor](https://docs.gitlab.com/runner/executors/kubernetes/#using-dockerdind) when attempts are made to access the Docker-in-Docker service before it has fully started up. For a more detailed explanation, see [issue 27215](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27215).
### Docker `no such host` error
You might get an error that says
`docker: error during connect: Post https://docker:2376/v1.40/containers/create: dial tcp: lookup docker on x.x.x.x:53: no such host`.
This issue can occur when the service's image name
[includes a registry hostname](../services/_index.md#available-settings-for-services). For example:
```yaml
default:
image: docker:24.0.5
services:
- registry.hub.docker.com/library/docker:24.0.5-dind
```
A service's hostname is [derived from the full image name](../services/_index.md#accessing-the-services).
However, the shorter service hostname `docker` is expected.
To allow service resolution and access, add an explicit alias for the service name `docker`:
```yaml
default:
image: docker:24.0.5
services:
- name: registry.hub.docker.com/library/docker:24.0.5-dind
alias: docker
```
### Error: `Cannot connect to the Docker daemon at unix:///var/run/docker.sock`
You might get the following error when trying to run a `docker` command
to access a `dind` service:
```shell
$ docker ps
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
```
Make sure your job has defined these environment variables:
- `DOCKER_HOST`
- `DOCKER_TLS_CERTDIR` (optional)
- `DOCKER_TLS_VERIFY` (optional)
You may also want to update the image that provides the Docker
client. For example, the [`docker/compose` images are obsolete](https://hub.docker.com/r/docker/compose) and should be
replaced with [`docker`](https://hub.docker.com/_/docker).
As described in [runner issue 30944](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/30944#note_1514250909),
this error can happen if your job previously relied on environment variables derived from the deprecated
[Docker `--link` parameter](https://docs.docker.com/network/links/#environment-variables),
such as `DOCKER_PORT_2375_TCP`. Your job fails with this error if:
- Your CI/CD image relies on a legacy variable, such as `DOCKER_PORT_2375_TCP`.
- The [runner feature flag `FF_NETWORK_PER_BUILD`](https://docs.gitlab.com/runner/configuration/feature-flags.html) is set to `true`.
- `DOCKER_HOST` is not explicitly set.
### Error: `unauthorized: incorrect username or password`
This error appears when you use the deprecated variable, `CI_BUILD_TOKEN`:
```plaintext
Error response from daemon: Get "https://registry-1.docker.io/v2/": unauthorized: incorrect username or password
```
To prevent users from receiving this error, you should:
- Use [CI_JOB_TOKEN](../jobs/ci_job_token.md) instead.
- Change from `gitlab-ci-token/CI_BUILD_TOKEN` to `$CI_REGISTRY_USER/$CI_REGISTRY_PASSWORD`.
### Error during connect: `no such host`
This error appears when the `dind` service has failed to start:
```plaintext
error during connect: Post "https://docker:2376/v1.24/auth": dial tcp: lookup docker on 127.0.0.11:53: no such host
```
Check the job log to see if `mount: permission denied (are you root?)`
appears. For example:
```plaintext
Service container logs:
2023-08-01T16:04:09.541703572Z Certificate request self-signature ok
2023-08-01T16:04:09.541770852Z subject=CN = docker:dind server
2023-08-01T16:04:09.556183222Z /certs/server/cert.pem: OK
2023-08-01T16:04:10.641128729Z Certificate request self-signature ok
2023-08-01T16:04:10.641173149Z subject=CN = docker:dind client
2023-08-01T16:04:10.656089908Z /certs/client/cert.pem: OK
2023-08-01T16:04:10.659571093Z ip: can't find device 'ip_tables'
2023-08-01T16:04:10.660872131Z modprobe: can't change directory to '/lib/modules': No such file or directory
2023-08-01T16:04:10.664620455Z mount: permission denied (are you root?)
2023-08-01T16:04:10.664692175Z Could not mount /sys/kernel/security.
2023-08-01T16:04:10.664703615Z AppArmor detection and --privileged mode might break.
2023-08-01T16:04:10.665952353Z mount: permission denied (are you root?)
```
This indicates the GitLab Runner does not have permission to start the
`dind` service:
1. Check that `privileged = true` is set in the `config.toml`.
1. Make sure the CI job has the right Runner tags to use these
privileged runners.
### Error: `cgroups: cgroup mountpoint does not exist: unknown`
There is a known incompatibility introduced by Docker Engine 20.10.
When the host uses Docker Engine 20.10 or later, then the `docker:dind` service in a version older than 20.10 does
not work as expected.
While the service itself will start without problems, trying to build the container image results in the error:
```plaintext
cgroups: cgroup mountpoint does not exist: unknown
```
To resolve this issue, update the `docker:dind` container to version at least 20.10.x,
for example `docker:24.0.5-dind`.
The opposite configuration (`docker:24.0.5-dind` service and Docker Engine on the host in version
19.06.x or older) works without problems. For the best strategy, you should to frequently test and update
job environment versions to the newest. This brings new features, improved security and - for this specific
case - makes the upgrade on the underlying Docker Engine on the runner's host transparent for the job.
### Error: `failed to verify certificate: x509: certificate signed by unknown authority`
This error can appear when Docker commands like `docker build` or `docker pull` are executed in a Docker-in-Docker
environment where custom or private certificates are used (for example, Zscaler certificates):
```plaintext
error pulling image configuration: download failed after attempts=6: tls: failed to verify certificate: x509: certificate signed by unknown authority
```
This error occurs because Docker commands in a Docker-in-Docker environment
use two separate containers:
- The **build container** runs the Docker client (`/usr/bin/docker`) and executes your job's script commands.
- The **service container** (often named `svc`) runs the Docker daemon that processes most Docker commands.
When your organization uses custom certificates, both containers need these certificates.
Without proper certificate configuration in both containers, Docker operations that connect to external
registries or services will fail with certificate errors.
To resolve this issue:
1. Store your root certificate as a [CI/CD variable](../variables/_index.md#define-a-cicd-variable-in-the-ui) named `CA_CERTIFICATE`.
The certificate should be in this format:
```plaintext
-----BEGIN CERTIFICATE-----
(certificate content)
-----END CERTIFICATE-----
```
1. Configure your pipeline to install the certificate in the service container before starting the Docker daemon. For example:
```yaml
image_build:
stage: build
image:
name: docker:19.03
variables:
DOCKER_HOST: tcp://localhost:2375
DOCKER_TLS_CERTDIR: ""
CA_CERTIFICATE: "$CA_CERTIFICATE"
services:
- name: docker:19.03-dind
command:
- /bin/sh
- -c
- |
echo "$CA_CERTIFICATE" > /usr/local/share/ca-certificates/custom-ca.crt && \
update-ca-certificates && \
dockerd-entrypoint.sh || exit
script:
- docker info
- docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD $DOCKER_REGISTRY
- docker build -t "${DOCKER_REGISTRY}/my-app:${CI_COMMIT_REF_NAME}" .
- docker push "${DOCKER_REGISTRY}/my-app:${CI_COMMIT_REF_NAME}"
```


@ -38,7 +38,7 @@ the path to the file is incorrect, or the file was not created. You can check th
log for other errors or warnings that specify the filename and why it wasn't
generated.
For more detailed job logs, you can [enable CI/CD debug logging](../variables/_index.md#enable-debug-logging)
For more detailed job logs, you can [enable CI/CD debug logging](../variables/variables_troubleshooting.md#enable-debug-logging)
and try the job again. This logging might provide more information about why the file
wasn't created.


@ -44,7 +44,7 @@ To create and use an SSH key in GitLab CI/CD:
In the following example, the `ssh-add -` command does not display the value of
`$SSH_PRIVATE_KEY` in the job log, though it could be exposed if you enable
[debug logging](../variables/_index.md#enable-debug-logging). You might also want to
[debug logging](../variables/variables_troubleshooting.md#enable-debug-logging). You might also want to
check the [visibility of your pipelines](../pipelines/settings.md#change-which-users-can-view-your-pipelines).
## SSH keys when using the Docker executor


@ -1026,261 +1026,3 @@ When the runner executes the job:
- You can [pass CI/CD variables to downstream pipelines](../pipelines/downstream_pipelines.md#pass-cicd-variables-to-a-downstream-pipeline).
Use [`trigger:forward` keyword](../yaml/_index.md#triggerforward) to specify what type of variables
to pass to the downstream pipeline.
## Troubleshooting
### List all variables
You can list all variables available to a script with the `export` command
in Bash or `dir env:` in PowerShell. This exposes the values of **all** available
variables, which can be a [security risk](#cicd-variable-security).
[Masked variables](#mask-a-cicd-variable) display as `[MASKED]`.
For example, with Bash:
```yaml
job_name:
script:
- export
```
Example job log output (truncated):
```shell
export CI_JOB_ID="50"
export CI_COMMIT_SHA="1ecfd275763eff1d6b4844ea3168962458c9f27a"
export CI_COMMIT_SHORT_SHA="1ecfd275"
export CI_COMMIT_REF_NAME="main"
export CI_REPOSITORY_URL="https://gitlab-ci-token:[MASKED]@example.com/gitlab-org/gitlab.git"
export CI_COMMIT_TAG="1.0.0"
export CI_JOB_NAME="spec:other"
export CI_JOB_STAGE="test"
export CI_JOB_MANUAL="true"
export CI_JOB_TRIGGERED="true"
export CI_JOB_TOKEN="[MASKED]"
export CI_PIPELINE_ID="1000"
export CI_PIPELINE_IID="10"
export CI_PAGES_DOMAIN="gitlab.io"
export CI_PAGES_URL="https://gitlab-org.gitlab.io/gitlab"
export CI_PROJECT_ID="34"
export CI_PROJECT_DIR="/builds/gitlab-org/gitlab"
export CI_PROJECT_NAME="gitlab"
export CI_PROJECT_TITLE="GitLab"
...
```
### Enable debug logging
{{< alert type="warning" >}}
Debug logging can be a serious security risk. The output contains the content of
all variables available to the job. The output is uploaded to the
GitLab server and visible in job logs.
{{< /alert >}}
You can use debug logging to help troubleshoot problems with pipeline configuration
or job scripts. Debug logging exposes job execution details that are usually hidden
by the runner and makes job logs more verbose. It also exposes all variables and secrets
available to the job.
Before you enable debug logging, make sure only team members
can view job logs. You should also [delete job logs](../jobs/_index.md#view-jobs-in-a-pipeline)
with debug output before you make logs public again.
To enable debug logging, set the `CI_DEBUG_TRACE` variable to `true`:
```yaml
job_name:
variables:
CI_DEBUG_TRACE: "true"
```
Example output (truncated):
```plaintext
...
export CI_SERVER_TLS_CA_FILE="/builds/gitlab-examples/ci-debug-trace.tmp/CI_SERVER_TLS_CA_FILE"
if [[ -d "/builds/gitlab-examples/ci-debug-trace/.git" ]]; then
echo $'\''\x1b[32;1mFetching changes...\x1b[0;m'\''
$'\''cd'\'' "/builds/gitlab-examples/ci-debug-trace"
$'\''git'\'' "config" "fetch.recurseSubmodules" "false"
$'\''rm'\'' "-f" ".git/index.lock"
$'\''git'\'' "clean" "-ffdx"
$'\''git'\'' "reset" "--hard"
$'\''git'\'' "remote" "set-url" "origin" "https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@example.com/gitlab-examples/ci-debug-trace.git"
$'\''git'\'' "fetch" "origin" "--prune" "+refs/heads/*:refs/remotes/origin/*" "+refs/tags/*:refs/tags/lds"
++ CI_BUILDS_DIR=/builds
++ export CI_PROJECT_DIR=/builds/gitlab-examples/ci-debug-trace
++ CI_PROJECT_DIR=/builds/gitlab-examples/ci-debug-trace
++ export CI_CONCURRENT_ID=87
++ CI_CONCURRENT_ID=87
++ export CI_CONCURRENT_PROJECT_ID=0
++ CI_CONCURRENT_PROJECT_ID=0
++ export CI_SERVER=yes
++ CI_SERVER=yes
++ mkdir -p /builds/gitlab-examples/ci-debug-trace.tmp
++ echo -n '-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----'
++ export CI_SERVER_TLS_CA_FILE=/builds/gitlab-examples/ci-debug-trace.tmp/CI_SERVER_TLS_CA_FILE
++ CI_SERVER_TLS_CA_FILE=/builds/gitlab-examples/ci-debug-trace.tmp/CI_SERVER_TLS_CA_FILE
++ export CI_PIPELINE_ID=52666
++ CI_PIPELINE_ID=52666
++ export CI_PIPELINE_URL=https://gitlab.com/gitlab-examples/ci-debug-trace/pipelines/52666
++ CI_PIPELINE_URL=https://gitlab.com/gitlab-examples/ci-debug-trace/pipelines/52666
++ export CI_JOB_ID=7046507
++ CI_JOB_ID=7046507
++ export CI_JOB_URL=https://gitlab.com/gitlab-examples/ci-debug-trace/-/jobs/379424655
++ CI_JOB_URL=https://gitlab.com/gitlab-examples/ci-debug-trace/-/jobs/379424655
++ export CI_JOB_TOKEN=[MASKED]
++ CI_JOB_TOKEN=[MASKED]
++ export CI_REGISTRY_USER=gitlab-ci-token
++ CI_REGISTRY_USER=gitlab-ci-token
++ export CI_REGISTRY_PASSWORD=[MASKED]
++ CI_REGISTRY_PASSWORD=[MASKED]
++ export CI_REPOSITORY_URL=https://gitlab-ci-token:[MASKED]@gitlab.com/gitlab-examples/ci-debug-trace.git
++ CI_REPOSITORY_URL=https://gitlab-ci-token:[MASKED]@gitlab.com/gitlab-examples/ci-debug-trace.git
++ export CI_JOB_NAME=debug_trace
++ CI_JOB_NAME=debug_trace
++ export CI_JOB_STAGE=test
++ CI_JOB_STAGE=test
++ export CI_NODE_TOTAL=1
++ CI_NODE_TOTAL=1
++ export CI=true
++ CI=true
++ export GITLAB_CI=true
++ GITLAB_CI=true
++ export CI_SERVER_URL=https://gitlab.com:3000
++ CI_SERVER_URL=https://gitlab.com:3000
++ export CI_SERVER_HOST=gitlab.com
++ CI_SERVER_HOST=gitlab.com
++ export CI_SERVER_PORT=3000
++ CI_SERVER_PORT=3000
++ export CI_SERVER_SHELL_SSH_HOST=gitlab.com
++ CI_SERVER_SHELL_SSH_HOST=gitlab.com
++ export CI_SERVER_SHELL_SSH_PORT=22
++ CI_SERVER_SHELL_SSH_PORT=22
++ export CI_SERVER_PROTOCOL=https
++ CI_SERVER_PROTOCOL=https
++ export CI_SERVER_NAME=GitLab
++ CI_SERVER_NAME=GitLab
++ export GITLAB_FEATURES=audit_events,burndown_charts,code_owners,contribution_analytics,description_diffs,elastic_search,group_bulk_edit,group_burndown_charts,group_webhooks,issuable_default_templates,issue_weights,jenkins_integration,ldap_group_sync,member_lock,merge_request_approvers,multiple_issue_assignees,multiple_ldap_servers,multiple_merge_request_assignees,protected_refs_for_users,push_rules,related_issues,repository_mirrors,repository_size_limit,scoped_issue_board,usage_quotas,wip_limits,admin_audit_log,auditor_user,batch_comments,blocking_merge_requests,board_assignee_lists,board_milestone_lists,ci_cd_projects,cluster_deployments,code_analytics,code_owner_approval_required,commit_committer_check,cross_project_pipelines,custom_file_templates,custom_file_templates_for_namespace,custom_project_templates,custom_prometheus_metrics,cycle_analytics_for_groups,db_load_balancing,default_project_deletion_protection,dependency_proxy,deploy_board,design_management,email_additional_text,extended_audit_events,external_authorization_service_api_management,feature_flags,file_locks,geo,github_integration,group_allowed_email_domains,group_project_templates,group_saml,issues_analytics,jira_dev_panel_integration,ldap_group_sync_filter,merge_pipelines,merge_request_performance_metrics,merge_trains,metrics_reports,multiple_approval_rules,multiple_group_issue_boards,object_storage,operations_dashboard,packages,productivity_analytics,project_aliases,protected_environments,reject_unsigned_commits,required_ci_templates,scoped_labels,service_desk,smartcard_auth,group_timelogs,type_of_work_analytics,unprotection_restrictions,ci_project_subscriptions,container_scanning,dast,dependency_scanning,epics,group_ip_restriction,incident_management,insights,license_management,personal_access_token_expiration_policy,pod_logs,prometheus_alerts,report_approver_rules,sast,security_dashboard,tracing,web_ide_terminal
++ GITLAB_FEATURES=audit_events,burndown_charts,code_owners,contribution_analytics,description_diffs,elastic_search,group_bulk_edit,group_burndown_charts,group_webhooks,issuable_default_templates,issue_weights,jenkins_integration,ldap_group_sync,member_lock,merge_request_approvers,multiple_issue_assignees,multiple_ldap_servers,multiple_merge_request_assignees,protected_refs_for_users,push_rules,related_issues,repository_mirrors,repository_size_limit,scoped_issue_board,usage_quotas,wip_limits,admin_audit_log,auditor_user,batch_comments,blocking_merge_requests,board_assignee_lists,board_milestone_lists,ci_cd_projects,cluster_deployments,code_analytics,code_owner_approval_required,commit_committer_check,cross_project_pipelines,custom_file_templates,custom_file_templates_for_namespace,custom_project_templates,custom_prometheus_metrics,cycle_analytics_for_groups,db_load_balancing,default_project_deletion_protection,dependency_proxy,deploy_board,design_management,email_additional_text,extended_audit_events,external_authorization_service_api_management,feature_flags,file_locks,geo,github_integration,group_allowed_email_domains,group_project_templates,group_saml,issues_analytics,jira_dev_panel_integration,ldap_group_sync_filter,merge_pipelines,merge_request_performance_metrics,merge_trains,metrics_reports,multiple_approval_rules,multiple_group_issue_boards,object_storage,operations_dashboard,packages,productivity_analytics,project_aliases,protected_environments,reject_unsigned_commits,required_ci_templates,scoped_labels,service_desk,smartcard_auth,group_timelogs,type_of_work_analytics,unprotection_restrictions,ci_project_subscriptions,cluster_health,container_scanning,dast,dependency_scanning,epics,group_ip_restriction,incident_management,insights,license_management,personal_access_token_expiration_policy,pod_logs,prometheus_alerts,report_approver_rules,sast,security_dashboard,tracing,web_ide_terminal
++ export CI_PROJECT_ID=17893
++ CI_PROJECT_ID=17893
++ export CI_PROJECT_NAME=ci-debug-trace
++ CI_PROJECT_NAME=ci-debug-trace
...
```
#### Access to debug logging
Access to debug logging is restricted to [users with at least the Developer role](../../user/permissions.md#cicd). Users with a lower role cannot see the logs when debug logging is enabled with a variable in:
- The [`.gitlab-ci.yml` file](#define-a-cicd-variable-in-the-gitlab-ciyml-file).
- The CI/CD variables set in the GitLab UI.
{{< alert type="warning" >}}
If you add `CI_DEBUG_TRACE` as a local variable to runners, debug logs generate and are visible
to all users with access to job logs. The permission levels are not checked by the runner,
so you should only use the variable in GitLab itself.
{{< /alert >}}
### "argument list too long"
This issue occurs when the combined length of all CI/CD variables defined for a job exceeds the limit imposed by the
shell where the job executes. This includes the names and values of pre-defined and user defined variables. This limit
is typically referred to as `ARG_MAX`, and is shell and operating system dependent. This issue also occurs when the
content of a single [File-type](#use-file-type-cicd-variables) variable exceeds `ARG_MAX`.
For more information, see [issue 392406](https://gitlab.com/gitlab-org/gitlab/-/issues/392406#note_1414219596).
As a workaround you can either:
- Use [File-type](#use-file-type-cicd-variables) CI/CD variables for large environment variables where possible.
- If a single large variable is larger than `ARG_MAX`, try using [Secure Files](../secure_files/_index.md), or
bring the file to the job through some other mechanism.
### `Insufficient permissions to set pipeline variables` error for a downstream pipeline
When triggering a downstream pipeline, you might get this error unexpectedly:
```plaintext
Failed - (downstream pipeline can not be created, Insufficient permissions to set pipeline variables)
```
This error occurs when a downstream project has [restricted pipeline variables](#restrict-pipeline-variables) and the trigger job either:
- Has variables defined. For example:
```yaml
trigger-job:
variables:
VAR_FOR_DOWNSTREAM: "test"
trigger: my-group/my-project
```
- Receives variables from [default variables](../yaml/_index.md#default-variables) defined in a top-level `variables` section. For example:
```yaml
variables:
DEFAULT_VAR: "test"
trigger-job:
trigger: my-group/my-project
```
Variables passed to a downstream pipeline in a trigger job are [pipeline variables](#use-pipeline-variables),
so the workaround is to either:
- Remove the `variables` defined in the trigger job to avoid passing variables.
- [Prevent default variables from being passed to the downstream pipeline](../pipelines/downstream_pipelines.md#prevent-default-variables-from-being-passed).
### Default variable doesn't expand in job variable of the same name
You cannot use a default variable's value in a job variable of the same name. A default variable
is only made available to a job when the job does not have a variable defined with the same name.
If the job has a variable with the same name, the job's variable takes precedence
and the default variable is not available in the job.
For example, these two samples are equivalent:
- In this sample, `$MY_VAR` has no value because it's not defined anywhere:
```yaml
Job-with-variable:
variables:
MY_VAR: $MY_VAR
script: echo "Value is '$MY_VAR'"
```
- In this sample, `$MY_VAR` has no value because the default variable with the same name
is not available in the job:
```yaml
variables:
MY_VAR: "Default value"
Job-with-same-name-variable:
variables:
MY_VAR: $MY_VAR
script: echo "Value is '$MY_VAR'"
```
In both cases, the echo command outputs `Value is '$MY_VAR'`.
In general, you should use the default variable directly in a job rather than reassigning its value to a new variable.
If you need to do this, use variables with different names instead. For example:
```yaml
variables:
MY_VAR1: "Default value1"
MY_VAR2: "Default value2"
overwrite-same-name:
variables:
MY_VAR2_FROM_DEFAULTS: $MY_VAR2
script: echo "Values are '$MY_VAR1' and '$MY_VAR2_FROM_DEFAULTS'"
```


@ -62,7 +62,7 @@ Predefined variables become available at three different phases of pipeline exec
| `CI_CONCURRENT_ID` | Job-only | The unique ID of build execution in a single executor. |
| `CI_CONCURRENT_PROJECT_ID` | Job-only | The unique ID of build execution in a single executor and project. |
| `CI_CONFIG_PATH` | Pre-pipeline | The path to the CI/CD configuration file. Defaults to `.gitlab-ci.yml`. |
| `CI_DEBUG_TRACE` | Pipeline | `true` if [debug logging (tracing)](_index.md#enable-debug-logging) is enabled. |
| `CI_DEBUG_TRACE` | Pipeline | `true` if [debug logging (tracing)](variables_troubleshooting.md#enable-debug-logging) is enabled. |
| `CI_DEBUG_SERVICES` | Pipeline | `true` if [service container logging](../services/_index.md#capturing-service-container-logs) is enabled. Introduced in GitLab 15.7. Requires GitLab Runner 15.7. |
| `CI_DEFAULT_BRANCH` | Pre-pipeline | The name of the project's default branch. |
| `CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX` | Pre-pipeline | The direct group image prefix for pulling images through the Dependency Proxy. |
@ -271,5 +271,5 @@ as [job-only predefined variables](#variable-availability):
## Troubleshooting
You can [output the values of all variables available for a job](_index.md#list-all-variables)
You can [output the values of all variables available for a job](variables_troubleshooting.md#list-all-variables)
with a `script` command.


@ -0,0 +1,262 @@
---
stage: Verify
group: Pipeline Authoring
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
title: Troubleshooting CI/CD variables
---
## List all variables
You can list all variables available to a script with the `export` command
in Bash or `dir env:` in PowerShell. This exposes the values of **all** available
variables, which can be a [security risk](_index.md#cicd-variable-security).
[Masked variables](_index.md#mask-a-cicd-variable) display as `[MASKED]`.
For example, with Bash:
```yaml
job_name:
script:
- export
```
Example job log output (truncated):
```shell
export CI_JOB_ID="50"
export CI_COMMIT_SHA="1ecfd275763eff1d6b4844ea3168962458c9f27a"
export CI_COMMIT_SHORT_SHA="1ecfd275"
export CI_COMMIT_REF_NAME="main"
export CI_REPOSITORY_URL="https://gitlab-ci-token:[MASKED]@example.com/gitlab-org/gitlab.git"
export CI_COMMIT_TAG="1.0.0"
export CI_JOB_NAME="spec:other"
export CI_JOB_STAGE="test"
export CI_JOB_MANUAL="true"
export CI_JOB_TRIGGERED="true"
export CI_JOB_TOKEN="[MASKED]"
export CI_PIPELINE_ID="1000"
export CI_PIPELINE_IID="10"
export CI_PAGES_DOMAIN="gitlab.io"
export CI_PAGES_URL="https://gitlab-org.gitlab.io/gitlab"
export CI_PROJECT_ID="34"
export CI_PROJECT_DIR="/builds/gitlab-org/gitlab"
export CI_PROJECT_NAME="gitlab"
export CI_PROJECT_TITLE="GitLab"
...
```
## Enable debug logging
{{< alert type="warning" >}}
Debug logging can be a serious security risk. The output contains the content of
all variables available to the job. The output is uploaded to the
GitLab server and visible in job logs.
{{< /alert >}}
You can use debug logging to help troubleshoot problems with pipeline configuration
or job scripts. Debug logging exposes job execution details that are usually hidden
by the runner and makes job logs more verbose. It also exposes all variables and secrets
available to the job.
Before you enable debug logging, make sure only team members
can view job logs. You should also [delete job logs](../jobs/_index.md#view-jobs-in-a-pipeline)
with debug output before you make logs public again.
To enable debug logging, set the `CI_DEBUG_TRACE` variable to `true`:
```yaml
job_name:
variables:
CI_DEBUG_TRACE: "true"
```
Example output (truncated):
```plaintext
...
export CI_SERVER_TLS_CA_FILE="/builds/gitlab-examples/ci-debug-trace.tmp/CI_SERVER_TLS_CA_FILE"
if [[ -d "/builds/gitlab-examples/ci-debug-trace/.git" ]]; then
echo $'\''\x1b[32;1mFetching changes...\x1b[0;m'\''
$'\''cd'\'' "/builds/gitlab-examples/ci-debug-trace"
$'\''git'\'' "config" "fetch.recurseSubmodules" "false"
$'\''rm'\'' "-f" ".git/index.lock"
$'\''git'\'' "clean" "-ffdx"
$'\''git'\'' "reset" "--hard"
$'\''git'\'' "remote" "set-url" "origin" "https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@example.com/gitlab-examples/ci-debug-trace.git"
$'\''git'\'' "fetch" "origin" "--prune" "+refs/heads/*:refs/remotes/origin/*" "+refs/tags/*:refs/tags/lds"
++ CI_BUILDS_DIR=/builds
++ export CI_PROJECT_DIR=/builds/gitlab-examples/ci-debug-trace
++ CI_PROJECT_DIR=/builds/gitlab-examples/ci-debug-trace
++ export CI_CONCURRENT_ID=87
++ CI_CONCURRENT_ID=87
++ export CI_CONCURRENT_PROJECT_ID=0
++ CI_CONCURRENT_PROJECT_ID=0
++ export CI_SERVER=yes
++ CI_SERVER=yes
++ mkdir -p /builds/gitlab-examples/ci-debug-trace.tmp
++ echo -n '-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----'
++ export CI_SERVER_TLS_CA_FILE=/builds/gitlab-examples/ci-debug-trace.tmp/CI_SERVER_TLS_CA_FILE
++ CI_SERVER_TLS_CA_FILE=/builds/gitlab-examples/ci-debug-trace.tmp/CI_SERVER_TLS_CA_FILE
++ export CI_PIPELINE_ID=52666
++ CI_PIPELINE_ID=52666
++ export CI_PIPELINE_URL=https://gitlab.com/gitlab-examples/ci-debug-trace/pipelines/52666
++ CI_PIPELINE_URL=https://gitlab.com/gitlab-examples/ci-debug-trace/pipelines/52666
++ export CI_JOB_ID=7046507
++ CI_JOB_ID=7046507
++ export CI_JOB_URL=https://gitlab.com/gitlab-examples/ci-debug-trace/-/jobs/379424655
++ CI_JOB_URL=https://gitlab.com/gitlab-examples/ci-debug-trace/-/jobs/379424655
++ export CI_JOB_TOKEN=[MASKED]
++ CI_JOB_TOKEN=[MASKED]
++ export CI_REGISTRY_USER=gitlab-ci-token
++ CI_REGISTRY_USER=gitlab-ci-token
++ export CI_REGISTRY_PASSWORD=[MASKED]
++ CI_REGISTRY_PASSWORD=[MASKED]
++ export CI_REPOSITORY_URL=https://gitlab-ci-token:[MASKED]@gitlab.com/gitlab-examples/ci-debug-trace.git
++ CI_REPOSITORY_URL=https://gitlab-ci-token:[MASKED]@gitlab.com/gitlab-examples/ci-debug-trace.git
++ export CI_JOB_NAME=debug_trace
++ CI_JOB_NAME=debug_trace
++ export CI_JOB_STAGE=test
++ CI_JOB_STAGE=test
++ export CI_NODE_TOTAL=1
++ CI_NODE_TOTAL=1
++ export CI=true
++ CI=true
++ export GITLAB_CI=true
++ GITLAB_CI=true
++ export CI_SERVER_URL=https://gitlab.com:3000
++ CI_SERVER_URL=https://gitlab.com:3000
++ export CI_SERVER_HOST=gitlab.com
++ CI_SERVER_HOST=gitlab.com
++ export CI_SERVER_PORT=3000
++ CI_SERVER_PORT=3000
++ export CI_SERVER_SHELL_SSH_HOST=gitlab.com
++ CI_SERVER_SHELL_SSH_HOST=gitlab.com
++ export CI_SERVER_SHELL_SSH_PORT=22
++ CI_SERVER_SHELL_SSH_PORT=22
++ export CI_SERVER_PROTOCOL=https
++ CI_SERVER_PROTOCOL=https
++ export CI_SERVER_NAME=GitLab
++ CI_SERVER_NAME=GitLab
++ export GITLAB_FEATURES=audit_events,burndown_charts,code_owners,contribution_analytics,description_diffs,elastic_search,group_bulk_edit,group_burndown_charts,group_webhooks,issuable_default_templates,issue_weights,jenkins_integration,ldap_group_sync,member_lock,merge_request_approvers,multiple_issue_assignees,multiple_ldap_servers,multiple_merge_request_assignees,protected_refs_for_users,push_rules,related_issues,repository_mirrors,repository_size_limit,scoped_issue_board,usage_quotas,wip_limits,admin_audit_log,auditor_user,batch_comments,blocking_merge_requests,board_assignee_lists,board_milestone_lists,ci_cd_projects,cluster_deployments,code_analytics,code_owner_approval_required,commit_committer_check,cross_project_pipelines,custom_file_templates,custom_file_templates_for_namespace,custom_project_templates,custom_prometheus_metrics,cycle_analytics_for_groups,db_load_balancing,default_project_deletion_protection,dependency_proxy,deploy_board,design_management,email_additional_text,extended_audit_events,external_authorization_service_api_management,feature_flags,file_locks,geo,github_integration,group_allowed_email_domains,group_project_templates,group_saml,issues_analytics,jira_dev_panel_integration,ldap_group_sync_filter,merge_pipelines,merge_request_performance_metrics,merge_trains,metrics_reports,multiple_approval_rules,multiple_group_issue_boards,object_storage,operations_dashboard,packages,productivity_analytics,project_aliases,protected_environments,reject_unsigned_commits,required_ci_templates,scoped_labels,service_desk,smartcard_auth,group_timelogs,type_of_work_analytics,unprotection_restrictions,ci_project_subscriptions,container_scanning,dast,dependency_scanning,epics,group_ip_restriction,incident_management,insights,license_management,personal_access_token_expiration_policy,pod_logs,prometheus_alerts,report_approver_rules,sast,security_dashboard,tracing,web_ide_terminal
++ GITLAB_FEATURES=audit_events,burndown_charts,code_owners,contribution_analytics,description_diffs,elastic_search,group_bulk_edit,group_burndown_charts,group_webhooks,issuable_default_templates,issue_weights,jenkins_integration,ldap_group_sync,member_lock,merge_request_approvers,multiple_issue_assignees,multiple_ldap_servers,multiple_merge_request_assignees,protected_refs_for_users,push_rules,related_issues,repository_mirrors,repository_size_limit,scoped_issue_board,usage_quotas,wip_limits,admin_audit_log,auditor_user,batch_comments,blocking_merge_requests,board_assignee_lists,board_milestone_lists,ci_cd_projects,cluster_deployments,code_analytics,code_owner_approval_required,commit_committer_check,cross_project_pipelines,custom_file_templates,custom_file_templates_for_namespace,custom_project_templates,custom_prometheus_metrics,cycle_analytics_for_groups,db_load_balancing,default_project_deletion_protection,dependency_proxy,deploy_board,design_management,email_additional_text,extended_audit_events,external_authorization_service_api_management,feature_flags,file_locks,geo,github_integration,group_allowed_email_domains,group_project_templates,group_saml,issues_analytics,jira_dev_panel_integration,ldap_group_sync_filter,merge_pipelines,merge_request_performance_metrics,merge_trains,metrics_reports,multiple_approval_rules,multiple_group_issue_boards,object_storage,operations_dashboard,packages,productivity_analytics,project_aliases,protected_environments,reject_unsigned_commits,required_ci_templates,scoped_labels,service_desk,smartcard_auth,group_timelogs,type_of_work_analytics,unprotection_restrictions,ci_project_subscriptions,cluster_health,container_scanning,dast,dependency_scanning,epics,group_ip_restriction,incident_management,insights,license_management,personal_access_token_expiration_policy,pod_logs,prometheus_alerts,report_approver_rules,sast,security_dashboard,tracing,web_ide_terminal
++ export CI_PROJECT_ID=17893
++ CI_PROJECT_ID=17893
++ export CI_PROJECT_NAME=ci-debug-trace
++ CI_PROJECT_NAME=ci-debug-trace
...
```
### Access to debug logging
Access to debug logging is restricted to [users with at least the Developer role](../../user/permissions.md#cicd). Users with a lower role cannot see the logs when debug logging is enabled with a variable in:
- The [`.gitlab-ci.yml` file](_index.md#define-a-cicd-variable-in-the-gitlab-ciyml-file).
- The CI/CD variables set in the GitLab UI.
{{< alert type="warning" >}}
If you add `CI_DEBUG_TRACE` as a local variable to runners, debug logs generate and are visible
to all users with access to job logs. The permission levels are not checked by the runner,
so you should only use the variable in GitLab itself.
{{< /alert >}}
## "argument list too long"
This issue occurs when the combined length of all CI/CD variables defined for a job exceeds the limit imposed by the
shell where the job executes. This includes the names and values of pre-defined and user defined variables. This limit
is typically referred to as `ARG_MAX`, and is shell and operating system dependent. This issue also occurs when the
content of a single [File-type](_index.md#use-file-type-cicd-variables) variable exceeds `ARG_MAX`.
For more information, see [issue 392406](https://gitlab.com/gitlab-org/gitlab/-/issues/392406#note_1414219596).
As a workaround you can either:
- Use [File-type](_index.md#use-file-type-cicd-variables) CI/CD variables for large environment variables where possible.
- If a single large variable is larger than `ARG_MAX`, try using [Secure Files](../secure_files/_index.md), or
bring the file to the job through some other mechanism.
## `Insufficient permissions to set pipeline variables` error for a downstream pipeline
When triggering a downstream pipeline, you might get this error unexpectedly:
```plaintext
Failed - (downstream pipeline can not be created, Insufficient permissions to set pipeline variables)
```
This error occurs when a downstream project has [restricted pipeline variables](_index.md#restrict-pipeline-variables) and the trigger job either:
- Has variables defined. For example:
```yaml
trigger-job:
variables:
VAR_FOR_DOWNSTREAM: "test"
trigger: my-group/my-project
```
- Receives variables from [default variables](../yaml/_index.md#default-variables) defined in a top-level `variables` section. For example:
```yaml
variables:
DEFAULT_VAR: "test"
trigger-job:
trigger: my-group/my-project
```
Variables passed to a downstream pipeline in a trigger job are [pipeline variables](_index.md#use-pipeline-variables),
so the workaround is to either:
- Remove the `variables` defined in the trigger job to avoid passing variables.
- [Prevent default variables from being passed to the downstream pipeline](../pipelines/downstream_pipelines.md#prevent-default-variables-from-being-passed).
## Default variable doesn't expand in job variable of the same name
You cannot use a default variable's value in a job variable of the same name. A default variable
is only made available to a job when the job does not have a variable defined with the same name.
If the job has a variable with the same name, the job's variable takes precedence
and the default variable is not available in the job.
For example, these two samples are equivalent:
- In this sample, `$MY_VAR` has no value because it's not defined anywhere:
```yaml
Job-with-variable:
variables:
MY_VAR: $MY_VAR
script: echo "Value is '$MY_VAR'"
```
- In this sample, `$MY_VAR` has no value because the default variable with the same name
is not available in the job:
```yaml
variables:
MY_VAR: "Default value"
Job-with-same-name-variable:
variables:
MY_VAR: $MY_VAR
script: echo "Value is '$MY_VAR'"
```
In both cases, the echo command outputs `Value is '$MY_VAR'`.
In general, you should use the default variable directly in a job rather than reassigning its value to a new variable.
If you need to do this, use variables with different names instead. For example:
```yaml
variables:
MY_VAR1: "Default value1"
MY_VAR2: "Default value2"
overwrite-same-name:
variables:
MY_VAR2_FROM_DEFAULTS: $MY_VAR2
script: echo "Values are '$MY_VAR1' and '$MY_VAR2_FROM_DEFAULTS'"
```


@ -269,133 +269,3 @@ job:
- Write-Host $TXT_RED"This text is red,"$TXT_CLEAR" but this text isn't"$TXT_RED" however this text is red again."
- Write-Host "This text is not colored"
```
## Troubleshooting
### `Syntax is incorrect` in scripts that use `:`
If you use a colon (`:`) in a script, GitLab might output:
- `Syntax is incorrect`
- `script config should be a string or a nested array of strings up to 10 levels deep`
For example, if you use `"PRIVATE-TOKEN: ${PRIVATE_TOKEN}"` as part of a cURL command:
```yaml
pages-job:
stage: deploy
script:
- curl --header 'PRIVATE-TOKEN: ${PRIVATE_TOKEN}' "https://gitlab.example.com/api/v4/projects"
environment: production
```
The YAML parser thinks the `:` defines a YAML keyword, and outputs the
`Syntax is incorrect` error.
To use commands that contain a colon, you should wrap the whole command
in single quotes. You might need to change existing single quotes (`'`) into double quotes (`"`):
```yaml
pages-job:
stage: deploy
script:
- 'curl --header "PRIVATE-TOKEN: ${PRIVATE_TOKEN}" "https://gitlab.example.com/api/v4/projects"'
environment: production
```
### Job does not fail when using `&&` in a script
If you use `&&` to combine two commands together in a single script line, the job
might return as successful, even if one of the commands failed. For example:
```yaml
job-does-not-fail:
script:
- invalid-command xyz && invalid-command abc
- echo $?
- echo "The job should have failed already, but this is executed unexpectedly."
```
The `&&` operator returns an exit code of `0` even though the two commands failed,
and the job continues to run. To force the script to exit when either command fails,
enclose the entire line in parentheses:
```yaml
job-fails:
script:
- (invalid-command xyz && invalid-command abc)
- echo "The job failed already, and this is not executed."
```
### Multiline commands not preserved by folded YAML multiline block scalar
If you use the `- >` folded YAML multiline block scalar to split long commands,
additional indentation causes the lines to be processed as individual commands.
For example:
```yaml
script:
- >
RESULT=$(curl --silent
--header
"Authorization: Bearer $CI_JOB_TOKEN"
"${CI_API_V4_URL}/job"
)
```
This fails as the indentation causes the line breaks to be preserved:
```plaintext
$ RESULT=$(curl --silent # collapsed multi-line command
curl: no URL specified!
curl: try 'curl --help' or 'curl --manual' for more information
/bin/bash: line 149: --header: command not found
/bin/bash: line 150: https://gitlab.example.com/api/v4/job: No such file or directory
```
Resolve this by either:
- Removing the extra indentation:
```yaml
script:
- >
RESULT=$(curl --silent
--header
"Authorization: Bearer $CI_JOB_TOKEN"
"${CI_API_V4_URL}/job"
)
```
- Modifying the script so the extra line breaks are handled, for example using shell line continuation:
```yaml
script:
- >
RESULT=$(curl --silent \
--header \
"Authorization: Bearer $CI_JOB_TOKEN" \
"${CI_API_V4_URL}/job")
```
### Job log output is not formatted as expected or contains unexpected characters
Sometimes the formatting in the job log displays incorrectly with tools that rely
on the `TERM` environment variable for coloring or formatting. For example, with the `mypy` command:
![Example output](img/incorrect_log_rendering_v16_5.png)
GitLab Runner runs the container's shell in non-interactive mode, so the shell's `TERM`
environment variable is set to `dumb`. To fix the formatting for these tools, you can:
- Add an additional script line to set `TERM=ansi` in the shell's environment before running the command.
- Add a `TERM` [CI/CD variable](../variables/_index.md) with a value of `ansi`.
### `after_script` section execution stops early and incorrect `$CI_JOB_STATUS` values
In GitLab Runner 16.9.0 to 16.11.0:
- The `after_script` section execution sometimes stops too early.
- The status of the `$CI_JOB_STATUS` predefined variable is
[incorrectly set as `failed` while the job is canceling](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/37485).


@ -0,0 +1,134 @@
---
stage: Verify
group: Pipeline Authoring
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
title: Troubleshooting scripts and job logs
---
## `Syntax is incorrect` in scripts that use `:`
If you use a colon (`:`) in a script, GitLab might output:
- `Syntax is incorrect`
- `script config should be a string or a nested array of strings up to 10 levels deep`
For example, if you use `"PRIVATE-TOKEN: ${PRIVATE_TOKEN}"` as part of a cURL command:
```yaml
pages-job:
stage: deploy
script:
- curl --header 'PRIVATE-TOKEN: ${PRIVATE_TOKEN}' "https://gitlab.example.com/api/v4/projects"
environment: production
```
The YAML parser thinks the `:` defines a YAML keyword, and outputs the
`Syntax is incorrect` error.
To use commands that contain a colon, you should wrap the whole command
in single quotes. You might need to change existing single quotes (`'`) into double quotes (`"`):
```yaml
pages-job:
stage: deploy
script:
- 'curl --header "PRIVATE-TOKEN: ${PRIVATE_TOKEN}" "https://gitlab.example.com/api/v4/projects"'
environment: production
```
## Job does not fail when using `&&` in a script
If you use `&&` to combine two commands together in a single script line, the job
might return as successful, even if one of the commands failed. For example:
```yaml
job-does-not-fail:
script:
- invalid-command xyz && invalid-command abc
- echo $?
- echo "The job should have failed already, but this is executed unexpectedly."
```
The `&&` operator returns an exit code of `0` even though the two commands failed,
and the job continues to run. To force the script to exit when either command fails,
enclose the entire line in parentheses:
```yaml
job-fails:
script:
- (invalid-command xyz && invalid-command abc)
- echo "The job failed already, and this is not executed."
```
## Multiline commands not preserved by folded YAML multiline block scalar
If you use the `- >` folded YAML multiline block scalar to split long commands,
additional indentation causes the lines to be processed as individual commands.
For example:
```yaml
script:
- >
RESULT=$(curl --silent
--header
"Authorization: Bearer $CI_JOB_TOKEN"
"${CI_API_V4_URL}/job"
)
```
This fails as the indentation causes the line breaks to be preserved:
```plaintext
$ RESULT=$(curl --silent # collapsed multi-line command
curl: no URL specified!
curl: try 'curl --help' or 'curl --manual' for more information
/bin/bash: line 149: --header: command not found
/bin/bash: line 150: https://gitlab.example.com/api/v4/job: No such file or directory
```
Resolve this by either:
- Removing the extra indentation:
```yaml
script:
- >
RESULT=$(curl --silent
--header
"Authorization: Bearer $CI_JOB_TOKEN"
"${CI_API_V4_URL}/job"
)
```
- Modifying the script so the extra line breaks are handled, for example using shell line continuation:
```yaml
script:
- >
RESULT=$(curl --silent \
--header \
"Authorization: Bearer $CI_JOB_TOKEN" \
"${CI_API_V4_URL}/job")
```
## Job log output is not formatted as expected or contains unexpected characters
Sometimes the formatting in the job log displays incorrectly with tools that rely
on the `TERM` environment variable for coloring or formatting. For example, with the `mypy` command:
![Example output](img/incorrect_log_rendering_v16_5.png)
GitLab Runner runs the container's shell in non-interactive mode, so the shell's `TERM`
environment variable is set to `dumb`. To fix the formatting for these tools, you can:
- Add an additional script line to set `TERM=ansi` in the shell's environment before running the command.
- Add a `TERM` [CI/CD variable](../variables/_index.md) with a value of `ansi`.
## `after_script` section execution stops early and incorrect `$CI_JOB_STATUS` values
In GitLab Runner 16.9.0 to 16.11.0:
- The `after_script` section execution sometimes stops too early.
- The status of the `$CI_JOB_STATUS` predefined variable is
[incorrectly set as `failed` while the job is canceling](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/37485).


@ -1719,7 +1719,7 @@ This sensitive data must be handled carefully to avoid leaks which could lead to
- Never commit credentials to repositories.
- The [Gitleaks Git hook](https://gitlab.com/gitlab-com/gl-security/security-research/gitleaks-endpoint-installer) is recommended for preventing credentials from being committed.
- Never log credentials under any circumstance. Issue [#353857](https://gitlab.com/gitlab-org/gitlab/-/issues/353857) is an example of credential leaks through log file.
- When credentials are required in a CI/CD job, use [masked variables](../ci/variables/_index.md#mask-a-cicd-variable) to help prevent accidental exposure in the job logs. Be aware that when [debug logging](../ci/variables/_index.md#enable-debug-logging) is enabled, all masked CI/CD variables are visible in job logs. Also consider using [protected variables](../ci/variables/_index.md#protect-a-cicd-variable) when possible so that sensitive CI/CD variables are only available to pipelines running on protected branches or protected tags.
- When credentials are required in a CI/CD job, use [masked variables](../ci/variables/_index.md#mask-a-cicd-variable) to help prevent accidental exposure in the job logs. Be aware that when [debug logging](../ci/variables/variables_troubleshooting.md#enable-debug-logging) is enabled, all masked CI/CD variables are visible in job logs. Also consider using [protected variables](../ci/variables/_index.md#protect-a-cicd-variable) when possible so that sensitive CI/CD variables are only available to pipelines running on protected branches or protected tags.
- Proper scanners must be enabled depending on what data those credentials are protecting. See the [Application Security Inventory Policy](https://handbook.gitlab.com/handbook/security/product-security/application-security/inventory/#policies) and our [Data Classification Standards](https://handbook.gitlab.com/handbook/security/data-classification-standard/#standard).
- To store and/or share credentials between teams, refer to [1Password for Teams](https://handbook.gitlab.com/handbook/security/password-guidelines/#1password-for-teams) and follow [the 1Password Guidelines](https://handbook.gitlab.com/handbook/security/password-guidelines/#1password-guidelines).
- If you need to share a secret with a team member, use 1Password. Do not share a secret over email, Slack, or other service on the Internet.
@ -1965,7 +1965,7 @@ Logging helps track events for debugging. Logging also allows the application to
- Personal data, except for integer-based identifiers and UUIDs, or IP address, which can be logged when necessary.
- Credentials like access tokens or passwords. If credentials must be captured for debugging purposes, log the internal ID of the credential (if available) instead. Never log credentials under any circumstances.
- When [debug logging](../ci/variables/_index.md#enable-debug-logging) is enabled, all masked CI/CD variables are visible in job logs. Consider using [protected variables](../ci/variables/_index.md#protect-a-cicd-variable) when possible so that sensitive CI/CD variables are only available to pipelines running on protected branches or protected tags.
- When [debug logging](../ci/variables/variables_troubleshooting.md#enable-debug-logging) is enabled, all masked CI/CD variables are visible in job logs. Consider using [protected variables](../ci/variables/_index.md#protect-a-cicd-variable) when possible so that sensitive CI/CD variables are only available to pipelines running on protected branches or protected tags.
- Any data supplied by the user without proper validation.
- Any information that might be considered sensitive (for example, credentials, passwords, tokens, keys, or secrets). Here is an [example](https://gitlab.com/gitlab-org/gitlab/-/issues/383142) of sensitive information being leaked through logs.


@ -87,12 +87,11 @@ Advanced search follows the [Elasticsearch end-of-life policy](https://www.elast
| GitLab version | OpenSearch version |
|-------------------------|--------------------------------|
| GitLab 18.1 and later | OpenSearch 1.x and later |
| GitLab 17.6.3 and later | OpenSearch 1.x and 2.x |
| GitLab 15.5.3 to 17.6.2 | OpenSearch 1.x, 2.0 to 2.17 |
| GitLab 15.0 to 15.5.2 | OpenSearch 1.x |
OpenSearch 3.0 is not supported, see [issue 540086](https://gitlab.com/gitlab-org/gitlab/-/issues/540086).
If your version of Elasticsearch or OpenSearch is incompatible, to prevent data loss, indexing pauses and
a message is logged in the
[`elasticsearch.log`](../../administration/logs/_index.md#elasticsearchlog) file.


@ -2,6 +2,7 @@
stage: Software Supply Chain Security
group: Authentication
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
gitlab_dedicated: no
title: Use Salesforce as an OAuth 2.0 authentication provider
---


@ -393,6 +393,7 @@ add different users to that project.
checkbox.
- To analyze the source code in the project for known security vulnerabilities,
select the **Enable Static Application Security Testing (SAST)** checkbox.
- To analyze the source code for secrets and credentials to prevent unauthorized access select the **Enable Secret Detection** checkbox.
1. Select **Create project**.
You have now created a project in the parent group.


@ -42,7 +42,7 @@ Agentic Chat is only available in the
Prerequisites:
- A GitLab Duo Pro or Enterprise add-on.
- A GitLab Duo Core, Pro, or Enterprise add-on.
- A Premium or Ultimate subscription.
- You have an assigned seat for or access to GitLab Duo Chat.
- You have [installed and configured the GitLab Workflow extension for VS Code](../../editor_extensions/visual_studio_code/setup.md) version 6.15.1 or later.


@ -326,7 +326,7 @@ Project Owners can perform any listed action, and can delete pipelines:
| View [agents for Kubernetes](clusters/agent/_index.md) | | | | | ✓ | ✓ | |
| View project [Secure Files](../api/secure_files.md) | | | | | ✓ | ✓ | |
| Download project [Secure Files](../api/secure_files.md) | | | | | ✓ | ✓ | |
| View a job with [debug logging](../ci/variables/_index.md#enable-debug-logging) | | | | | ✓ | ✓ | |
| View a job with [debug logging](../ci/variables/variables_troubleshooting.md#enable-debug-logging) | | | | | ✓ | ✓ | |
| Create [environments](../ci/environments/_index.md) | | | | | ✓ | ✓ | |
| Delete [environments](../ci/environments/_index.md) | | | | | ✓ | ✓ | |
| Stop [environments](../ci/environments/_index.md) | | | | | ✓ | ✓ | |


@ -34,6 +34,8 @@ To create a blank project:
create a default branch, and enable cloning of this project's repository.
1. **Enable Static Application Security Testing (SAST)**: Select this option to analyze the
source code for known security vulnerabilities.
1. **Enable Secret Detection**: Select this option to analyze the
source code for secrets and credentials to prevent unauthorized access.
1. Select **Create project**.
## Create a project from a built-in template


@ -17,7 +17,7 @@ module ActiveContext
dimension: field.options[:dimensions],
method: {
name: 'hnsw',
engine: 'nmslib',
engine: 'lucene',
space_type: 'cosinesimil',
parameters: {
ef_construction: EF_CONSTRUCTION,
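Review bot: The `engine: 'lucene'` line carries no comment on which OpenSearch versions the mapping now needs, while the documentation table elsewhere in this commit appears to list OpenSearch 1.x as supported. As far as I know the Lucene k-NN engine is not available on OpenSearch 1.x, so index creation there may be rejected; please confirm, and either choose the engine from the cluster version or record the minimum next to the setting, e.g. `# lucene k-NN engine; TODO confirm minimum OpenSearch version`. Indices already created with `nmslib` presumably keep that engine until they are recreated, which is worth stating in the migration notes. The enclosing method starts and ends outside the hunk.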


@ -67,25 +67,16 @@ module Gitlab
def track_execution_start
return if Feature.disabled?(:sidekiq_concurrency_limit_middleware, Feature.current_request, type: :ops)
return unless track_execution?
concurrency_service.track_execution_start(worker_class)
end
def track_execution_end
return if Feature.disabled?(:sidekiq_concurrency_limit_middleware, Feature.current_request, type: :ops)
return unless track_execution?
concurrency_service.track_execution_end(worker_class)
end
def track_execution?
return true if Feature.enabled?(:track_sidekiq_concurrency_limit_execution, Feature.current_request)
return false unless worker_limit > 0
true
end
def worker_limit
@worker_limit ||= ::Gitlab::SidekiqMiddleware::ConcurrencyLimit::WorkersMap.limit_for(worker: worker)
end


@ -3,11 +3,65 @@
module Security
module CiConfiguration
class SecretDetectionBuildAction < BaseBuildAction
def initialize(
auto_devops_enabled, params, existing_gitlab_ci_content,
ci_config_path = ::Ci::Pipeline::DEFAULT_CONFIG_PATH)
super(auto_devops_enabled, existing_gitlab_ci_content, ci_config_path)
@params = params || {}
@variables = @params[:initialize_with_secret_detection] ? { 'SECRET_DETECTION_ENABLED' => 'true' } : {}
@default_values_overwritten = false
end
private
def update_existing_content!
add_stages!([Security::CiConfiguration::DEFAULT_TEST_STAGE]) unless @auto_devops_enabled
@existing_gitlab_ci_content['stages'] = set_stages
@existing_gitlab_ci_content['variables'] = set_variables(global_variables, @existing_gitlab_ci_content)
@existing_gitlab_ci_content['secret_detection'] = set_secret_detection_block
@existing_gitlab_ci_content['include'] = generate_includes
# Remove any empty sections to keep the config clean
@existing_gitlab_ci_content.select! { |_k, v| v.present? }
@existing_gitlab_ci_content['secret_detection']&.select! { |_k, v| v.present? }
end
def set_stages
existing_stages = @existing_gitlab_ci_content['stages'] || []
base_stages = @auto_devops_enabled ? auto_devops_stages : ['test']
(existing_stages + base_stages + [secret_detection_stage]).uniq
end
def auto_devops_stages
auto_devops_template = YAML.safe_load(Gitlab::Template::GitlabCiYmlTemplate.find('Auto-DevOps').content)
auto_devops_template['stages']
rescue StandardError => e
Gitlab::AppLogger.error("Failed to process Auto-DevOps template: #{e.message}")
%w[build test deploy]
end
def set_variables(variables, hash_to_update = {})
hash_to_update['variables'] ||= {}
variables.each do |key|
if @variables[key].present?
hash_to_update['variables'][key] = @variables[key]
@default_values_overwritten = true
end
end
hash_to_update['variables']
end
def set_secret_detection_block
secret_detection_content = @existing_gitlab_ci_content['secret_detection'] || {}
secret_detection_content['variables'] = set_variables(secret_detection_variables)
secret_detection_content['stage'] = secret_detection_stage
secret_detection_content.select { |_k, v| v.present? }
end
def secret_detection_stage
'secret-detection'
end
def template
@ -15,6 +69,21 @@ module Security
'Security/Secret-Detection.gitlab-ci.yml'
end
def global_variables
%w[
SECRET_DETECTION_ENABLED
SECURE_ANALYZERS_PREFIX
]
end
def secret_detection_variables
%w[
SECRET_DETECTION_HISTORIC_SCAN
SECRET_DETECTION_IMAGE_SUFFIX
SECRET_DETECTION_EXCLUDED_PATHS
]
end
end
end
end
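Review bot: `set_secret_detection_block` calls `set_variables(secret_detection_variables)` without a target hash, so the result is built from a fresh `{}` and assigned over `secret_detection_content['variables']`; job-level variables already present in an existing `.gitlab-ci.yml` (an excluded-paths setting, for example) are dropped when the file is regenerated. Passing the block itself keeps them and mirrors the global call: `secret_detection_content['variables'] = set_variables(secret_detection_variables, secret_detection_content)`. Separately, `set_stages` appends `secret-detection` after every existing and Auto DevOps stage, so the scan is scheduled after the deploy stages; if that ordering is intended, a comment on `secret_detection_stage` should say so. `def template` is split across the two hunks and only partly visible.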


@ -16863,6 +16863,9 @@ msgstr ""
msgid "Configure SAST IaC in `.gitlab-ci.yml`, creating this file if it does not already exist"
msgstr ""
msgid "Configure SAST and Secret Detection in `.gitlab-ci.yml`, creating this file if it does not already exist"
msgstr ""
msgid "Configure SAST in `.gitlab-ci.yml` using the GitLab managed template. You can [add variable overrides](https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings) to customize SAST settings."
msgstr ""
@ -48990,6 +48993,9 @@ msgstr ""
msgid "ProjectsNew|Direct transfer projects with a top-level Group"
msgstr ""
msgid "ProjectsNew|Enable Secret Detection"
msgstr ""
msgid "ProjectsNew|Enable Static Application Security Testing (SAST)"
msgstr ""
@ -49128,6 +49134,9 @@ msgstr ""
msgid "ProjectsNew|Run CI/CD for external repository"
msgstr ""
msgid "ProjectsNew|Scan your code for secrets and credentials to prevent unauthorized access."
msgstr ""
msgid "ProjectsNew|Select"
msgstr ""


@ -8,6 +8,6 @@ group :test do
gem "climate_control", "~> 1.2.0"
gem "gitlab-styles", "~> 13.1.0"
gem "pry", "~> 0.15.2"
gem "rspec", "~> 3.13"
gem "rspec", "~> 3.13", ">= 3.13.1"
gem "simplecov", "~> 0.22.0"
end


@ -67,7 +67,7 @@ GEM
rainbow (3.1.1)
regexp_parser (2.10.0)
require_all (3.0.0)
rspec (3.13.0)
rspec (3.13.1)
rspec-core (~> 3.13.0)
rspec-expectations (~> 3.13.0)
rspec-mocks (~> 3.13.0)
@ -150,8 +150,8 @@ DEPENDENCIES
gitlab-orchestrator!
gitlab-styles (~> 13.1.0)
pry (~> 0.15.2)
rspec (~> 3.13)
rspec (~> 3.13, >= 3.13.1)
simplecov (~> 0.22.0)
BUNDLED WITH
2.6.2
2.6.5


@ -0,0 +1,60 @@
# frozen_string_literal: true
module RuboCop
module Cop
module Gitlab
# Checks for usage of the deprecated AuditEventService
# and prevents new implementations from being added.
#
# @example
# # bad
# AuditEventService.new(...)
#
# # good
# Gitlab::Audit::Auditor.audit { ... }
#
class DeprecatedAuditEventService < RuboCop::Cop::Base
MSG = "AuditEventService is deprecated and new implementations are not allowed. " \
"Instead please use Gitlab::Audit::Auditor. See " \
"https://docs.gitlab.com/development/audit_event_guide/#how-to-instrument-new-audit-events"
# @!method audit_event_service_usage?(node)
def_node_matcher :audit_event_service_usage?, <<~PATTERN
{
(const nil? :AuditEventService)
(const (cbase) :AuditEventService)
}
PATTERN
# @!method audit_event_service_include?(node)
def_node_matcher :audit_event_service_include?, <<~PATTERN
(send nil? {:include :extend} #audit_event_service_usage?)
PATTERN
# @!method audit_event_service_new?(node)
def_node_matcher :audit_event_service_new?, <<~PATTERN
(call #audit_event_service_usage? :new ...)
PATTERN
def on_const(node)
return unless audit_event_service_usage?(node)
return if node.parent&.send_type? && [:include, :extend].include?(node.parent.method_name)
add_offense(node)
end
def on_send(node)
return unless audit_event_service_include?(node) || audit_event_service_new?(node)
add_offense(node)
end
def on_csend(node)
return unless audit_event_service_include?(node) || audit_event_service_new?(node)
add_offense(node)
end
end
end
end
end
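Review bot: `AuditEventService.new(...)` appears to be reported twice: `on_const` flags the constant because its parent send is `:new` rather than `:include`/`:extend`, and `on_send` then flags the whole call through `audit_event_service_new?`. Skipping the constant when the call is handled by the send hooks avoids the duplicate, e.g. `return if node.parent&.send_type? && [:include, :extend, :new].include?(node.parent.method_name)`. `on_send` and `on_csend` have identical bodies, so `alias_method :on_csend, :on_send` would remove the repetition. The matcher `(const nil? :AuditEventService)` also does not match a namespaced reference such as `EE::AuditEventService`; a comment stating whether that is deliberate would help.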


@ -76,7 +76,7 @@ if [ -z "${GITLAB_WORKSPACES_PROXY_DOMAIN}" ]; then
)
if [ -z "${GITLAB_WORKSPACES_PROXY_DOMAIN}" ]; then
echo "Unable to fetch the value from existing helm release. Using default."
GITLAB_WORKSPACES_PROXY_DOMAIN="workspaces.localdev.me"
GITLAB_WORKSPACES_PROXY_DOMAIN="workspaces.localtest.me"
fi
fi
@ -88,7 +88,7 @@ if [ -z "${GITLAB_WORKSPACES_PROXY_WILDCARD_DOMAIN}" ]; then
)
if [ -z "${GITLAB_WORKSPACES_PROXY_WILDCARD_DOMAIN}" ]; then
echo "Unable to fetch the value from existing helm release. Using default."
GITLAB_WORKSPACES_PROXY_WILDCARD_DOMAIN="*.workspaces.localdev.me"
GITLAB_WORKSPACES_PROXY_WILDCARD_DOMAIN="*.workspaces.localtest.me"
fi
fi
@ -113,7 +113,7 @@ if [ -z "${GITLAB_WORKSPACES_PROXY_TLS_CERT_FILE}" ]; then
echo "GITLAB_WORKSPACES_PROXY_TLS_CERT_FILE is not explicitly set. Using default."
GITLAB_WORKSPACES_PROXY_TLS_CERT_FILE="${ROOT_DIR}/gitlab_workspaces_proxy_tls_cert"
if [ "${GITLAB_WORKSPACES_PROXY_DOMAIN}" != "workspaces.localdev.me" ]; then
if [ "${GITLAB_WORKSPACES_PROXY_DOMAIN}" != "workspaces.localtest.me" ]; then
echo "GITLAB_WORKSPACES_PROXY_DOMAIN is non-default. Trying to fetch the value from existing helm release"
kubectl get secret "${GITLAB_WORKSPACES_PROXY_TLS_SECRET}" \
--namespace="${GITLAB_WORKSPACES_PROXY_HELM_RELEASE_NAMESPACE}" \
@ -129,7 +129,7 @@ if [ -z "${GITLAB_WORKSPACES_PROXY_TLS_KEY_FILE}" ]; then
echo "GITLAB_WORKSPACES_PROXY_TLS_KEY_FILE is not explicitly set. Using default."
GITLAB_WORKSPACES_PROXY_TLS_KEY_FILE="${ROOT_DIR}/gitlab_workspaces_proxy_tls_key"
if [ "${GITLAB_WORKSPACES_PROXY_DOMAIN}" != "workspaces.localdev.me" ]; then
if [ "${GITLAB_WORKSPACES_PROXY_DOMAIN}" != "workspaces.localtest.me" ]; then
echo "GITLAB_WORKSPACES_PROXY_DOMAIN is non-default. Trying to fetch the value from existing helm release"
kubectl get secret "${GITLAB_WORKSPACES_PROXY_TLS_SECRET}" \
--namespace="${GITLAB_WORKSPACES_PROXY_HELM_RELEASE_NAMESPACE}" \
@ -163,7 +163,7 @@ if [ -z "${GITLAB_WORKSPACES_PROXY_WILDCARD_TLS_CERT_FILE}" ]; then
echo "GITLAB_WORKSPACES_PROXY_WILDCARD_TLS_CERT_FILE is not explicitly set. Using default."
GITLAB_WORKSPACES_PROXY_WILDCARD_TLS_CERT_FILE="${ROOT_DIR}/gitlab_workspaces_proxy_wildcard_tls_cert"
if [ "${GITLAB_WORKSPACES_PROXY_WILDCARD_DOMAIN}" != "*.workspaces.localdev.me" ]; then
if [ "${GITLAB_WORKSPACES_PROXY_WILDCARD_DOMAIN}" != "*.workspaces.localtest.me" ]; then
echo "GITLAB_WORKSPACES_PROXY_WILDCARD_DOMAIN is non-default. Trying to fetch the value from existing helm release"
kubectl get secret "${GITLAB_WORKSPACES_PROXY_WILDCARD_TLS_SECRET}" \
--namespace="${GITLAB_WORKSPACES_PROXY_HELM_RELEASE_NAMESPACE}" \
@ -179,7 +179,7 @@ if [ -z "${GITLAB_WORKSPACES_PROXY_WILDCARD_TLS_KEY_FILE}" ]; then
echo "GITLAB_WORKSPACES_PROXY_WILDCARD_TLS_KEY_FILE is not explicitly set. Using default."
GITLAB_WORKSPACES_PROXY_WILDCARD_TLS_KEY_FILE="${ROOT_DIR}/gitlab_workspaces_proxy_wildcard_tls_key"
if [ "${GITLAB_WORKSPACES_PROXY_WILDCARD_DOMAIN}" != "*.workspaces.localdev.me" ]; then
if [ "${GITLAB_WORKSPACES_PROXY_WILDCARD_DOMAIN}" != "*.workspaces.localtest.me" ]; then
echo "GITLAB_WORKSPACES_PROXY_WILDCARD_DOMAIN is non-default. Trying to fetch the value from existing helm release"
kubectl get secret "${GITLAB_WORKSPACES_PROXY_WILDCARD_TLS_SECRET}" \
--namespace="${GITLAB_WORKSPACES_PROXY_HELM_RELEASE_NAMESPACE}" \
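Review bot: The default domain is written as a literal in six places across these hunks (two assignments and four `!=` tests), and those tests decide whether the TLS certificate and key are read from the existing Kubernetes secret, so one missed rename would quietly change where key material comes from. Define it once near the top, e.g. `DEFAULT_PROXY_DOMAIN="workspaces.localtest.me"`, and use `"${DEFAULT_PROXY_DOMAIN}"` and `"*.${DEFAULT_PROXY_DOMAIN}"` in the assignments and comparisons. The default presumably depends on a third-party public DNS name resolving to the loopback address, so a one-line comment marking it as a local-development default would be useful. Each `if` block continues outside its hunk.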


@ -587,6 +587,37 @@ RSpec.describe ProjectsController, feature_category: :groups_and_projects do
end
end
end
context 'when security features are enabled' do
let(:params) do
{
name: 'New Project',
path: 'new-project',
description: 'New project description',
namespace_id: user.namespace.id,
initialize_with_sast: '1',
initialize_with_secret_detection: '1'
}
end
it 'calls appropriate create service methods' do
expect_next_instance_of(Projects::CreateService) do |service|
expect(service.instance_variable_get(:@initialize_with_sast)).to eq(true)
expect(service.instance_variable_get(:@initialize_with_secret_detection)).to eq(true)
end
subject
end
it 'creates a project with security features enabled' do
expect { subject }.to change { Project.count }.by(1)
project = Project.last
expect(project.name).to eq('New Project')
expect(project.path).to eq('new-project')
expect(response).to have_gitlab_http_status(:redirect)
end
end
end
describe 'GET edit' do
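Review bot: The example 'creates a project with security features enabled' asserts only the project count, name, path and redirect, so it passes even if both `initialize_with_*` params are ignored. Either assert an observable effect of the flags (for instance that the new project's CI configuration references the Secret Detection template) or rename it to what it checks, e.g. `it 'creates the project and redirects' do`. The first example reads `@initialize_with_sast` and `@initialize_with_secret_detection` through `instance_variable_get`, which ties the spec to the service's private state, and its title does not match what is asserted. The surrounding `describe` block starts outside the hunk.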


@ -15,13 +15,19 @@ exports[`SearchItem should render the item 1`] = `
src="https://www.gravatar.com/avatar/a9638f4ec70148d51e56bf05ad41e993?s=80&d=identicon"
/>
<span
class="gl-flex gl-flex-col gl-min-w-0 gl-w-full"
class="gl-flex gl-gap-2 gl-items-center gl-min-w-0"
>
<span
class="gl-text-strong gl-truncate"
>
Cole Dickinson
</span>
<span
aria-hidden="true"
class="gl-text-subtle"
>
·
</span>
</span>
</div>
`;
@ -37,13 +43,19 @@ exports[`SearchItem should render the item 2`] = `
variant="current"
/>
<span
class="gl-flex gl-flex-col gl-min-w-0 gl-w-full"
class="gl-flex gl-gap-2 gl-items-center gl-min-w-0"
>
<span
class="gl-text-strong gl-truncate"
>
Manage &gt; Activity
</span>
<span
aria-hidden="true"
class="gl-text-subtle"
>
·
</span>
</span>
</div>
`;
@ -59,17 +71,23 @@ exports[`SearchItem should render the item 3`] = `
entityid="1"
entityname="MockProject1"
shape="rect"
size="32"
size="16"
src="/project/avatar/1/avatar.png"
/>
<span
class="gl-flex gl-flex-col gl-min-w-0 gl-w-full"
class="gl-flex gl-gap-2 gl-items-center gl-min-w-0"
>
<span
class="gl-text-strong gl-truncate"
>
MockProject1
</span>
<span
aria-hidden="true"
class="gl-text-subtle"
>
·
</span>
<span
class="gl-text-sm gl-text-subtle gl-truncate"
>
@ -94,13 +112,19 @@ exports[`SearchItem should render the item 4`] = `
src=""
/>
<span
class="gl-flex gl-flex-col gl-min-w-0 gl-w-full"
class="gl-flex gl-gap-2 gl-items-center gl-min-w-0"
>
<span
class="gl-text-strong gl-truncate"
>
Dismiss Cipher with no integrity
</span>
<span
aria-hidden="true"
class="gl-text-subtle"
>
·
</span>
</span>
</div>
`;


@ -41,7 +41,7 @@ describe('FrequentlyVisitedItem', () => {
projectId: mockItem.id,
projectName: mockItem.title,
projectAvatarUrl: mockItem.avatar,
size: 32,
size: 16,
});
});


@ -165,14 +165,6 @@ RSpec.describe Gitlab::SidekiqMiddleware::ConcurrencyLimit::Server, feature_cate
TestConcurrencyLimitWorker.perform_async('foo')
end
context 'when track_sidekiq_concurrency_limit_execution feature flag is disabled' do
before do
stub_feature_flags(track_sidekiq_concurrency_limit_execution: false)
end
it_behaves_like 'track execution'
end
it_behaves_like 'track execution'
context 'when limit is set to zero' do
@ -180,14 +172,6 @@ RSpec.describe Gitlab::SidekiqMiddleware::ConcurrencyLimit::Server, feature_cate
allow(::Gitlab::SidekiqMiddleware::ConcurrencyLimit::WorkersMap).to receive(:limit_for).and_return(0)
end
context 'when track_sidekiq_concurrency_limit_execution feature flag is disabled' do
before do
stub_feature_flags(track_sidekiq_concurrency_limit_execution: false)
end
it_behaves_like 'skip execution tracking'
end
it_behaves_like 'track execution'
end
@ -196,14 +180,6 @@ RSpec.describe Gitlab::SidekiqMiddleware::ConcurrencyLimit::Server, feature_cate
::Gitlab::SidekiqMiddleware::ConcurrencyLimit::WorkersMap.remove_instance_variable(:@data)
end
context 'when track_sidekiq_concurrency_limit_execution feature flag is disabled' do
before do
stub_feature_flags(track_sidekiq_concurrency_limit_execution: false)
end
it_behaves_like 'skip execution tracking'
end
it_behaves_like 'track execution'
end
end
@ -232,14 +208,6 @@ RSpec.describe Gitlab::SidekiqMiddleware::ConcurrencyLimit::Server, feature_cate
worker_klass.perform_async('foo')
end
context 'when track_sidekiq_concurrency_limit_execution feature flag is disabled' do
before do
stub_feature_flags(track_sidekiq_concurrency_limit_execution: false)
end
it_behaves_like 'skip execution tracking'
end
it_behaves_like 'track execution'
end
end


@ -3,7 +3,7 @@
require 'spec_helper'
RSpec.describe Security::CiConfiguration::SecretDetectionBuildAction, feature_category: :secret_detection do
subject(:result) { described_class.new(auto_devops_enabled, gitlab_ci_content).generate }
subject(:result) { described_class.new(auto_devops_enabled, params, gitlab_ci_content).generate }
let(:params) { {} }
@ -23,11 +23,14 @@ RSpec.describe Security::CiConfiguration::SecretDetectionBuildAction, feature_ca
stages:
- test
- security
- secret-detection
variables:
RANDOM: make sure this persists
include:
- template: existing.yml
- template: Security/Secret-Detection.gitlab-ci.yml
secret_detection:
stage: secret-detection
CI_YML
end
@ -70,10 +73,13 @@ RSpec.describe Security::CiConfiguration::SecretDetectionBuildAction, feature_ca
# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
stages:
- test
- secret-detection
variables:
RANDOM: make sure this persists
include:
- template: Security/Secret-Detection.gitlab-ci.yml
secret_detection:
stage: secret-detection
CI_YML
end
@ -121,6 +127,9 @@ RSpec.describe Security::CiConfiguration::SecretDetectionBuildAction, feature_ca
# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
stages:
- test
- secret-detection
secret_detection:
stage: secret-detection
include:
- template: Security/Secret-Detection.gitlab-ci.yml
CI_YML
@ -143,6 +152,24 @@ RSpec.describe Security::CiConfiguration::SecretDetectionBuildAction, feature_ca
# Container Scanning customization: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings
# Note that environment variables can be set in several places
# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
stages:
- build
- test
- deploy
- review
- dast
- staging
- canary
- production
- incremental rollout 10%
- incremental rollout 25%
- incremental rollout 50%
- incremental rollout 100%
- performance
- cleanup
- secret-detection
secret_detection:
stage: secret-detection
include:
- template: Auto-DevOps.gitlab-ci.yml
CI_YML
@ -161,9 +188,49 @@ RSpec.describe Security::CiConfiguration::SecretDetectionBuildAction, feature_ca
end
end
context 'with initialize_with_secret_detection param' do
let(:auto_devops_enabled) { false }
let(:gitlab_ci_content) { nil }
let(:params) { { initialize_with_secret_detection: true } }
it 'sets SECRET_DETECTION_ENABLED to true' do
expect(result[:default_values_overwritten]).to be_truthy
end
end
describe 'when sast_also_enabled is true' do
let(:auto_devops_enabled) { false }
let(:gitlab_ci_content) { nil }
let(:params) { { sast_also_enabled: true } }
it 'maintains the same behavior for secret detection' do
expect(result[:action]).to eq('create')
expect(result[:content]).to include('Security/Secret-Detection.gitlab-ci.yml')
end
end
# stubbing this method allows this spec file to use fast_spec_helper
def fast_auto_devops_stages
auto_devops_template = YAML.safe_load(File.read('lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml'))
auto_devops_template['stages']
end
context 'when Auto-DevOps template cannot be processed' do
let(:auto_devops_enabled) { true }
let(:gitlab_ci_content) { nil }
let(:build_action) { described_class.new(auto_devops_enabled, params, gitlab_ci_content) }
before do
allow(Gitlab::Template::GitlabCiYmlTemplate).to receive(:find)
.with('Auto-DevOps')
.and_raise(StandardError.new("Template processing error"))
end
it 'logs the error and returns default stages' do
expect(Gitlab::AppLogger).to receive(:error)
.with("Failed to process Auto-DevOps template: Template processing error")
expect(build_action.send(:auto_devops_stages)).to eq(%w[build test deploy])
end
end
end


@ -668,6 +668,28 @@ RSpec.describe Ci::JobArtifact, feature_category: :job_artifacts do
end
end
it_behaves_like 'object storable' do
let(:locally_stored) do
ci_job_artifact = create(:ci_job_artifact)
if ci_job_artifact.file_store == ObjectStorage::Store::REMOTE
ci_job_artifact.update_column(described_class::STORE_COLUMN, ObjectStorage::Store::LOCAL)
end
ci_job_artifact
end
let(:remotely_stored) do
ci_job_artifact = create(:ci_job_artifact)
if ci_job_artifact.file_store == ObjectStorage::Store::LOCAL
ci_job_artifact.update_column(described_class::STORE_COLUMN, ObjectStorage::Store::REMOTE)
end
ci_job_artifact
end
end
describe '.file_types' do
context 'all file types have corresponding limit' do
let_it_be(:plan_limits) { create(:plan_limits) }
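Review bot: The `locally_stored` and `remotely_stored` lets added here flip the store with `update_column`, which rewrites only the column and leaves the file wherever the factory wrote it, and nothing in the block says so. The same two lets are repeated almost verbatim in the Ci::PipelineArtifact, Ci::SecureFile, DependencyProxy::Blob, DependencyProxy::Manifest, LfsObject, MergeRequestDiff, Packages::PackageFile, Terraform::StateVersion and Upload specs on this page. I would add a comment above the first let, `# update_column only rewrites the store column; the file is not moved, so use these records for scope assertions only`, and consider one shared helper that takes the factory name and the store reader so the copies cannot drift apart. The enclosing describe block starts and ends outside the hunk.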


@ -100,6 +100,28 @@ RSpec.describe Ci::PipelineArtifact, type: :model, feature_category: :job_artifa
end
end
it_behaves_like 'object storable' do
let(:locally_stored) do
ci_pipeline_artifact = create(:ci_pipeline_artifact)
if ci_pipeline_artifact.file_store == ObjectStorage::Store::REMOTE
ci_pipeline_artifact.update_column(described_class::STORE_COLUMN, ObjectStorage::Store::LOCAL)
end
ci_pipeline_artifact
end
let(:remotely_stored) do
ci_pipeline_artifact = create(:ci_pipeline_artifact)
if ci_pipeline_artifact.file_store == ObjectStorage::Store::LOCAL
ci_pipeline_artifact.update_column(described_class::STORE_COLUMN, ObjectStorage::Store::REMOTE)
end
ci_pipeline_artifact
end
end
describe '.report_exists?' do
subject(:pipeline_artifact) { described_class.report_exists?(file_type) }


@ -219,4 +219,26 @@ RSpec.describe Ci::SecureFile, factory_default: :keep, feature_category: :mobile
expect(secure_file.local?).to be false
end
end
it_behaves_like 'object storable' do
let(:locally_stored) do
ci_secure_file = create(:ci_secure_file)
if ci_secure_file.file_store == ObjectStorage::Store::REMOTE
ci_secure_file.update_column(described_class::STORE_COLUMN, ObjectStorage::Store::LOCAL)
end
ci_secure_file
end
let(:remotely_stored) do
ci_secure_file = create(:ci_secure_file)
if ci_secure_file.file_store == ObjectStorage::Store::LOCAL
ci_secure_file.update_column(described_class::STORE_COLUMN, ObjectStorage::Store::REMOTE)
end
ci_secure_file
end
end
end


@ -97,24 +97,6 @@ RSpec.describe Ci::Artifactable do
end
end
describe '.with_files_stored_locally' do
it 'returns artifacts stored locally' do
expect(Ci::JobArtifact.with_files_stored_locally).to contain_exactly(recently_expired_artifact, later_expired_artifact, not_expired_artifact)
end
end
describe '.with_files_stored_remotely' do
let(:remote_artifact) { create(:ci_job_artifact, :remote_store) }
before do
stub_artifacts_object_storage
end
it 'returns artifacts stored remotely' do
expect(Ci::JobArtifact.with_files_stored_remotely).to contain_exactly(remote_artifact)
end
end
describe '.project_id_in' do
context 'when artifacts belongs to projects' do
let(:project_ids) { [recently_expired_artifact.project.id, not_expired_artifact.project.id, non_existing_record_id] }


@ -59,4 +59,26 @@ RSpec.describe DependencyProxy::Blob, type: :model, feature_category: :dependenc
it_behaves_like 'mounted file in object store'
end
end
it_behaves_like 'object storable' do
let(:locally_stored) do
dependency_proxy_blob = create(:dependency_proxy_blob)
if dependency_proxy_blob.file_store == ObjectStorage::Store::REMOTE
dependency_proxy_blob.update_column(described_class::STORE_COLUMN, ObjectStorage::Store::LOCAL)
end
dependency_proxy_blob
end
let(:remotely_stored) do
dependency_proxy_blob = create(:dependency_proxy_blob)
if dependency_proxy_blob.file_store == ObjectStorage::Store::LOCAL
dependency_proxy_blob.update_column(described_class::STORE_COLUMN, ObjectStorage::Store::REMOTE)
end
dependency_proxy_blob
end
end
end


@ -47,6 +47,28 @@ RSpec.describe DependencyProxy::Manifest, type: :model, feature_category: :depen
end
end
it_behaves_like 'object storable' do
let(:locally_stored) do
dependency_proxy_manifest = create(:dependency_proxy_manifest)
if dependency_proxy_manifest.file_store == ObjectStorage::Store::REMOTE
dependency_proxy_manifest.update_column(described_class::STORE_COLUMN, ObjectStorage::Store::LOCAL)
end
dependency_proxy_manifest
end
let(:remotely_stored) do
dependency_proxy_manifest = create(:dependency_proxy_manifest)
if dependency_proxy_manifest.file_store == ObjectStorage::Store::LOCAL
dependency_proxy_manifest.update_column(described_class::STORE_COLUMN, ObjectStorage::Store::REMOTE)
end
dependency_proxy_manifest
end
end
describe '.find_by_file_name_or_digest' do
let_it_be(:file_name) { 'foo' }
let_it_be(:digest) { 'bar' }


@ -7,6 +7,7 @@ RSpec.describe ForkNetwork, feature_category: :source_code_management do
describe "validations" do
it { is_expected.to belong_to(:organization) }
it { is_expected.to belong_to(:root_project).class_name('Project') }
describe "#organization_match" do
let_it_be(:organization) { create(:organization) }
@ -41,6 +42,11 @@ RSpec.describe ForkNetwork, feature_category: :source_code_management do
end
end
describe "associations" do
it { is_expected.to have_many(:fork_network_members) }
it { is_expected.to have_many(:projects).through(:fork_network_members) }
end
describe '#add_root_as_member' do
it 'adds the root project as a member when creating a new root network' do
project = create(:project)
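Review bot: The `belong_to(:root_project)` matcher sits under `describe "validations"` next to `belong_to(:organization)`, while the second hunk adds a dedicated `describe "associations"` block for the `have_many` matchers. Association matchers split across two groups are easy to overlook when the model changes, so I would move both `belong_to` lines into the new block, e.g. `it { is_expected.to belong_to(:root_project).class_name('Project') }` directly above `have_many(:fork_network_members)`. Which of the two `belong_to` lines this commit adds cannot be recovered from the rendered page.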


@ -105,8 +105,6 @@ RSpec.describe LfsObject, feature_category: :source_code_management do
subject { create(:lfs_object, :with_file) }
describe 'file is being stored' do
subject { create(:lfs_object, :with_file) }
context 'when existing object has local store' do
it_behaves_like 'mounted file in local store'
end
@ -121,6 +119,28 @@ RSpec.describe LfsObject, feature_category: :source_code_management do
end
end
it_behaves_like 'object storable' do
let(:locally_stored) do
lfs_object = create(:lfs_object)
if lfs_object.file_store == ObjectStorage::Store::REMOTE
lfs_object.update_column(described_class::STORE_COLUMN, ObjectStorage::Store::LOCAL)
end
lfs_object
end
let(:remotely_stored) do
lfs_object = create(:lfs_object)
if lfs_object.file_store == ObjectStorage::Store::LOCAL
lfs_object.update_column(described_class::STORE_COLUMN, ObjectStorage::Store::REMOTE)
end
lfs_object
end
end
describe ".calculate_oid" do
let(:lfs_object) { create(:lfs_object, :with_file) }


@ -1688,4 +1688,26 @@ RSpec.describe MergeRequestDiff, feature_category: :code_review_workflow do
end
end
end
it_behaves_like 'object storable' do
let(:locally_stored) do
merge_request_diff = create(:merge_request_diff)
if merge_request_diff.external_diff_store == ObjectStorage::Store::REMOTE
merge_request_diff.update_column(described_class::STORE_COLUMN, ObjectStorage::Store::LOCAL)
end
merge_request_diff
end
let(:remotely_stored) do
merge_request_diff = create(:merge_request_diff)
if merge_request_diff.external_diff_store == ObjectStorage::Store::LOCAL
merge_request_diff.update_column(described_class::STORE_COLUMN, ObjectStorage::Store::REMOTE)
end
merge_request_diff
end
end
end


@ -597,4 +597,26 @@ RSpec.describe Packages::PackageFile, type: :model, feature_category: :package_r
end
end
end
it_behaves_like 'object storable' do
let(:locally_stored) do
package_file = create(:package_file)
if package_file.file_store == ObjectStorage::Store::REMOTE
package_file.update_column(described_class::STORE_COLUMN, ObjectStorage::Store::LOCAL)
end
package_file
end
let(:remotely_stored) do
package_file = create(:package_file)
if package_file.file_store == ObjectStorage::Store::LOCAL
package_file.update_column(described_class::STORE_COLUMN, ObjectStorage::Store::REMOTE)
end
package_file
end
end
end


@ -35,8 +35,8 @@ RSpec.describe PagesDeployment, feature_category: :pages do
end
it_behaves_like 'object storable' do
let(:create_local) { create(:pages_deployment, project: project, file_store: ::ObjectStorage::Store::LOCAL) }
let(:create_remote) { create(:pages_deployment, project: project, file_store: ::ObjectStorage::Store::REMOTE) }
let(:locally_stored) { create(:pages_deployment, project: project, file_store: ::ObjectStorage::Store::LOCAL) }
let(:remotely_stored) { create(:pages_deployment, project: project, file_store: ::ObjectStorage::Store::REMOTE) }
end
end


@ -11,12 +11,24 @@ RSpec.describe Terraform::StateVersion, feature_category: :infrastructure_as_cod
it { is_expected.to belong_to(:build).class_name('Ci::Build').optional }
it_behaves_like 'object storable' do
let(:create_local) do
create(:terraform_state_version, described_class::STORE_COLUMN => ObjectStorage::Store::LOCAL)
let(:locally_stored) do
terraform_state_version = create(:terraform_state_version)
if terraform_state_version.file_store == ObjectStorage::Store::REMOTE
terraform_state_version.update_column(described_class::STORE_COLUMN, ObjectStorage::Store::LOCAL)
end
terraform_state_version
end
let(:create_remote) do
create_local.update_column(described_class::STORE_COLUMN, ObjectStorage::Store::REMOTE)
let(:remotely_stored) do
terraform_state_version = create(:terraform_state_version)
if terraform_state_version.file_store == ObjectStorage::Store::LOCAL
terraform_state_version.update_column(described_class::STORE_COLUMN, ObjectStorage::Store::REMOTE)
end
terraform_state_version
end
end


@ -335,4 +335,26 @@ RSpec.describe Upload do
subject.destroy!
end
end
it_behaves_like 'object storable' do
let(:locally_stored) do
upload = create(:upload)
if upload.store == ObjectStorage::Store::REMOTE
upload.update_column(described_class::STORE_COLUMN, ObjectStorage::Store::LOCAL)
end
upload
end
let(:remotely_stored) do
upload = create(:upload)
if upload.store == ObjectStorage::Store::LOCAL
upload.update_column(described_class::STORE_COLUMN, ObjectStorage::Store::REMOTE)
end
upload
end
end
end


@ -0,0 +1,28 @@
# frozen_string_literal: true
require 'rubocop_spec_helper'
require_relative '../../../../rubocop/cop/gitlab/deprecated_audit_event_service'
RSpec.describe RuboCop::Cop::Gitlab::DeprecatedAuditEventService, feature_category: :tooling do
let(:msg) do
'AuditEventService is deprecated and new implementations are not allowed. ' \
'Instead please use Gitlab::Audit::Auditor. ' \
'See https://docs.gitlab.com/development/audit_event_guide/#how-to-instrument-new-audit-events'
end
it 'flags the use of AuditEventService.new' do
expect_offense(<<~RUBY)
AuditEventService.new
^^^^^^^^^^^^^^^^^ #{msg}
^^^^^^^^^^^^^^^^^^^^^ #{msg}
RUBY
end
it 'flags the use of AuditEventService with safe navigation operator' do
expect_offense(<<~RUBY)
AuditEventService&.new
^^^^^^^^^^^^^^^^^ #{msg}
^^^^^^^^^^^^^^^^^^^^^^ #{msg}
RUBY
end
end
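Review bot: Both examples only prove that the cop fires; no example shows what it leaves alone, so an over-broad node pattern would still pass this spec. I would add a negative case such as `it('does not flag the replacement') { expect_no_offenses('Gitlab::Audit::Auditor.audit(context)') }`, and ideally a positive one for the namespaced form `::AuditEventService.new`. The expectations also record two offenses with the same message for a single call, one on the constant and one on the whole send, which doubles the noise for every hit. If the cop's implementation, which is not on this page, allows it, reporting once on the send node would be enough.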


@ -888,6 +888,22 @@ RSpec.describe Projects::CreateService, '#execute', feature_category: :groups_an
end
end
context 'when Secret Detection initialization is requested' do
let(:project) { create_project(user, opts) }
before do
opts[:initialize_with_secret_detection] = '1'
allow(Gitlab::CurrentSettings).to receive(:default_branch_name).and_return('main')
end
it 'creates a commit for Secret Detection', :aggregate_failures do
expect(project.repository.commit_count).to be(1)
expect(project.repository.commit.message).to eq(
'Configure Secret Detection in `.gitlab-ci.yml`, creating this file if it does not already exist'
)
end
end
context 'when SHA256 format is requested' do
let(:project) { create_project(user, opts) }
let(:opts) { super().merge(initialize_with_readme: true, repository_object_format: 'sha256') }
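Review bot: The new 'creates a commit for Secret Detection' example checks only the commit count and message, so it would still pass if the commit wrote a `.gitlab-ci.yml` that never includes the secret detection template. Since this option is what turns the scanner on for a new project, I would also assert the file content, for example `expect(project.repository.blob_data_at(project.default_branch, '.gitlab-ci.yml')).to include('Security/Secret-Detection.gitlab-ci.yml')`. The `before` block also mutates `opts` in place; `let(:opts) { super().merge(initialize_with_secret_detection: '1') }`, in the style of the SHA256 context just below, keeps the setup declarative. The enclosing describe starts outside the hunk.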


@ -3,17 +3,113 @@
require 'spec_helper'
RSpec.describe Security::CiConfiguration::SecretDetectionCreateService, :snowplow, feature_category: :container_scanning do
subject(:result) { described_class.new(project, user).execute }
describe '#execute' do
let_it_be(:project) { create(:project, :repository) }
let(:snowplow_event) do
{
category: 'Security::CiConfiguration::SecretDetectionCreateService',
action: 'create',
label: 'false'
}
end
let(:branch_name) { 'set-secret-detection-config-1' }
let_it_be(:user) { create(:user) }
let(:branch_name) { 'set-secret-detection-config-1' }
let(:params) { {} }
let(:commit_on_default) { false }
let(:snowplow_event) do
{
category: 'Security::CiConfiguration::SecretDetectionCreateService',
action: 'create',
label: ''
}
subject(:result) { described_class.new(project, user, params, commit_on_default: commit_on_default).execute }
# Include the shared examples that test basic functionality
include_examples 'services security ci configuration create service', true
context 'when user belongs to project' do
before_all do
project.add_developer(user)
end
context 'with initialize_with_secret_detection parameter' do
let(:params) { { initialize_with_secret_detection: true } }
let(:build_action_instance) { instance_double(Security::CiConfiguration::SecretDetectionBuildAction) }
before do
allow(Security::CiConfiguration::SecretDetectionBuildAction).to receive(:new)
.and_return(build_action_instance)
allow(build_action_instance).to receive(:generate).and_return({
action: 'create',
file_path: '.gitlab-ci.yml',
content: 'content',
default_values_overwritten: true
})
end
it 'passes the parameter to SecretDetectionBuildAction' do
expect(Security::CiConfiguration::SecretDetectionBuildAction).to receive(:new)
.with(anything, hash_including(initialize_with_secret_detection: true), anything, anything)
.and_return(build_action_instance)
result
end
it 'returns success' do
expect(result.status).to eq(:success)
end
end
context 'with sast_also_enabled parameter' do
let(:params) { { sast_also_enabled: true } }
let(:build_action_instance) { instance_double(Security::CiConfiguration::SecretDetectionBuildAction) }
before do
allow(Security::CiConfiguration::SecretDetectionBuildAction).to receive(:new)
.and_return(build_action_instance)
allow(build_action_instance).to receive(:generate).and_return({
action: 'create',
file_path: '.gitlab-ci.yml',
content: 'content',
default_values_overwritten: true
})
end
it 'creates appropriate commit message' do
service = described_class.new(project, user, params)
expect(service.send(:message)).to eq(
'Configure SAST and Secret Detection in `.gitlab-ci.yml`, creating this file if it does not already exist'
)
end
end
context 'with commit_on_default parameter' do
let(:params) { { initialize_with_secret_detection: true } }
let(:commit_on_default) { true }
it 'uses the project default branch' do
service = described_class.new(project, user, params, commit_on_default: true)
expect(service.branch_name).to eq(project.default_branch)
end
it 'returns success' do
# Setup expectations for the repository API
allow(project.repository).to receive(:add_branch)
allow_next_instance_of(Files::MultiService) do |multi_service|
expect(multi_service).to receive(:execute).and_return(status: :success)
end
expect(result.status).to eq(:success)
end
end
context 'with no commit_on_default parameter' do
let(:commit_on_default) { false }
it 'uses the generated branch name' do
service = described_class.new(project, user, {})
expect(service.branch_name).to start_with('set-secret-detection-config')
end
end
end
end
include_examples 'services security ci configuration create service', true
end
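Review bot: In the 'with commit_on_default parameter' context the 'returns success' example stubs `Files::MultiService#execute`, so nothing in this spec exercises a real commit to the default branch or what happens when the user is not allowed to push there. The only membership set up is `project.add_developer(user)`, and a developer is commonly not permitted to push to a protected default branch; I would add a context with a protected default branch that expects an error response rather than success. That example also places an `expect(...).to receive` inside `allow_next_instance_of`; `expect_next_instance_of(Files::MultiService)` states the intent directly. The describe is also tagged `feature_category: :container_scanning`, which looks wrong for a secret detection service, though that line may predate this commit.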


@ -174,8 +174,23 @@ module TestEnv
public_send(method)
end
post_init
duration = Time.now - start
puts "\nTest environment set up in #{Time.now - start} seconds"
puts "\nTest environment set up in #{duration} seconds"
send_rspec_setup_duration_telemetry(duration)
end
def send_rspec_setup_duration_telemetry(duration)
gdk_path = Gitlab::Utils.which('gdk')
return if gdk_path.empty?
Bundler.with_unbundled_env do
success = system(gdk_path, 'send-telemetry', 'rspec_setup_duration', duration.to_s)
warn "Failed to send RSpec setup time via telemetry command." unless success
end
rescue StandardError => e
warn "Failed to send telemetry: #{e.message}"
end
# Can be overriden
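Review bot: `return if gdk_path.empty?` in `send_rspec_setup_duration_telemetry` raises NoMethodError if `Gitlab::Utils.which` returns nil when `gdk` is not on PATH (its definition is not on this page, but that is the usual contract for such a helper). The `rescue StandardError` would then turn that into a "Failed to send telemetry" warning on every run without GDK, such as CI. `return if gdk_path.blank?` covers both nil and an empty string. The method also executes whichever `gdk` is found first on PATH and shows no opt-in check of its own, so a comment stating where telemetry consent is enforced would help the next reader; passing `system` an argument list rather than a shell string is the right call. The enclosing `init` method starts outside the hunk.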


@ -1,34 +1,26 @@
# frozen_string_literal: true
# Requires these let variables to be set by the caller:
# - create_local
# - create_remote
# - locally_stored
# - remotely_stored
RSpec.shared_examples 'object storable' do
describe '.with_files_stored_locally' do
it 'includes states with local storage' do
create_local
expect(described_class.with_files_stored_locally).to have_attributes(count: 1)
it 'includes locally stored files' do
expect(described_class.with_files_stored_locally).to include(*locally_stored)
end
it 'excludes states without local storage' do
create_remote
expect(described_class.with_files_stored_locally).to have_attributes(count: 0)
it 'excludes remotely stored files' do
expect(described_class.with_files_stored_locally).not_to include(*remotely_stored)
end
end
describe '.with_files_stored_remotely' do
it 'excludes states with local storage' do
create_local
expect(described_class.with_files_stored_remotely).to have_attributes(count: 0)
it 'includes remotely stored files' do
expect(described_class.with_files_stored_remotely).to include(*remotely_stored)
end
it 'includes states without local storage' do
create_remote
expect(described_class.with_files_stored_remotely).to have_attributes(count: 1)
it 'excludes locally stored files' do
expect(described_class.with_files_stored_remotely).not_to include(*locally_stored)
end
end
end
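Review bot: The header comment names `locally_stored` and `remotely_stored` but not what they must return, and the examples splat them (`include(*locally_stored)`), which reads as if a collection were expected while the callers on this page each return a single record. I would extend the comment, e.g. `# - locally_stored: a persisted record (or array of records) whose store column is ObjectStorage::Store::LOCAL`, and the same for `remotely_stored` with `REMOTE`. It is also worth stating there that the lets are lazy, so each "excludes" example creates only the record it names.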


@ -160,7 +160,7 @@ RSpec.shared_examples_for 'services security ci configuration create service' do
end
context 'when the project is empty' do
let(:params) { nil }
let(:params) { {} }
let_it_be(:project) { create(:project_empty_repo) }
it 'returns a ServiceResponse error' do