author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-01-21 14:21:10 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-01-21 14:21:10 +0000 |
commit | cb0d23c455b73486fd1015f8ca9479b5b7e3585d (patch) | |
tree | d7dc129a407fd74266d2dc561bebf24665197c2f /.gitlab | |
parent | c3e911be175c0aabfea1eb030f9e0ef23f5f3887 (diff) | |
download | gitlab-ce-cb0d23c455b73486fd1015f8ca9479b5b7e3585d.tar.gz |
Add latest changes from gitlab-org/gitlab@12-7-stable-ee
Diffstat (limited to '.gitlab')
-rw-r--r-- | .gitlab/CODEOWNERS | 3 | ||||
-rw-r--r-- | .gitlab/ci/cache-repo.gitlab-ci.yml | 13 | ||||
-rw-r--r-- | .gitlab/ci/dev-fixtures.gitlab-ci.yml | 30 | ||||
-rw-r--r-- | .gitlab/ci/docs.gitlab-ci.yml | 15 | ||||
-rw-r--r-- | .gitlab/ci/frontend.gitlab-ci.yml | 64 | ||||
-rw-r--r-- | .gitlab/ci/global.gitlab-ci.yml | 10 | ||||
-rw-r--r-- | .gitlab/ci/notifications.gitlab-ci.yml | 23 | ||||
-rw-r--r-- | .gitlab/ci/qa.gitlab-ci.yml | 63 | ||||
-rw-r--r-- | .gitlab/ci/rails.gitlab-ci.yml | 22 | ||||
-rw-r--r-- | .gitlab/ci/releases.gitlab-ci.yml | 2 | ||||
-rw-r--r-- | .gitlab/ci/reports.gitlab-ci.yml | 2 | ||||
-rw-r--r-- | .gitlab/ci/review.gitlab-ci.yml | 114 | ||||
-rw-r--r-- | .gitlab/ci/yaml.gitlab-ci.yml | 5 | ||||
-rw-r--r-- | .gitlab/issue_templates/Coding style proposal.md | 2 | ||||
-rw-r--r-- | .gitlab/issue_templates/Feature proposal.md | 1 | ||||
-rw-r--r-- | .gitlab/issue_templates/Security developer workflow.md | 56 | ||||
-rw-r--r-- | .gitlab/merge_request_templates/Database changes.md | 50 | ||||
-rw-r--r-- | .gitlab/merge_request_templates/Security Release.md | 34 |
18 files changed, 290 insertions, 219 deletions
diff --git a/.gitlab/CODEOWNERS b/.gitlab/CODEOWNERS index c8283326533..19aa96701d8 100644 --- a/.gitlab/CODEOWNERS +++ b/.gitlab/CODEOWNERS @@ -3,7 +3,8 @@ *.rake @gitlab-org/maintainers/rails-backend # Technical writing team are the default reviewers for everything in `doc/` -/doc/ @gl-docsteam +*.md @gl-docsteam +doc/ @gl-docsteam # Frontend maintainers should see everything in `app/assets/` app/assets/ @gitlab-org/maintainers/frontend diff --git a/.gitlab/ci/cache-repo.gitlab-ci.yml b/.gitlab/ci/cache-repo.gitlab-ci.yml index f856afd3a02..1162e98e246 100644 --- a/.gitlab/ci/cache-repo.gitlab-ci.yml +++ b/.gitlab/ci/cache-repo.gitlab-ci.yml @@ -18,16 +18,23 @@ # runner, or network egress charges will apply: # https://cloud.google.com/storage/pricing cache-repo: - extends: - - .only:variables_refs-canonical-dot-com-schedules image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine stage: sync allow_failure: true variables: - GIT_DEPTH: 0 + GIT_STRATEGY: none TAR_FILENAME: /tmp/gitlab-master.tar script: + - cd .. + - rm -rf $CI_PROJECT_NAME + - git clone --progress $CI_REPOSITORY_URL $CI_PROJECT_NAME + - cd $CI_PROJECT_NAME - gcloud auth activate-service-account --key-file=$CI_REPO_CACHE_CREDENTIALS - tar cf $TAR_FILENAME . - gzip $TAR_FILENAME - gsutil cp $TAR_FILENAME.gz gs://gitlab-ci-git-repo-cache/project-$CI_PROJECT_ID/gitlab-master.tar.gz + only: + variables: + - $CI_REPO_CACHE_CREDENTIALS + refs: + - schedules diff --git a/.gitlab/ci/dev-fixtures.gitlab-ci.yml b/.gitlab/ci/dev-fixtures.gitlab-ci.yml new file mode 100644 index 00000000000..a5dab5d8708 --- /dev/null +++ b/.gitlab/ci/dev-fixtures.gitlab-ci.yml 
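Review bot: The new `*.md @gl-docsteam` line is unanchored, so it makes the docs team a required reviewer for every markdown file in the repository rather than only the contents of `doc/`, including `.gitlab/issue_templates/*.md` and `.gitlab/merge_request_templates/*.md`, which this same commit edits. Likewise `doc/` without the leading slash of the old `/doc/` matches a `doc/` directory at any depth, not only the top-level one. If the intent is `doc/` plus top-level markdown, narrowing the glob or restoring the `/doc/` anchor keeps unrelated files out of docs review; if the wider scope is intended, a comment above the line stating that would spare the next reader the same question.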
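Review bot: The tarball built after `git clone --progress $CI_REPOSITORY_URL $CI_PROJECT_NAME` is likely to carry the job token: `$CI_REPOSITORY_URL` embeds the `gitlab-ci-token` credential, git normally records it as `remote.origin.url` in `.git/config`, and `tar cf $TAR_FILENAME .` runs from inside the clone so `.git/` is included in the object uploaded to `gs://gitlab-ci-git-repo-cache/`. Job tokens expire when the job ends, but the cache is consumed by later pipelines and a credential should not be persisted in it at all; `git remote set-url origin "$CI_PROJECT_URL.git"` before the `tar` step (or cloning from `$CI_PROJECT_URL.git` directly, if the repository is publicly readable) keeps it out. The new `only:` block also replaces `.only:variables_refs-canonical-dot-com-schedules` with a bare presence check on `$CI_REPO_CACHE_CREDENTIALS`; whether the canonical-project restriction that template presumably carried is still wanted is not visible here, and the fixed bucket path `project-$CI_PROJECT_ID` is shared by any project that defines the variable.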
@@ -0,0 +1,30 @@ +.run-dev-fixtures: + extends: + - .only-code-rails-job-base + - .use-pg9 + stage: test + needs: ["setup-test-env"] + dependencies: ["setup-test-env"] + variables: + FIXTURE_PATH: "db/fixtures/development" + SEED_CYCLE_ANALYTICS: "true" + SEED_PRODUCTIVITY_ANALYTICS: "true" + CYCLE_ANALYTICS_ISSUE_COUNT: 1 + SIZE: 0 # number of external projects to fork, requires network connection + # SEED_NESTED_GROUPS: "false" # requires network connection + +run-dev-fixtures-foss: + extends: .run-dev-fixtures + script: + - scripts/gitaly-test-spawn + - RAILS_ENV=test bundle exec rake db:seed_fu + +run-dev-fixtures-ee: + extends: + - .only-ee + - .use-pg9-ee + - .run-dev-fixtures + script: + - scripts/gitaly-test-spawn + - cp ee/db/fixtures/development/* $FIXTURE_PATH + - RAILS_ENV=test bundle exec rake db:seed_fu diff --git a/.gitlab/ci/docs.gitlab-ci.yml b/.gitlab/ci/docs.gitlab-ci.yml index cd0e4085e10..4acc3c7d1fe 100644 --- a/.gitlab/ci/docs.gitlab-ci.yml +++ b/.gitlab/ci/docs.gitlab-ci.yml @@ -11,7 +11,10 @@ stage: review dependencies: [] variables: - GIT_STRATEGY: none + # We're cloning the repo instead of downloading the script for now + # because some repos are private and CI_JOB_TOKEN cannot access files. + # See https://gitlab.com/gitlab-org/gitlab/issues/191273 + GIT_DEPTH: 1 environment: name: review-docs/$DOCS_GITLAB_REPO_SUFFIX-$CI_MERGE_REQUEST_IID # DOCS_REVIEW_APPS_DOMAIN and DOCS_GITLAB_REPO_SUFFIX are CI variables 
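Review bot: `CYCLE_ANALYTICS_ISSUE_COUNT: 1` and `SIZE: 0` are the only unquoted scalars in the `.run-dev-fixtures` variables block while `FIXTURE_PATH`, `SEED_CYCLE_ANALYTICS` and `SEED_PRODUCTIVITY_ANALYTICS` are quoted; CI variables reach the job as strings anyway, so `CYCLE_ANALYTICS_ISSUE_COUNT: "1"` and `SIZE: "0"` keep the block consistent and remove the YAML-typing question for the next reader. The trailing comment on `SIZE` explains its network dependency, but `CYCLE_ANALYTICS_ISSUE_COUNT` has no such note; a one-line comment in the same style would help.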
@@ -19,11 +22,7 @@ url: http://docs-preview-$DOCS_GITLAB_REPO_SUFFIX-$CI_MERGE_REQUEST_IID.$DOCS_REVIEW_APPS_DOMAIN/$DOCS_GITLAB_REPO_SUFFIX on_stop: review-docs-cleanup before_script: - # We don't clone the repo by using GIT_STRATEGY: none and only download the - # single script we need here so it's much faster than cloning. - apk add --update openssl - - wget $CI_PROJECT_URL/raw/$CI_COMMIT_SHA/scripts/trigger-build-docs - - chmod 755 trigger-build-docs - gem install httparty --no-document --version 0.17.3 - gem install gitlab --no-document --version 4.13.0 @@ -32,7 +31,7 @@ review-docs-deploy: extends: .review-docs script: - - ./trigger-build-docs deploy + - ./scripts/trigger-build-docs deploy when: manual # Cleanup remote environment of gitlab-docs @@ -42,7 +41,7 @@ review-docs-cleanup: name: review-docs/$DOCS_GITLAB_REPO_SUFFIX-$CI_MERGE_REQUEST_IID action: stop script: - - ./trigger-build-docs cleanup + - ./scripts/trigger-build-docs cleanup when: manual docs lint: @@ -51,7 +50,7 @@ docs lint: - .default-retry - .default-only - .only:changes-docs - image: "registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-docs-lint" + image: "registry.gitlab.com/gitlab-org/gitlab-docs:docs-lint" stage: test dependencies: [] script: diff --git a/.gitlab/ci/frontend.gitlab-ci.yml b/.gitlab/ci/frontend.gitlab-ci.yml index 6578eec8234..076de55014e 100644 --- a/.gitlab/ci/frontend.gitlab-ci.yml +++ b/.gitlab/ci/frontend.gitlab-ci.yml 
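Review bot: In the `@@ -51,7` hunk, `image: "registry.gitlab.com/gitlab-org/gitlab-docs:docs-lint"` points the `docs lint` job at a floating tag, so the lint toolchain can change underneath a stable branch without any change in this repository. The replaced `gitlab-build-images:gitlab-docs-lint` tag had the same property, so this is not a regression, but the swap is a natural moment to pin by digest (`image: "registry.gitlab.com/gitlab-org/gitlab-docs:docs-lint@sha256:<digest-placeholder>"`) or to note in a comment why a moving tag is acceptable for a lint-only job.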
@@ -1,9 +1,46 @@ +# Make sure to update all the similar conditions in other CI config files if you modify these conditions +.if-default: &if-default + if: '$CI_COMMIT_REF_NAME == "master" || $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/ || $CI_COMMIT_REF_NAME =~ /^\d+-\d+-auto-deploy-\d+$/ || $CI_COMMIT_REF_NAME =~ /^security\// || $CI_MERGE_REQUEST_IID || $CI_COMMIT_TAG' + +# Make sure to update all the similar conditions in other CI config files if you modify these conditions +.if-default-ee: &if-default-ee + if: '($CI_COMMIT_REF_NAME == "master" || $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/ || $CI_COMMIT_REF_NAME =~ /^\d+-\d+-auto-deploy-\d+$/ || $CI_COMMIT_REF_NAME =~ /^security\// || $CI_MERGE_REQUEST_IID || $CI_COMMIT_TAG) && $CI_PROJECT_NAME =~ /^gitlab(-ee)?$/' + +# Make sure to update all the similar conditions in other CI config files if you modify these conditions +.if-master: &if-master + if: '$CI_COMMIT_REF_NAME == "master"' + +# Make sure to update all the similar patterns in other CI config files if you modify these patterns +.code-backstage-patterns: &code-backstage-patterns + - ".gitlab/ci/**/*" + - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}" + - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml" + - ".csscomb.json" + - "Dockerfile.assets" + - "*_VERSION" + - "Gemfile{,.lock}" + - "Rakefile" + - "{babel.config,jest.config}.js" + - "config.ru" + - "{package.json,yarn.lock}" + - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*" + - "doc/api/graphql/reference/*" # Files in this folder are auto-generated + # Backstage changes + - "Dangerfile" + - "danger/**/*" + - "{,ee/}fixtures/**/*" + - "{,ee/}rubocop/**/*" + - "{,ee/}spec/**/*" + - "doc/README.md" # Some RSpec test rely on this file + .assets-compile-cache: cache: paths: - vendor/ruby/ - .yarn-cache/ - tmp/cache/assets/sprockets + - tmp/cache/babel-loader + - tmp/cache/vue-loader 
.gitlab:assets:compile-metadata: extends: @@ -13,10 +50,8 @@ - .default-before_script - .assets-compile-cache - .only:changes-code-backstage-qa - image: registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.3-git-2.24-lfs-2.9-chrome-73.0-node-12.x-yarn-1.16-graphicsmagick-1.3.33-docker-19.03.1 - stage: test - dependencies: ["setup-test-env"] - needs: ["setup-test-env"] + image: registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.5-git-2.24-lfs-2.9-chrome-73.0-node-12.x-yarn-1.16-graphicsmagick-1.3.33-docker-19.03.1 + stage: prepare services: - docker:19.03.0-dind variables: @@ -30,7 +65,7 @@ DOCKER_DRIVER: overlay2 DOCKER_HOST: tcp://docker:2375 cache: - key: "assets-compile:production:vendor_ruby:.yarn-cache:tmp_cache_assets_sprockets:v6" + key: "assets-compile:production:vendor_ruby:.yarn-cache:tmp_cache_assets_sprockets:tmp_cache_webpack:v7" artifacts: name: webpack-report expire_in: 31d @@ -86,7 +121,7 @@ gitlab:assets:compile pull-cache: # we override the max_old_space_size to prevent OOM errors NODE_OPTIONS: --max_old_space_size=3584 cache: - key: "assets-compile:v7" + key: "assets-compile:v8" artifacts: expire_in: 7d paths: @@ -108,7 +143,7 @@ compile-assets pull-push-cache foss: - master cache: policy: pull-push - key: "assets-compile:v7:foss" + key: "assets-compile:v8:foss" compile-assets pull-cache: extends: .compile-assets-metadata @@ -119,7 +154,7 @@ compile-assets pull-cache foss: extends: [".compile-assets-metadata", ".only-ee-as-if-foss"] cache: policy: pull - key: "assets-compile:v7:foss" + key: "assets-compile:v8:foss" .only-code-frontend-job-base: extends: @@ -132,7 +167,6 @@ compile-assets pull-cache foss: - .use-pg9 stage: test needs: ["setup-test-env", "compile-assets pull-cache"] - dependencies: ["setup-test-env", "compile-assets pull-cache"] .karma-base: extends: .only-code-frontend-job-base 
@@ -204,9 +238,10 @@ jest-foss: - .default-tags - .default-retry - .default-cache - - .default-only - - .only:changes-code-backstage stage: test + rules: + - <<: *if-master + when: on_success dependencies: [] cache: key: "$CI_JOB_NAME" @@ -237,11 +272,12 @@ webpack-dev-server: - .default-tags - .default-retry - .default-cache - - .default-only - - .only:changes-code-backstage stage: test + rules: + - <<: *if-default + changes: *code-backstage-patterns + when: on_success needs: ["setup-test-env", "compile-assets pull-cache"] - dependencies: ["setup-test-env", "compile-assets pull-cache"] variables: WEBPACK_MEMORY_TEST: "true" WEBPACK_VENDOR_DLL: "true" diff --git a/.gitlab/ci/global.gitlab-ci.yml b/.gitlab/ci/global.gitlab-ci.yml index 9ebd28c7258..4c407045411 100644 --- a/.gitlab/ci/global.gitlab-ci.yml +++ b/.gitlab/ci/global.gitlab-ci.yml @@ -22,7 +22,7 @@ # Jobs that only need to pull cache .default-cache: cache: - key: "debian-stretch-ruby-2.6.3-node-12.x" + key: "debian-stretch-ruby-2.6.5-node-12.x" paths: - .go/pkg/mod - vendor/ruby @@ -202,7 +202,7 @@ - name: redis:alpine .use-pg10: - image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.3-golang-1.12-git-2.24-lfs-2.9-chrome-73.0-node-12.x-yarn-1.16-postgresql-10-graphicsmagick-1.3.33" + image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.5-golang-1.12-git-2.24-lfs-2.9-chrome-73.0-node-12.x-yarn-1.16-postgresql-10-graphicsmagick-1.3.33" services: - name: postgres:10.9 command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"] 
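Review bot: In the `@@ -204,9` hunk the `.only:changes-code-backstage` path filter is replaced by a rule carrying only `*if-master`, so the job now runs on every master pipeline regardless of which files changed, whereas the sibling `@@ -237,11` hunk keeps `changes: *code-backstage-patterns` next to `*if-default`. If the omission is deliberate (for example because `changes:` is unreliable on branch pushes), a short comment on the rule such as `# no changes: filter on purpose — always run on master` would stop someone re-adding it; if not, the `changes:` line should be restored. The job's name lies outside the hunk, so I cannot tell which job this is.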
@@ -213,15 +213,15 @@ - name: postgres:9.6 command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"] - name: redis:alpine - - name: elasticsearch:5.6.12 + - name: elasticsearch:6.4.2 .use-pg10-ee: - image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.3-golang-1.12-git-2.24-lfs-2.9-chrome-73.0-node-12.x-yarn-1.16-postgresql-10-graphicsmagick-1.3.33" + image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.5-golang-1.12-git-2.24-lfs-2.9-chrome-73.0-node-12.x-yarn-1.16-postgresql-10-graphicsmagick-1.3.33" services: - name: postgres:10.9 command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"] - name: redis:alpine - - name: elasticsearch:5.6.12 + - name: elasticsearch:6.4.2 .only-ee: only: diff --git a/.gitlab/ci/notifications.gitlab-ci.yml b/.gitlab/ci/notifications.gitlab-ci.yml deleted file mode 100644 index 4271e709f45..00000000000 --- a/.gitlab/ci/notifications.gitlab-ci.yml +++ /dev/null @@ -1,23 +0,0 @@ -.notify: - image: ruby:2.6-alpine - stage: notification - dependencies: [] - cache: {} - before_script: - - apk update && apk add git curl bash - - source scripts/utils.sh - - source scripts/notifications.sh - - install_gitlab_gem - variables: - COMMIT_NOTES_URL: "https://${CI_SERVER_HOST}/${CI_PROJECT_PATH}/commit/${CI_COMMIT_SHA}#notes-list" - -schedule:package-and-qa:notify-failure: - extends: - - .only:variables_refs-canonical-dot-com-schedules - - .notify - script: - - 'export NOTIFICATION_MESSAGE=":skull_and_crossbones: Scheduled QA against master failed! :skull_and_crossbones: See ${CI_PIPELINE_URL}. For downstream pipelines, see ${COMMIT_NOTES_URL}"' - - 'notify_on_job_failure schedule:package-and-qa qa-master "${NOTIFICATION_MESSAGE}" ci_failing' - needs: ["schedule:package-and-qa"] - allow_failure: true - when: always diff --git a/.gitlab/ci/qa.gitlab-ci.yml b/.gitlab/ci/qa.gitlab-ci.yml index 3cb5a40a8b5..5a58c3f9416 100644 
--- a/.gitlab/ci/qa.gitlab-ci.yml +++ b/.gitlab/ci/qa.gitlab-ci.yml @@ -1,3 +1,32 @@ +# Make sure to update all the similar conditions in other CI config files if you modify these conditions +.if-canonical-gitlab-schedule: &if-canonical-gitlab-schedule + if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_PIPELINE_SOURCE == "schedule"' + +# Make sure to update all the similar conditions in other CI config files if you modify these conditions +.if-canonical-gitlab-merge-request: &if-canonical-gitlab-merge-request + if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_MERGE_REQUEST_IID' + +# Make sure to update all the similar patterns in other CI config files if you modify these patterns +.code-patterns: &code-patterns + - ".gitlab/ci/**/*" + - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}" + - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml" + - ".csscomb.json" + - "Dockerfile.assets" + - "*_VERSION" + - "Gemfile{,.lock}" + - "Rakefile" + - "{babel.config,jest.config}.js" + - "config.ru" + - "{package.json,yarn.lock}" + - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*" + - "doc/api/graphql/reference/*" # Files in this folder are auto-generated + +# Make sure to update all the similar patterns in other CI config files if you modify these patterns +.qa-patterns: &qa-patterns + - ".dockerignore" + - "qa/**/*" + .qa-job-base: extends: - .default-tags 
@@ -40,30 +69,16 @@ qa:selectors-foss: - install_gitlab_gem - ./scripts/trigger-build omnibus -package-and-qa-manual: - extends: - - .package-and-qa-base - - .default-only - - .only:variables-canonical-dot-com - - .except:refs-deploy - - .only:changes-code - when: manual - needs: ["build-qa-image", "gitlab:assets:compile pull-cache"] - package-and-qa: - extends: - - .package-and-qa-base - - .default-only - - .only:variables-canonical-dot-com - - .except:refs-master-tags-stable-deploy - - .only:changes-qa - needs: ["build-qa-image", "gitlab:assets:compile pull-cache"] - allow_failure: true - -schedule:package-and-qa: - extends: - - .package-and-qa-base - - .default-only - - .only:variables_refs-canonical-dot-com-schedules + extends: .package-and-qa-base + rules: + - <<: *if-canonical-gitlab-merge-request + changes: *qa-patterns + when: on_success + - <<: *if-canonical-gitlab-merge-request + changes: *code-patterns + when: manual + - <<: *if-canonical-gitlab-schedule + when: on_success needs: ["build-qa-image", "gitlab:assets:compile pull-cache"] allow_failure: true diff --git a/.gitlab/ci/rails.gitlab-ci.yml b/.gitlab/ci/rails.gitlab-ci.yml index 4ac187e1670..8c3df170f6d 100644 --- a/.gitlab/ci/rails.gitlab-ci.yml +++ b/.gitlab/ci/rails.gitlab-ci.yml @@ -57,7 +57,7 @@ setup-test-env: dependencies: ["setup-test-env", "retrieve-tests-metadata", "compile-assets pull-cache"] script: - source scripts/rspec_helpers.sh - - rspec_paralellized_job "--tag ~quarantine --tag ~geo" + - rspec_paralellized_job "--tag ~quarantine --tag ~geo --tag ~level:migration" artifacts: expire_in: 31d when: always 
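Review bot: Folding `schedule:package-and-qa` into `package-and-qa` removes the job that `schedule:package-and-qa:notify-failure` (deleted along with `notifications.gitlab-ci.yml` in this commit) depended on, and nothing in the diff re-creates a failure notification for the scheduled run. Because the merged job keeps `allow_failure: true`, a failing scheduled QA run now surfaces only as a pipeline warning and the `notify_on_job_failure` message is gone, so unless notification is re-added elsewhere the regression would pass unnoticed. Either restore a notify job keyed on the new job name, or document in a comment on `package-and-qa` how scheduled QA failures are monitored instead.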
@@ -92,12 +92,21 @@ setup-test-env: - .use-pg10 - .only-master +.rspec-base-migration: + script: + - source scripts/rspec_helpers.sh + - rspec_paralellized_job "--tag ~quarantine --tag ~geo --tag level:migration" + rspec migration pg9: - extends: .rspec-base-pg9 + extends: + - .rspec-base-pg9 + - .rspec-base-migration parallel: 4 rspec migration pg9-foss: - extends: .rspec-base-pg9-foss + extends: + - .rspec-base-pg9-foss + - .rspec-base-migration parallel: 4 rspec unit pg9: @@ -149,7 +158,9 @@ rspec system pg10: - .use-pg10-ee rspec-ee migration pg9: - extends: .rspec-ee-base-pg9 + extends: + - .rspec-ee-base-pg9 + - .rspec-base-migration parallel: 2 rspec-ee unit pg9: @@ -167,6 +178,7 @@ rspec-ee system pg9: rspec-ee migration pg10: extends: - .rspec-ee-base-pg10 + - .rspec-base-migration - .only-master parallel: 2 @@ -261,7 +273,7 @@ static-analysis: script: - scripts/static-analysis cache: - key: "debian-stretch-ruby-2.6.3-and-rubocop" + key: "debian-stretch-ruby-2.6-and-rubocop" paths: - vendor/ruby - tmp/rubocop_cache diff --git a/.gitlab/ci/releases.gitlab-ci.yml b/.gitlab/ci/releases.gitlab-ci.yml index d4e0236f3a8..8ca4041e6be 100644 --- a/.gitlab/ci/releases.gitlab-ci.yml +++ b/.gitlab/ci/releases.gitlab-ci.yml @@ -9,7 +9,7 @@ image: alpine:edge stage: sync before_script: - - apk add --no-cache --update curl bash + - apk add --no-cache --update curl bash jq after_script: [] script: - bash scripts/sync-stable-branch.sh diff --git a/.gitlab/ci/reports.gitlab-ci.yml b/.gitlab/ci/reports.gitlab-ci.yml index 4ff14b660b3..81cc3e7dd2f 100644 --- a/.gitlab/ci/reports.gitlab-ci.yml +++ b/.gitlab/ci/reports.gitlab-ci.yml @@ -20,7 +20,7 @@ code_quality: variables: DOCKER_DRIVER: overlay2 DOCKER_TLS_CERTDIR: "" - CODE_QUALITY_IMAGE: "registry.gitlab.com/gitlab-org/security-products/codequality:12-5-stable" + CODE_QUALITY_IMAGE: "registry.gitlab.com/gitlab-org/security-products/codequality:0.85.6" script: - | if ! docker info &>/dev/null; then 
diff --git a/.gitlab/ci/review.gitlab-ci.yml b/.gitlab/ci/review.gitlab-ci.yml index 1062f6b03a4..ad045d6c974 100644 --- a/.gitlab/ci/review.gitlab-ci.yml +++ b/.gitlab/ci/review.gitlab-ci.yml @@ -1,8 +1,34 @@ +# Make sure to update all the similar conditions in other CI config files if you modify these conditions +.if-canonical-gitlab-schedule: &if-canonical-gitlab-schedule + if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_PIPELINE_SOURCE == "schedule"' + +# Make sure to update all the similar conditions in other CI config files if you modify these conditions +.if-canonical-gitlab-merge-request: &if-canonical-gitlab-merge-request + if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_MERGE_REQUEST_IID' + +# Make sure to update all the similar patterns in other CI config files if you modify these patterns +.code-qa-patterns: &code-qa-patterns + - ".gitlab/ci/**/*" + - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}" + - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml" + - ".csscomb.json" + - "Dockerfile.assets" + - "*_VERSION" + - "Gemfile{,.lock}" + - "Rakefile" + - "{babel.config,jest.config}.js" + - "config.ru" + - "{package.json,yarn.lock}" + - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*" + - "doc/api/graphql/reference/*" # Files in this folder are auto-generated + # QA changes + - ".dockerignore" + - "qa/**/*" + .review-docker: extends: - .default-tags - .default-retry - - .default-only image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-qa-alpine services: - docker:19.03.0-dind 
@@ -15,12 +41,14 @@ GITLAB_EDITION: "ce" build-qa-image: - extends: - - .review-docker - - .only:variables-canonical-dot-com - - .except:refs-deploy - - .only:changes-code-qa + extends: .review-docker stage: prepare + rules: + - <<: *if-canonical-gitlab-merge-request + changes: *code-qa-patterns + when: on_success + - <<: *if-canonical-gitlab-schedule + when: on_success script: - '[[ ! -d "ee/" ]] || export GITLAB_EDITION="ee"' - export QA_MASTER_IMAGE="${CI_REGISTRY}/${CI_PROJECT_PATH}/gitlab/gitlab-${GITLAB_EDITION}-qa:master" @@ -90,7 +118,6 @@ schedule:review-build-cng: extends: - .default-tags - .default-retry - - .default-only image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-charts-build-base dependencies: [] variables: @@ -130,10 +157,11 @@ schedule:review-build-cng: when: always review-deploy: - extends: - - .review-deploy-base - - .only-review - - .only:changes-code-qa + extends: .review-deploy-base + rules: + - <<: *if-canonical-gitlab-merge-request + changes: *code-qa-patterns + when: on_success schedule:review-deploy: extends: 
@@ -141,43 +169,45 @@ schedule:review-deploy: - .only-review-schedules .base-review-stop: - extends: - - .review-workflow-base - - .only-review - - .only:changes-code-qa + extends: .review-workflow-base environment: action: stop variables: - GIT_STRATEGY: none + # We're cloning the repo instead of downloading the script for now + # because some repos are private and CI_JOB_TOKEN cannot access files. + # See https://gitlab.com/gitlab-org/gitlab/issues/191273 + GIT_DEPTH: 1 before_script: - # We don't clone the repo by using GIT_STRATEGY: none and only download the - # single script we need here so it's much faster than cloning. - apk add --update openssl - - wget $CI_PROJECT_URL/raw/$CI_COMMIT_SHA/scripts/review_apps/review-apps.sh - - wget $CI_PROJECT_URL/raw/$CI_COMMIT_SHA/scripts/utils.sh - - source utils.sh - - source review-apps.sh + - source ./scripts/utils.sh + - source ./scripts/review_apps/review-apps.sh review-stop-failed-deployment: extends: .base-review-stop stage: prepare + rules: + - <<: *if-canonical-gitlab-merge-request + changes: *code-qa-patterns + when: on_success script: - delete_failed_release review-stop: extends: .base-review-stop stage: review - when: manual + rules: + - <<: *if-canonical-gitlab-merge-request + changes: *code-qa-patterns + when: manual allow_failure: true script: - delete_release .review-qa-base: - extends: - - .review-docker - - .only-review - - .only:changes-code-qa + extends: .review-docker stage: qa + needs: ["review-deploy"] + dependencies: ["review-deploy"] allow_failure: true variables: QA_ARTIFACTS_DIR: "${CI_PROJECT_DIR}/qa" 
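Review bot: `.base-review-stop` moves from `GIT_STRATEGY: none` to `GIT_DEPTH: 1` so that `./scripts/utils.sh` and `./scripts/review_apps/review-apps.sh` can be sourced from the checkout, and `.review-docs` in `docs.gitlab-ci.yml` makes the same move. Environment stop jobs can run long after the merge request branch has been deleted, and the added comment explains why the wget was dropped but not whether a depth-1 fetch of `$CI_COMMIT_SHA` still succeeds in that situation; that is worth confirming on an actual branch deletion and recording next to the comment (for example `# the SHA stays fetchable after branch deletion via the pipeline ref`, if that turns out to be the case). Otherwise, sourcing the scripts from the repository instead of fetching them over `$CI_PROJECT_URL/raw/...` is the sounder pattern.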
@@ -189,13 +219,6 @@ review-stop: GITLAB_ADMIN_PASSWORD: "${REVIEW_APPS_ROOT_PASSWORD}" GITHUB_ACCESS_TOKEN: "${REVIEW_APPS_QA_GITHUB_ACCESS_TOKEN}" EE_LICENSE: "${REVIEW_APPS_EE_LICENSE}" - needs: ["review-deploy"] - dependencies: ["review-deploy"] - artifacts: - paths: - - ./qa/gitlab-qa-run-* - expire_in: 7 days - when: always before_script: - '[[ ! -d "ee/" ]] || export GITLAB_EDITION="ee"' - export QA_IMAGE="${CI_REGISTRY}/${CI_PROJECT_PATH}/gitlab/gitlab-${GITLAB_EDITION}-qa:${CI_COMMIT_REF_SLUG}" @@ -205,15 +228,27 @@ review-stop: - source scripts/utils.sh - install_api_client_dependencies_with_apk - gem install gitlab-qa --no-document ${GITLAB_QA_VERSION:+ --version ${GITLAB_QA_VERSION}} + artifacts: + paths: + - ./qa/gitlab-qa-run-* + expire_in: 7 days + when: always review-qa-smoke: extends: .review-qa-base + rules: + - <<: *if-canonical-gitlab-merge-request + changes: *code-qa-patterns + when: on_success script: - gitlab-qa Test::Instance::Smoke "${QA_IMAGE}" "${CI_ENVIRONMENT_URL}" review-qa-all: extends: .review-qa-base - when: manual + rules: + - <<: *if-canonical-gitlab-merge-request + changes: *code-qa-patterns + when: manual parallel: 5 script: - export KNAPSACK_REPORT_PATH=knapsack/master_report.json @@ -241,10 +276,11 @@ review-qa-all: performance: performance.json review-performance: - extends: - - .review-performance-base - - .only-review - - .only:changes-code-qa + extends: .review-performance-base + rules: + - <<: *if-canonical-gitlab-merge-request + changes: *code-qa-patterns + when: on_success needs: ["review-deploy"] dependencies: ["review-deploy"] before_script: diff --git a/.gitlab/ci/yaml.gitlab-ci.yml b/.gitlab/ci/yaml.gitlab-ci.yml index 323f94b6d04..4fcf940974b 100644 --- a/.gitlab/ci/yaml.gitlab-ci.yml +++ b/.gitlab/ci/yaml.gitlab-ci.yml 
@@ -10,5 +10,8 @@ lint-ci-gitlab: - "**/*.yml" image: sdesbure/yamllint:latest dependencies: [] + variables: + LINT_PATHS: .gitlab-ci.yml .gitlab/ci lib/gitlab/ci/templates changelogs script: - - yamllint .gitlab-ci.yml .gitlab/ci lib/gitlab/ci/templates changelogs + - '[[ ! -d "ee/" ]] || export LINT_PATHS="$LINT_PATHS ee/changelogs"' + - yamllint $LINT_PATHS diff --git a/.gitlab/issue_templates/Coding style proposal.md b/.gitlab/issue_templates/Coding style proposal.md index a969c9b72ee..95f0fb5f366 100644 --- a/.gitlab/issue_templates/Coding style proposal.md +++ b/.gitlab/issue_templates/Coding style proposal.md @@ -5,7 +5,7 @@ Please describe the proposal and add a link to the source (for example, http://w --> - [ ] Mention the proposal in the next backend weekly call and the #backend channel to encourage contribution -- [ ] Proceed with the proposal once 50% of the maintainers have weighed in, and 80% of the votes are :+1: +- [ ] Proceed with the proposal once 50% of the maintainers have weighed in, and 80% of their votes are :+1: - [ ] Once approved, mention it again in the next backend weekly call and the #backend channel diff --git a/.gitlab/issue_templates/Feature proposal.md b/.gitlab/issue_templates/Feature proposal.md index 2d6d03c313c..45e9c58205f 100644 --- a/.gitlab/issue_templates/Feature proposal.md +++ b/.gitlab/issue_templates/Feature proposal.md 
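Review bot: `- yamllint $LINT_PATHS` relies on unquoted word splitting to turn the space-separated `LINT_PATHS` value into several arguments, which a reader or shellcheck will otherwise flag as an unquoted variable; a comment on the `variables:` entry such as `# LINT_PATHS holds several paths and is expanded unquoted on purpose` makes the intent explicit. The `ee/` extension line reuses the `[[ ! -d "ee/" ]] ||` idiom found in the other CI files, which keeps the configuration consistent.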
@@ -6,6 +6,7 @@ <!-- Who will use this feature? If known, include any of the following: types of users (e.g. Developer), personas, or specific company roles (e.g. Release Manager). It's okay to write "Unknown" and fill this field in later. +* [Rachel (Release Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#rachel-release-manager) * [Parker (Product Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#parker-product-manager) * [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#delaney-development-team-lead) * [Sasha (Software Developer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sasha-software-developer) diff --git a/.gitlab/issue_templates/Security developer workflow.md b/.gitlab/issue_templates/Security developer workflow.md index e06a6fb0cff..1b6a1f87216 100644 --- a/.gitlab/issue_templates/Security developer workflow.md +++ b/.gitlab/issue_templates/Security developer workflow.md 
@@ -1,60 +1,59 @@ <!-- # Read me first! -Create this issue under https://dev.gitlab.org/gitlab/gitlabhq +Create this issue under https://gitlab.com/gitlab-org/security Set the title to: `Description of the original issue` --> -### Prior to starting the security release work +## Prior to starting the security release work - [ ] Read the [security process for developers] if you are not familiar with it. -- [ ] Link to the original issue adding it to the [links section](#links) -- [ ] Run `scripts/security-harness` in the CE, EE, and/or Omnibus to prevent pushing to any remote besides `dev.gitlab.org` -- [ ] Create a new branch prefixing it with `security-` -- [ ] Create a MR targeting `dev.gitlab.org` `master` -- [ ] Add a link to this issue in the original security issue on `gitlab.com`. +- [ ] Link this issue in the Security Release issue on GitLab.com. You can find this issue in the topic of the `#releases` channel. +- [ ] Add a link to the confidential `gitlab-org/gitlab` issue describing the vulnerability next to **Original issue** in the [links table](#links). +- [ ] Add a link to the confidential `gitlab-org/gitlab` Security release issue next to **Security release issue** in the [links table](#links). +- [ ] Run `scripts/security-harness` in your local repository to prevent accidentally pushing to any remote besides `gitlab.com/gitlab-org/security`. -#### Backports +## Development -- [ ] Once the MR is ready to be merged, create MRs targeting the latest 3 stable branches - - [ ] At this point, it might be easy to squash the commits from the MR into one - - You can use the script `bin/secpick` instead of the following steps, to help you cherry-picking. See the [secpick documentation] - - [ ] Create each MR targeting the stable branch `X-Y-stable`, using the "Security Release" merge request template. - - Every merge request will have its own set of TODOs, so make sure to - complete those. 
-- [ ] Make sure all MRs have a link in the [links section](#links) +- [ ] Create a new branch prefixing it with `security-`. +- [ ] Create a merge request targeting `master` on `gitlab.com/gitlab-org/security` and use the [Security Release merge request template]. +- [ ] Follow the same [code review process]: Assign to a reviewer, then to a maintainer. -[secpick documentation]: https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/developer.md#secpick-script +After your merge request has being approved according to our [approval guidelines], you're ready to prepare the backports + +## Backports -#### Documentation and final details +- [ ] Once the MR is ready to be merged, create MRs targeting the latest 3 stable branches + * At this point, it might be easy to squash the commits from the MR into one + * You can use the script `bin/secpick` instead of the following steps, to help you cherry-picking. See the [secpick documentation] +- [ ] Create each MR targeting the stable branch `X-Y-stable`, using the [Security Release merge request template]. + * Every merge request will have its own set of TODOs, so make sure to complete those. +- [ ] Make sure all MRs are linked in the [Links section](#links) + +## Documentation and final details -- [ ] Check the topic on #releases to see when the next release is going to happen and add a link to the [links section](#links) -- [ ] Add links to this issue and your MRs in the description of the security release issue +- [ ] Ensure the [Links section](#links) is completed. 
- [ ] Find out the versions affected (the Git history of the files affected may help you with this) and add them to the [details section](#details) - [ ] Fill in any upgrade notes that users may need to take into account in the [details section](#details) - [ ] Add Yes/No and further details if needed to the migration and settings columns in the [details section](#details) - [ ] Add the nickname of the external user who found the issue (and/or HackerOne profile) to the Thanks row in the [details section](#details) - [ ] Once your `master` MR is merged, comment on the original security issue with a link to that MR indicating the issue is fixed. -### Summary +## Summary -#### Links +### Links | Description | Link | | -------- | -------- | | Original issue | #TODO | | Security release issue | #TODO | | `master` MR | !TODO | -| `master` MR (EE) | !TODO | | `Backport X.Y` MR | !TODO | | `Backport X.Y` MR | !TODO | | `Backport X.Y` MR | !TODO | -| `Backport X.Y` MR (EE) | !TODO | -| `Backport X.Y` MR (EE) | !TODO | -| `Backport X.Y` MR (EE) | !TODO | -#### Details +### Details | Description | Details | Further details| | -------- | -------- | -------- | @@ -65,6 +64,9 @@ Set the title to: `Description of the original issue` | Thanks | | | [security process for developers]: https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/developer.md -[RM list]: https://about.gitlab.com/release-managers/ +[secpick documentation]: https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/developer.md#secpick-script +[security Release merge request template]: https://gitlab.com/gitlab-org/security/gitlab/blob/master/.gitlab/merge_request_templates/Security%20Release.md +[code review process]: https://docs.gitlab.com/ee/development/code_review.html +[approval guidelines]: https://docs.gitlab.com/ee/development/code_review.html#approval-guidelines /label ~security 
diff --git a/.gitlab/merge_request_templates/Database changes.md b/.gitlab/merge_request_templates/Database changes.md
deleted file mode 100644
index 89c8c7a5d07..00000000000
--- a/.gitlab/merge_request_templates/Database changes.md
+++ /dev/null
@@ -1,50 +0,0 @@
-## What does this MR do?
-
-<!--
-Describe in detail what your merge request does, why it does that, etc. Merge
-requests without an adequate description will not be reviewed until one is
-added.
-
-Please also keep this description up-to-date with any discussion that takes
-place so that reviewers can understand your intent. This is especially
-important if they didn't participate in the discussion.
-
-Make sure to remove this comment when you are done.
--->
-
-Add a description of your merge request here.
-
-## Database checklist
-
-- [ ] Conforms to the [database guides](https://docs.gitlab.com/ee/development/README.html#database-guides)
-
-When adding migrations:
-
-- [ ] Updated `db/schema.rb`
-- [ ] Added a `down` method so the migration can be reverted
-- [ ] Added the output of the migration(s) to the MR body
-- [ ] Added tests for the migration in `spec/migrations` if necessary (e.g. when migrating data)
-- [ ] Added rollback procedure. Include either a rollback procedure or description how to rollback changes
-
-When adding or modifying queries to improve performance:
-
-- [ ] Included data that shows the performance improvement, preferably in the form of a benchmark
-- [ ] Included the output of `EXPLAIN (ANALYZE, BUFFERS)` of the relevant queries
-
-When adding foreign keys to existing tables:
-
-- [ ] Included a migration to remove orphaned rows in the source table before adding the foreign key
-- [ ] Removed any instances of `dependent: ...` that may no longer be necessary
-
-When adding tables:
-
-- [ ] Ordered columns based on the [Ordering Table Columns](https://docs.gitlab.com/ee/development/ordering_table_columns.html) guidelines
-- [ ] Added foreign keys to any columns pointing to data in other tables
-- [ ] Added indexes for fields that are used in statements such as `WHERE`, `ORDER BY`, `GROUP BY`, and `JOIN`s
-
-When removing columns, tables, indexes or other structures:
-
-- [ ] Removed these in a post-deployment migration
-- [ ] Made sure the application no longer uses (or ignores) these structures
-
-/label ~database ~"database::review pending"
diff --git a/.gitlab/merge_request_templates/Security Release.md b/.gitlab/merge_request_templates/Security Release.md
index 42314f9b2dd..cccfafe397e 100644
--- a/.gitlab/merge_request_templates/Security Release.md
+++ b/.gitlab/merge_request_templates/Security Release.md
@@ -1,35 +1,37 @@ <!-- # README first! -This MR should be created on `dev.gitlab.org`. +This MR should be created on `gitlab.com/gitlab-org/security/gitlab`. See [the general developer security release guidelines](https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/developer.md). -This merge request _must not_ close the corresponding security issue _unless_ it -targets master. - -When submitting a merge request for CE, a corresponding EE merge request is -always required. This makes it easier to merge security merge requests, as -manually merging CE into EE is no longer required. - --> + ## Related issues <!-- Mention the issue(s) this MR is related to --> ## Developer checklist -- [ ] Link to the developer security workflow issue on `dev.gitlab.org` -- [ ] MR targets `master`, or `X-Y-stable` for backports -- [ ] Milestone is set for the version this MR applies to -- [ ] Title of this MR is the same as for all backports +- [ ] Link this MR in the `links` section of the related issue on [GitLab Security]. +- [ ] Merge request targets `master`, or `X-Y-stable` for backports. +- [ ] Milestone is set for the version this merge request applies to. A closed milestone can be assigned via [quick actions]. +- [ ] Title of this merge request is the same as for all backports. - [ ] A [CHANGELOG entry](https://docs.gitlab.com/ee/development/changelog.html) is added without a `merge_request` value, with `type` set to `security` -- [ ] Add a link to this MR in the `links` section of related issue -- [ ] Set up an EE MR (always required for CE merge requests): EE_MR_LINK_HERE -- [ ] Assign to a reviewer (that is not a release manager) +- [ ] Assign to a reviewer and maintainer, per our [Code Review process]. +- [ ] For the MR targeting `master`: + - [ ] Ping appsec team member who created the issue and ask for a non-blocking review with `Please review this MR`. + - [ ] Ensure it's approved according to our [Approval Guidelines]. 
+- [ ] Merge request _must not_ close the corresponding security issue, _unless_ it targets `master`. -## Reviewer checklist +**Note:** Reviewer/maintainer should not be a Release Manager +## Maintainer checklist - [ ] Correct milestone is applied and the title is matching across all backports - [ ] Assigned to `@gitlab-release-tools-bot` with passing CI pipelines /label ~security + +[GitLab Security]: https://gitlab.com/gitlab-org/security/gitlab +[approval guidelines]: https://docs.gitlab.com/ee/development/code_review.html#approval-guidelines +[Code Review process]: https://docs.gitlab.com/ee/development/code_review.html +[quick actions]: https://docs.gitlab.com/ee/user/project/quick_actions.html#quick-actions-for-issues-merge-requests-and-epics |