authorGitLab Bot <gitlab-bot@gitlab.com>2022-05-20 00:06:53 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-05-20 00:06:53 +0000
commit403cc0619ccc53a674fa7f1b9f8d7917253621b6 (patch)
treec4b3145933f9c7a6b45660384702603f67ed5992
parent8e532af369201bc67fa8c912ba97a1edb515d60e (diff)
downloadgitlab-ce-403cc0619ccc53a674fa7f1b9f8d7917253621b6.tar.gz
Add latest changes from gitlab-org/gitlab@14-10-stable-ee
-rw-r--r--app/controllers/projects/settings/ci_cd_controller.rb2
-rw-r--r--app/controllers/projects_controller.rb1
-rw-r--r--app/models/ci/build.rb2
-rw-r--r--app/models/project.rb1
-rw-r--r--app/models/project_ci_cd_setting.rb1
-rw-r--r--app/views/projects/settings/ci_cd/_form.html.haml8
-rw-r--r--db/migrate/20220507204024_add_separated_caches_option_to_project_ci_settings.rb9
-rw-r--r--db/schema_migrations/202205072040241
-rw-r--r--db/structure.sql3
-rw-r--r--doc/ci/caching/index.md22
-rw-r--r--lib/api/entities/project.rb1
-rw-r--r--locale/gitlab.pot6
-rw-r--r--spec/models/ci/build_spec.rb26
-rw-r--r--spec/requests/api/project_attributes.yml1
14 files changed, 79 insertions, 5 deletions
diff --git a/app/controllers/projects/settings/ci_cd_controller.rb b/app/controllers/projects/settings/ci_cd_controller.rb
index 3f4d26bb6ec..d49afd565f7 100644
--- a/app/controllers/projects/settings/ci_cd_controller.rb
+++ b/app/controllers/projects/settings/ci_cd_controller.rb
@@ -87,7 +87,7 @@ module Projects
def permitted_project_params
[
:runners_token, :builds_enabled, :build_allow_git_fetch,
- :build_timeout_human_readable, :build_coverage_regex, :public_builds,
+ :build_timeout_human_readable, :build_coverage_regex, :public_builds, :ci_separated_caches,
:auto_cancel_pending_pipelines, :ci_config_path, :auto_rollback_enabled,
auto_devops_attributes: [:id, :domain, :enabled, :deploy_strategy],
ci_cd_settings_attributes: [:default_git_depth, :forward_deployment_enabled]
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index 6cdfdfa9e2f..8d57b95ad87 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -451,6 +451,7 @@ class ProjectsController < Projects::ApplicationController
:initialize_with_sast,
:initialize_with_readme,
:autoclose_referenced_issues,
+ :ci_separated_caches,
:suggestion_commit_message,
:packages_enabled,
:service_desk_enabled,
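Review bot: `:ci_separated_caches` is now permitted in two controllers, here and in `permitted_project_params` of `Projects::Settings::CiCdController`, although the only form field this commit adds is in `settings/ci_cd/_form.html.haml`. The docs in this commit describe cache separation as a security feature, so each extra update path is another place where authorization has to be right. If nothing posts the attribute to `ProjectsController`, dropping it from this list keeps the flag changeable through a single path. The permit list and the checks guarding these actions lie outside the hunk, so this should be confirmed against the callers.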
diff --git a/app/models/ci/build.rb b/app/models/ci/build.rb
index a8ad55fd5a4..e8b4751a687 100644
--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -911,6 +911,8 @@ module Ci
end
end
+ return cache unless project.ci_separated_caches
+
type_suffix = pipeline.protected_ref? ? 'protected' : 'non_protected'
cache.map do |entry|
entry.merge(key: "#{entry[:key]}-#{type_suffix}")
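Review bot: The new guard `return cache unless project.ci_separated_caches` fails open. `ci_separated_caches` is delegated to `ci_cd_settings` with `allow_nil: true` (the `app/models/project.rb` hunk in this commit), so a project without a settings row, if one can exist, yields `nil` and its protected and non-protected refs then share one cache key. Because the separation is documented here as a security feature, only an explicit opt-out should skip the suffix, for example `return cache if project.ci_separated_caches == false`, with a short comment saying that a missing setting keeps the caches separated. The added spec stubs only the `false` case, so the `nil` path is not covered. The enclosing method starts and ends outside this hunk.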
diff --git a/app/models/project.rb b/app/models/project.rb
index f7182d1645c..b27f91dcdd5 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -471,6 +471,7 @@ class Project < ApplicationRecord
delegate :job_token_scope_enabled, :job_token_scope_enabled=, to: :ci_cd_settings, prefix: :ci, allow_nil: true
delegate :keep_latest_artifact, :keep_latest_artifact=, to: :ci_cd_settings, allow_nil: true
delegate :restrict_user_defined_variables, :restrict_user_defined_variables=, to: :ci_cd_settings, allow_nil: true
+ delegate :separated_caches, :separated_caches=, to: :ci_cd_settings, prefix: :ci, allow_nil: true
delegate :runner_token_expiration_interval, :runner_token_expiration_interval=, :runner_token_expiration_interval_human_readable, :runner_token_expiration_interval_human_readable=, to: :ci_cd_settings, allow_nil: true
delegate :actual_limits, :actual_plan_name, :actual_plan, to: :namespace, allow_nil: true
delegate :allow_merge_on_skipped_pipeline, :allow_merge_on_skipped_pipeline?,
diff --git a/app/models/project_ci_cd_setting.rb b/app/models/project_ci_cd_setting.rb
index 28a493cae33..bb0fdaa29a1 100644
--- a/app/models/project_ci_cd_setting.rb
+++ b/app/models/project_ci_cd_setting.rb
@@ -18,6 +18,7 @@ class ProjectCiCdSetting < ApplicationRecord
allow_nil: true
default_value_for :forward_deployment_enabled, true
+ default_value_for :separated_caches, true
chronic_duration_attr :runner_token_expiration_interval_human_readable, :runner_token_expiration_interval
diff --git a/app/views/projects/settings/ci_cd/_form.html.haml b/app/views/projects/settings/ci_cd/_form.html.haml
index 5ef56cda6d2..28aa14bf16b 100644
--- a/app/views/projects/settings/ci_cd/_form.html.haml
+++ b/app/views/projects/settings/ci_cd/_form.html.haml
@@ -1,6 +1,7 @@
- help_link_public_pipelines = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'change-which-users-can-view-your-pipelines'), target: '_blank', rel: 'noopener noreferrer'
- help_link_auto_canceling = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'auto-cancel-redundant-pipelines'), target: '_blank', rel: 'noopener noreferrer'
-- help_link_skip_outdated =link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'skip-outdated-deployment-jobs'), target: '_blank', rel: 'noopener noreferrer'
+- help_link_skip_outdated = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'skip-outdated-deployment-jobs'), target: '_blank', rel: 'noopener noreferrer'
+- help_link_separated_caches = link_to sprite_icon('question-o'), help_page_path('ci/caching/index', anchor: 'cache-key-names'), target: '_blank', rel: 'noopener noreferrer'
.row.gl-mt-3
.col-lg-12
@@ -25,6 +26,11 @@
help_text: (_('When a deployment job is successful, skip older deployment jobs that are still pending.') + ' ' + help_link_skip_outdated).html_safe
.form-group
+ = f.gitlab_ui_checkbox_component :ci_separated_caches,
+ s_("CICD|Use separate caches for protected branches"),
+ help_text: (s_('CICD|Unprotected branches will not have access to the cache from protected branches.') + ' ' + help_link_separated_caches).html_safe
+
+ .form-group
= f.label :ci_config_path, _('CI/CD configuration file'), class: 'label-bold'
= f.text_field :ci_config_path, class: 'form-control', placeholder: '.gitlab-ci.yml'
%p.form-text.text-muted
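Review bot: The `help_text:` of the new checkbox calls `.html_safe` on the whole concatenation, which marks the translated `s_('CICD|…')` string as trusted HTML along with the link, so markup arriving through a translation would be rendered unescaped. Only the `link_to` result needs to stay unescaped; `help_text: safe_join([s_('CICD|Unprotected branches will not have access to the cache from protected branches.'), help_link_separated_caches], ' ')` escapes the text and keeps the link. The context line above does the same for `help_link_skip_outdated`, so this follows the file's existing pattern and could be fixed for both together.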
diff --git a/db/migrate/20220507204024_add_separated_caches_option_to_project_ci_settings.rb b/db/migrate/20220507204024_add_separated_caches_option_to_project_ci_settings.rb
new file mode 100644
index 00000000000..39daf9fe296
--- /dev/null
+++ b/db/migrate/20220507204024_add_separated_caches_option_to_project_ci_settings.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class AddSeparatedCachesOptionToProjectCiSettings < Gitlab::Database::Migration[2.0]
+ enable_lock_retries!
+
+ def change
+ add_column :project_ci_cd_settings, :separated_caches, :boolean, default: true, null: false
+ end
+end
diff --git a/db/schema_migrations/20220507204024 b/db/schema_migrations/20220507204024
new file mode 100644
index 00000000000..510badf30ea
--- /dev/null
+++ b/db/schema_migrations/20220507204024
@@ -0,0 +1 @@
+8014dcf24ac2f1171240daa349e0552cb313b06f756b84e09a16d76a8810132a \ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index c226da842c3..eaae14bebb8 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -19054,7 +19054,8 @@ CREATE TABLE project_ci_cd_settings (
keep_latest_artifact boolean DEFAULT true NOT NULL,
restrict_user_defined_variables boolean DEFAULT false NOT NULL,
job_token_scope_enabled boolean DEFAULT false NOT NULL,
- runner_token_expiration_interval integer
+ runner_token_expiration_interval integer,
+ separated_caches boolean DEFAULT true NOT NULL
);
CREATE SEQUENCE project_ci_cd_settings_id_seq
diff --git a/doc/ci/caching/index.md b/doc/ci/caching/index.md
index 777bbf6053f..bb4e7aecd08 100644
--- a/doc/ci/caching/index.md
+++ b/doc/ci/caching/index.md
@@ -31,7 +31,7 @@ can't link to files outside it.
- Subsequent pipelines can use the cache.
- Subsequent jobs in the same pipeline can use the cache, if the dependencies are identical.
- Different projects cannot share the cache.
-- Protected and non-protected branches do not share the cache.
+- By default, protected and non-protected branches [do not share the cache](#cache-key-names). However, you can [change this behavior](#use-the-same-cache-for-all-branches).
### Artifacts
@@ -447,7 +447,7 @@ is stored on the machine where GitLab Runner is installed. The location also dep
If you use cache and artifacts to store the same path in your jobs, the cache might
be overwritten because caches are restored before artifacts.
-### Segregation of caches between protected and non-protected branches
+#### Cache key names
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/330047) in GitLab 15.0.
@@ -463,6 +463,24 @@ and `feature`, then the following table represents the resulting cache keys:
| `main` | `main-protected` |
| `feature` | `feature-non_protected` |
+##### Use the same cache for all branches
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/361643) in GitLab 15.0.
+
+If you do not want to use [cache key names](#cache-key-names),
+you can have all branches (protected and unprotected) use the same cache.
+
+The cache separation with [cache key names](#cache-key-names) is a security feature
+and should only be disabled in an environment where all users with Developer role are highly trusted.
+
+To use the same cache for all branches:
+
+1. On the top bar, select **Menu > Projects** and find your project.
+1. On the left sidebar, select **Settings > CI/CD**.
+1. Expand **General pipelines**.
+1. Clear the **Use separate caches for protected branches** checkbox.
+1. Select **Save changes**.
+
### How archiving and extracting works
This example shows two jobs in two consecutive stages:
diff --git a/lib/api/entities/project.rb b/lib/api/entities/project.rb
index 60cc5167c41..7fec4bf5276 100644
--- a/lib/api/entities/project.rb
+++ b/lib/api/entities/project.rb
@@ -99,6 +99,7 @@ module API
expose :ci_default_git_depth
expose :ci_forward_deployment_enabled
expose :ci_job_token_scope_enabled
+ expose :ci_separated_caches
expose :public_builds, as: :public_jobs
expose :build_git_strategy, if: lambda { |project, options| options[:user_can_admin_project] } do |project, options|
project.build_allow_git_fetch ? 'fetch' : 'clone'
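Review bot: `expose :ci_separated_caches` carries no `if:` condition in the visible lines, whereas `build_git_strategy` two lines below is limited to `options[:user_can_admin_project]`. The value tells any reader of this entity whether the project has turned off a control that the docs in this commit call a security feature. Unless an enclosing block outside the hunk already restricts these `ci_*` fields, consider `expose :ci_separated_caches, if: lambda { |project, options| options[:user_can_admin_project] }`, or document why the setting is meant to be readable by everyone who can see the project.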
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index fa3357c723f..edad17df272 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -6660,6 +6660,12 @@ msgstr ""
msgid "CICD|The Auto DevOps pipeline runs if no alternative CI configuration file is found."
msgstr ""
+msgid "CICD|Unprotected branches will not have access to the cache from protected branches."
+msgstr ""
+
+msgid "CICD|Use separate caches for protected branches"
+msgstr ""
+
msgid "CICD|group enabled"
msgstr ""
diff --git a/spec/models/ci/build_spec.rb b/spec/models/ci/build_spec.rb
index 12e65974270..e37221bc1c7 100644
--- a/spec/models/ci/build_spec.rb
+++ b/spec/models/ci/build_spec.rb
@@ -1069,6 +1069,32 @@ RSpec.describe Ci::Build do
is_expected.to all(a_hash_including(key: a_string_matching(/-non_protected$/)))
end
end
+
+ context 'when separated caches are disabled' do
+ before do
+ allow_any_instance_of(Project).to receive(:ci_separated_caches).and_return(false)
+ end
+
+ context 'running on protected ref' do
+ before do
+ allow(build.pipeline).to receive(:protected_ref?).and_return(true)
+ end
+
+ it 'is expected to have no type suffix' do
+ is_expected.to match([a_hash_including(key: 'key-1'), a_hash_including(key: 'key2-1')])
+ end
+ end
+
+ context 'running on not protected ref' do
+ before do
+ allow(build.pipeline).to receive(:protected_ref?).and_return(false)
+ end
+
+ it 'is expected to have no type suffix' do
+ is_expected.to match([a_hash_including(key: 'key-1'), a_hash_including(key: 'key2-1')])
+ end
+ end
+ end
end
context 'when project has jobs_cache_index' do
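Review bot: The new context stubs the setting with `allow_any_instance_of(Project).to receive(:ci_separated_caches).and_return(false)`, so the real delegate to `ci_cd_settings` and its default are never exercised. Setting the attribute on the record under test, for example `build.project.update!(ci_separated_caches: false)`, would also cover the delegation and avoid stubbing every `Project` instance. A case where the setting is missing (`nil`) is worth adding as well, because the guard in `Ci::Build` currently treats `nil` the same as `false`.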
diff --git a/spec/requests/api/project_attributes.yml b/spec/requests/api/project_attributes.yml
index fbcaa404edb..eb6f81c2810 100644
--- a/spec/requests/api/project_attributes.yml
+++ b/spec/requests/api/project_attributes.yml
@@ -99,6 +99,7 @@ ci_cd_settings:
default_git_depth: ci_default_git_depth
forward_deployment_enabled: ci_forward_deployment_enabled
job_token_scope_enabled: ci_job_token_scope_enabled
+ separated_caches: ci_separated_caches
build_import_state: # import_state
unexposed_attributes: