Merge remote-tracking branch 'upstream/master' into rename-builds-controller

* upstream/master: (63 commits)
  Update docs related to protected actions
  Add changelog for protected branches abilities fix
  Ask for an example project for bug reports
  Center loading spinner in issuable filters
  Fix chat commands specs related to protected actions
  Fix builds controller specs related to protected actions
  Fix pipeline retry specs related to protected actions
  Fix environment model specs related to protected actions
  Fix build factory specs related to protected actions
  Fix job play service specs related to protected actions
  Fix play status specs related to protected actions
  Fix deploy chat command specs for protected actions
  Fix environment specs related to protected actions
  Fix pipeline processing specs related to protected actions
  Fix build entity specs related to protected actions
  Check only a merge ability for protected actions
  Add tag_list param to project api
  Allow PostReceivePack to be enabled with Gitaly
  Remove some deprecated methods
  Add :owned param to ProjectFinder
  ...

19 files changed, 475 insertions, 59 deletions

diff --git a/spec/controllers/projects/jobs_controller_spec.rb b/spec/controllers/projects/jobs_controller_spec.rb
index d011ce70244..838bdae1445 100644
--- a/spec/controllers/projects/jobs_controller_spec.rb
+++ b/spec/controllers/projects/jobs_controller_spec.rb
@@ -234,7 +234,11 @@ describe Projects::JobsController do
 
   describe 'POST play' do
     before do
-      project.add_master(user)
+      project.add_developer(user)
+
+      create(:protected_branch, :developers_can_merge,
+             name: 'master', project: project)
+
       sign_in(user)
 
       post_play
diff --git a/spec/features/projects/environments/environment_spec.rb b/spec/features/projects/environments/environment_spec.rb
index 86ce50c976f..18b608c863e 100644
--- a/spec/features/projects/environments/environment_spec.rb
+++ b/spec/features/projects/environments/environment_spec.rb
@@ -12,6 +12,7 @@ feature 'Environment', :feature do
 
   feature 'environment details page' do
     given!(:environment) { create(:environment, project: project) }
+    given!(:permissions) { }
     given!(:deployment) { }
     given!(:action) { }
 
@@ -62,20 +63,31 @@ feature 'Environment', :feature do
                                        name: 'deploy to production')
           end
 
-          given(:role) { :master }
+          context 'when user has ability to trigger deployment' do
+            given(:permissions) do
+              create(:protected_branch, :developers_can_merge,
+                     name: action.ref, project: project)
+            end
 
-          scenario 'does show a play button' do
-            expect(page).to have_link(action.name.humanize)
-          end
+            it 'does show a play button' do
+              expect(page).to have_link(action.name.humanize)
+            end
+
+            it 'does allow to play manual action' do
+              expect(action).to be_manual
 
-          scenario 'does allow to play manual action' do
-            expect(action).to be_manual
+              expect { click_link(action.name.humanize) }
+                .not_to change { Ci::Pipeline.count }
 
-            expect { click_link(action.name.humanize) }
-              .not_to change { Ci::Pipeline.count }
+              expect(page).to have_content(action.name)
+              expect(action.reload).to be_pending
+            end
+          end
 
-            expect(page).to have_content(action.name)
-            expect(action.reload).to be_pending
+          context 'when user has no ability to trigger a deployment' do
+            it 'does not show a play button' do
+              expect(page).not_to have_link(action.name.humanize)
+            end
           end
 
           context 'with external_url' do
@@ -134,12 +146,23 @@ feature 'Environment', :feature do
                                     on_stop: 'close_app')
               end
 
-              given(:role) { :master }
+              context 'when user has ability to stop environment' do
+                given(:permissions) do
+                  create(:protected_branch, :developers_can_merge,
+                         name: action.ref, project: project)
+                end
 
-              scenario 'does allow to stop environment' do
-                click_link('Stop')
+                it 'allows to stop environment' do
+                  click_link('Stop')
 
-                expect(page).to have_content('close_app')
+                  expect(page).to have_content('close_app')
+                end
+              end
+
+              context 'when user has no ability to stop environment' do
+                it 'does not allow to stop environment' do
+                  expect(page).to have_no_link('Stop')
+                end
               end
 
               context 'for reporter' do
@@ -150,12 +173,6 @@ feature 'Environment', :feature do
                 end
               end
             end
-
-            context 'without stop action' do
-              scenario 'does allow to stop environment' do
-                click_link('Stop')
-              end
-            end
           end
 
           context 'when environment is stopped' do
diff --git a/spec/finders/projects_finder_spec.rb b/spec/finders/projects_finder_spec.rb
index 148adcffe3b..03d98459e8c 100644
--- a/spec/finders/projects_finder_spec.rb
+++ b/spec/finders/projects_finder_spec.rb
@@ -137,6 +137,13 @@ describe ProjectsFinder do
       it { is_expected.to eq([public_project]) }
     end
 
+    describe 'filter by owned' do
+      let(:params) { { owned: true } }
+      let!(:owned_project) { create(:empty_project, :private, namespace: current_user.namespace) }
+
+      it { is_expected.to eq([owned_project]) }
+    end
+
     describe 'filter by non_public' do
       let(:params) { { non_public: true } }
       before do
@@ -146,13 +153,19 @@ describe ProjectsFinder do
       it { is_expected.to eq([private_project]) }
     end
 
-    describe 'filter by viewable_starred_projects' do
+    describe 'filter by starred' do
       let(:params) { { starred: true } }
       before do
         current_user.toggle_star(public_project)
       end
 
       it { is_expected.to eq([public_project]) }
+
+      it 'returns only projects the user has access to' do
+        current_user.toggle_star(private_project)
+
+        is_expected.to eq([public_project])
+      end
     end
 
     describe 'sorting' do
diff --git a/spec/fixtures/api/schemas/pipeline_schedule.json b/spec/fixtures/api/schemas/pipeline_schedule.json
new file mode 100644
index 00000000000..f6346bd0fb6
--- /dev/null
+++ b/spec/fixtures/api/schemas/pipeline_schedule.json
@@ -0,0 +1,41 @@
+{
+  "type": "object",
+  "properties" : {
+    "id": { "type": "integer" },
+    "description": { "type": "string" },
+    "ref": { "type": "string" },
+    "cron": { "type": "string" },
+    "cron_timezone": { "type": "string" },
+    "next_run_at": { "type": "date" },
+    "active": { "type": "boolean" },
+    "created_at": { "type": "date" },
+    "updated_at": { "type": "date" },
+    "last_pipeline": { 
+      "type": ["object", "null"],
+      "properties": {
+        "id": { "type": "integer" },
+        "sha": { "type": "string" },
+        "ref": { "type": "string" },
+        "status": { "type": "string" }
+      },
+      "additionalProperties": false
+    },
+    "owner": {
+      "type": "object",
+      "properties": {
+        "name": { "type": "string" },
+        "username": { "type": "string" },
+        "id": { "type": "integer" },
+        "state": { "type": "string" },
+        "avatar_url": { "type": "uri" },
+        "web_url": { "type": "uri" }
+      },
+      "additionalProperties": false
+    }
+  },
+  "required": [
+    "id", "description", "ref", "cron", "cron_timezone", "next_run_at", 
+    "active", "created_at", "updated_at", "owner"
+  ],
+  "additionalProperties": false
+}
diff --git a/spec/fixtures/api/schemas/pipeline_schedules.json b/spec/fixtures/api/schemas/pipeline_schedules.json
new file mode 100644
index 00000000000..173a28d2505
--- /dev/null
+++ b/spec/fixtures/api/schemas/pipeline_schedules.json
@@ -0,0 +1,4 @@
+{
+  "type": "array",
+  "items": { "$ref": "pipeline_schedule.json" }
+}
diff --git a/spec/lib/gitlab/chat_commands/command_spec.rb b/spec/lib/gitlab/chat_commands/command_spec.rb
index eb4f06b371c..13e6953147b 100644
--- a/spec/lib/gitlab/chat_commands/command_spec.rb
+++ b/spec/lib/gitlab/chat_commands/command_spec.rb
@@ -58,9 +58,12 @@ describe Gitlab::ChatCommands::Command, service: true do
         end
       end
 
-      context 'and user does have deployment permission' do
+      context 'and user has deployment permission' do
         before do
-          build.project.add_master(user)
+          build.project.add_developer(user)
+
+          create(:protected_branch, :developers_can_merge,
+                 name: build.ref, project: project)
         end
 
         it 'returns action' do
diff --git a/spec/lib/gitlab/chat_commands/deploy_spec.rb b/spec/lib/gitlab/chat_commands/deploy_spec.rb
index b33389d959e..46dbdeae37c 100644
--- a/spec/lib/gitlab/chat_commands/deploy_spec.rb
+++ b/spec/lib/gitlab/chat_commands/deploy_spec.rb
@@ -7,7 +7,12 @@ describe Gitlab::ChatCommands::Deploy, service: true do
     let(:regex_match) { described_class.match('deploy staging to production') }
 
     before do
-      project.add_master(user)
+      # Make it possible to trigger protected manual actions for developers.
+      #
+      project.add_developer(user)
+
+      create(:protected_branch, :developers_can_merge,
+             name: 'master', project: project)
     end
 
     subject do
diff --git a/spec/lib/gitlab/ci/status/build/factory_spec.rb b/spec/lib/gitlab/ci/status/build/factory_spec.rb
index 185bb9098da..3f30b2c38f2 100644
--- a/spec/lib/gitlab/ci/status/build/factory_spec.rb
+++ b/spec/lib/gitlab/ci/status/build/factory_spec.rb
@@ -224,7 +224,10 @@ describe Gitlab::Ci::Status::Build::Factory do
 
       context 'when user has ability to play action' do
         before do
-          build.project.add_master(user)
+          project.add_developer(user)
+
+          create(:protected_branch, :developers_can_merge,
+                 name: build.ref, project: project)
         end
 
         it 'fabricates status that has action' do
diff --git a/spec/lib/gitlab/ci/status/build/play_spec.rb b/spec/lib/gitlab/ci/status/build/play_spec.rb
index f5d0f977768..0e15a5f3c6b 100644
--- a/spec/lib/gitlab/ci/status/build/play_spec.rb
+++ b/spec/lib/gitlab/ci/status/build/play_spec.rb
@@ -2,6 +2,7 @@ require 'spec_helper'
 
 describe Gitlab::Ci::Status::Build::Play do
   let(:user) { create(:user) }
+  let(:project) { build.project }
   let(:build) { create(:ci_build, :manual) }
   let(:status) { Gitlab::Ci::Status::Core.new(build, user) }
 
@@ -15,8 +16,13 @@ describe Gitlab::Ci::Status::Build::Play do
 
   describe '#has_action?' do
     context 'when user is allowed to update build' do
-      context 'when user can push to branch' do
-        before { build.project.add_master(user) }
+      context 'when user is allowed to trigger protected action' do
+        before do
+          project.add_developer(user)
+
+          create(:protected_branch, :developers_can_merge,
+                 name: build.ref, project: project)
+        end
 
         it { is_expected.to have_action }
       end
diff --git a/spec/lib/gitlab/workhorse_spec.rb b/spec/lib/gitlab/workhorse_spec.rb
index fdbb55fc874..b1999409170 100644
--- a/spec/lib/gitlab/workhorse_spec.rb
+++ b/spec/lib/gitlab/workhorse_spec.rb
@@ -244,7 +244,7 @@ describe Gitlab::Workhorse, lib: true do
       context "when git_receive_pack action is passed" do
         let(:action) { 'git_receive_pack' }
 
-        it { expect(subject).not_to include(gitaly_params) }
+        it { expect(subject).to include(gitaly_params) }
       end
 
       context "when info_refs action is passed" do
diff --git a/spec/models/environment_spec.rb b/spec/models/environment_spec.rb
index 12519de8636..9fbe19b04d5 100644
--- a/spec/models/environment_spec.rb
+++ b/spec/models/environment_spec.rb
@@ -227,7 +227,10 @@ describe Environment, models: true do
 
       context 'when user is allowed to stop environment' do
         before do
-          project.add_master(user)
+          project.add_developer(user)
+
+          create(:protected_branch, :developers_can_merge,
+                 name: 'master', project: project)
         end
 
         context 'when action did not yet finish' do
diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb
index 2ef3d5654d5..da1b29a2bda 100644
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -948,6 +948,20 @@ describe Project, models: true do
     end
   end
 
+  describe '.starred_by' do
+    it 'returns only projects starred by the given user' do
+      user1 = create(:user)
+      user2 = create(:user)
+      project1 = create(:empty_project)
+      project2 = create(:empty_project)
+      create(:empty_project)
+      user1.toggle_star(project1)
+      user2.toggle_star(project2)
+
+      expect(Project.starred_by(user1)).to contain_exactly(project1)
+    end
+  end
+
   describe '.visible_to_user' do
     let!(:project) { create(:empty_project, :private) }
     let!(:user)    { create(:user) }
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 9edf34b05ad..fe9df3360ff 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -1496,25 +1496,6 @@ describe User, models: true do
     end
   end
 
-  describe '#viewable_starred_projects' do
-    let(:user) { create(:user) }
-    let(:public_project) { create(:empty_project, :public) }
-    let(:private_project) { create(:empty_project, :private) }
-    let(:private_viewable_project) { create(:empty_project, :private) }
-
-    before do
-      private_viewable_project.team << [user, Gitlab::Access::MASTER]
-
-      [public_project, private_project, private_viewable_project].each do |project|
-        user.toggle_star(project)
-      end
-    end
-
-    it 'returns only starred projects the user can view' do
-      expect(user.viewable_starred_projects).not_to include(private_project)
-    end
-  end
-
   describe '#projects_with_reporter_access_limited_to' do
     let(:project1) { create(:empty_project) }
     let(:project2) { create(:empty_project) }
diff --git a/spec/requests/api/pipeline_schedules_spec.rb b/spec/requests/api/pipeline_schedules_spec.rb
new file mode 100644
index 00000000000..85d11deb26f
--- /dev/null
+++ b/spec/requests/api/pipeline_schedules_spec.rb
@@ -0,0 +1,297 @@
+require 'spec_helper'
+
+describe API::PipelineSchedules do
+  set(:developer) { create(:user) }
+  set(:user) { create(:user) }
+  set(:project) { create(:project) }
+
+  before do
+    project.add_developer(developer)
+  end
+
+  describe 'GET /projects/:id/pipeline_schedules' do
+    context 'authenticated user with valid permissions' do
+      let(:pipeline_schedule) { create(:ci_pipeline_schedule, project: project, owner: developer) }
+
+      before do
+        pipeline_schedule.pipelines << build(:ci_pipeline, project: project)
+      end
+
+      it 'returns list of pipeline_schedules' do
+        get api("/projects/#{project.id}/pipeline_schedules", developer)
+
+        expect(response).to have_http_status(:ok)
+        expect(response).to include_pagination_headers
+        expect(response).to match_response_schema('pipeline_schedules')
+      end
+
+      it 'avoids N + 1 queries' do
+        control_count = ActiveRecord::QueryRecorder.new do
+          get api("/projects/#{project.id}/pipeline_schedules", developer)
+        end.count
+
+        create_list(:ci_pipeline_schedule, 10, project: project)
+          .each do |pipeline_schedule|
+          create(:user).tap do |user|
+            project.add_developer(user)
+            pipeline_schedule.update_attributes(owner: user)
+          end
+          pipeline_schedule.pipelines << build(:ci_pipeline, project: project)
+        end
+
+        expect do
+          get api("/projects/#{project.id}/pipeline_schedules", developer)
+        end.not_to exceed_query_limit(control_count)
+      end
+
+      %w[active inactive].each do |target|
+        context "when scope is #{target}" do
+          before do
+            create(:ci_pipeline_schedule, project: project, active: active?(target))
+          end
+
+          it 'returns matched pipeline schedules' do
+            get api("/projects/#{project.id}/pipeline_schedules", developer), scope: target
+
+            expect(json_response.map{ |r| r['active'] }).to all(eq(active?(target)))
+          end
+        end
+
+        def active?(str)
+          (str == 'active') ? true : false
+        end
+      end
+    end
+
+    context 'authenticated user with invalid permissions' do
+      it 'does not return pipeline_schedules list' do
+        get api("/projects/#{project.id}/pipeline_schedules", user)
+
+        expect(response).to have_http_status(:not_found)
+      end
+    end
+
+    context 'unauthenticated user' do
+      it 'does not return pipeline_schedules list' do
+        get api("/projects/#{project.id}/pipeline_schedules")
+
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
+  end
+
+  describe 'GET /projects/:id/pipeline_schedules/:pipeline_schedule_id' do
+    let(:pipeline_schedule) { create(:ci_pipeline_schedule, project: project, owner: developer) }
+
+    before do
+      pipeline_schedule.pipelines << build(:ci_pipeline, project: project)
+    end
+
+    context 'authenticated user with valid permissions' do
+      it 'returns pipeline_schedule details' do
+        get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", developer)
+
+        expect(response).to have_http_status(:ok)
+        expect(response).to match_response_schema('pipeline_schedule')
+      end
+
+      it 'responds with 404 Not Found if requesting non-existing pipeline_schedule' do
+        get api("/projects/#{project.id}/pipeline_schedules/-5", developer)
+
+        expect(response).to have_http_status(:not_found)
+      end
+    end
+
+    context 'authenticated user with invalid permissions' do
+      it 'does not return pipeline_schedules list' do
+        get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", user)
+
+        expect(response).to have_http_status(:not_found)
+      end
+    end
+
+    context 'unauthenticated user' do
+      it 'does not return pipeline_schedules list' do
+        get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}")
+
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
+  end
+
+  describe 'POST /projects/:id/pipeline_schedules' do
+    let(:params) { attributes_for(:ci_pipeline_schedule) }
+
+    context 'authenticated user with valid permissions' do
+      context 'with required parameters' do
+        it 'creates pipeline_schedule' do
+          expect do
+            post api("/projects/#{project.id}/pipeline_schedules", developer),
+              params
+          end.to change { project.pipeline_schedules.count }.by(1)
+
+          expect(response).to have_http_status(:created)
+          expect(response).to match_response_schema('pipeline_schedule')
+          expect(json_response['description']).to eq(params[:description])
+          expect(json_response['ref']).to eq(params[:ref])
+          expect(json_response['cron']).to eq(params[:cron])
+          expect(json_response['cron_timezone']).to eq(params[:cron_timezone])
+          expect(json_response['owner']['id']).to eq(developer.id)
+        end
+      end
+
+      context 'without required parameters' do
+        it 'does not create pipeline_schedule' do
+          post api("/projects/#{project.id}/pipeline_schedules", developer)
+
+          expect(response).to have_http_status(:bad_request)
+        end
+      end
+
+      context 'when cron has validation error' do
+        it 'does not create pipeline_schedule' do
+          post api("/projects/#{project.id}/pipeline_schedules", developer),
+            params.merge('cron' => 'invalid-cron')
+
+          expect(response).to have_http_status(:bad_request)
+          expect(json_response['message']).to have_key('cron')
+        end
+      end
+    end
+
+    context 'authenticated user with invalid permissions' do
+      it 'does not create pipeline_schedule' do
+        post api("/projects/#{project.id}/pipeline_schedules", user), params
+
+        expect(response).to have_http_status(:not_found)
+      end
+    end
+
+    context 'unauthenticated user' do
+      it 'does not create pipeline_schedule' do
+        post api("/projects/#{project.id}/pipeline_schedules"), params
+
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
+  end
+
+  describe 'PUT /projects/:id/pipeline_schedules/:pipeline_schedule_id' do
+    let(:pipeline_schedule) do
+      create(:ci_pipeline_schedule, project: project, owner: developer)
+    end
+
+    context 'authenticated user with valid permissions' do
+      it 'updates cron' do
+        put api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", developer),
+          cron: '1 2 3 4 *'
+
+        expect(response).to have_http_status(:ok)
+        expect(response).to match_response_schema('pipeline_schedule')
+        expect(json_response['cron']).to eq('1 2 3 4 *')
+      end
+
+      context 'when cron has validation error' do
+        it 'does not update pipeline_schedule' do
+          put api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", developer),
+            cron: 'invalid-cron'
+
+          expect(response).to have_http_status(:bad_request)
+          expect(json_response['message']).to have_key('cron')
+        end
+      end
+    end
+
+    context 'authenticated user with invalid permissions' do
+      it 'does not update pipeline_schedule' do
+        put api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", user)
+
+        expect(response).to have_http_status(:not_found)
+      end
+    end
+
+    context 'unauthenticated user' do
+      it 'does not update pipeline_schedule' do
+        put api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}")
+
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
+  end
+
+  describe 'POST /projects/:id/pipeline_schedules/:pipeline_schedule_id/take_ownership' do
+    let(:pipeline_schedule) do
+      create(:ci_pipeline_schedule, project: project, owner: developer)
+    end
+
+    context 'authenticated user with valid permissions' do
+      it 'updates owner' do
+        post api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}/take_ownership", developer)
+
+        expect(response).to have_http_status(:created)
+        expect(response).to match_response_schema('pipeline_schedule')
+      end
+    end
+
+    context 'authenticated user with invalid permissions' do
+      it 'does not update owner' do
+        post api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}/take_ownership", user)
+
+        expect(response).to have_http_status(:not_found)
+      end
+    end
+
+    context 'unauthenticated user' do
+      it 'does not update owner' do
+        post api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}/take_ownership")
+
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
+  end
+
+  describe 'DELETE /projects/:id/pipeline_schedules/:pipeline_schedule_id' do
+    let(:master) { create(:user) }
+
+    let!(:pipeline_schedule) do
+      create(:ci_pipeline_schedule, project: project, owner: developer)
+    end
+
+    before do
+      project.add_master(master)
+    end
+
+    context 'authenticated user with valid permissions' do
+      it 'deletes pipeline_schedule' do
+        expect do
+          delete api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", master)
+        end.to change { project.pipeline_schedules.count }.by(-1)
+
+        expect(response).to have_http_status(:accepted)
+        expect(response).to match_response_schema('pipeline_schedule')
+      end
+
+      it 'responds with 404 Not Found if requesting non-existing pipeline_schedule' do
+        delete api("/projects/#{project.id}/pipeline_schedules/-5", master)
+
+        expect(response).to have_http_status(:not_found)
+      end
+    end
+
+    context 'authenticated user with invalid permissions' do
+      it 'does not delete pipeline_schedule' do
+        delete api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", developer)
+
+        expect(response).to have_http_status(:forbidden)
+      end
+    end
+
+    context 'unauthenticated user' do
+      it 'does not delete pipeline_schedule' do
+        delete api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}")
+
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
+  end
+end
diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index f95a287a184..3d98551628b 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -390,6 +390,14 @@ describe API::Projects do
       expect(json_response['visibility']).to eq('private')
     end
 
+    it 'sets tag list to a project' do
+      project = attributes_for(:project, tag_list: %w[tagFirst tagSecond])
+
+      post api('/projects', user), project
+
+      expect(json_response['tag_list']).to eq(%w[tagFirst tagSecond])
+    end
+
     it 'sets a project as allowing merge even if build fails' do
       project = attributes_for(:project, { only_allow_merge_if_pipeline_succeeds: false })
       post api('/projects', user), project
diff --git a/spec/serializers/build_entity_spec.rb b/spec/serializers/build_entity_spec.rb
index b5eb84ae43b..6d5e1046e86 100644
--- a/spec/serializers/build_entity_spec.rb
+++ b/spec/serializers/build_entity_spec.rb
@@ -3,6 +3,7 @@ require 'spec_helper'
 describe BuildEntity do
   let(:user) { create(:user) }
   let(:build) { create(:ci_build) }
+  let(:project) { build.project }
   let(:request) { double('request') }
 
   before do
@@ -52,7 +53,10 @@ describe BuildEntity do
 
     context 'when user is allowed to trigger action' do
       before do
-        build.project.add_master(user)
+        project.add_developer(user)
+
+        create(:protected_branch, :developers_can_merge,
+               name: 'master', project: project)
       end
 
       it 'contains path to play action' do
diff --git a/spec/services/ci/play_build_service_spec.rb b/spec/services/ci/play_build_service_spec.rb
index d6f9fa42045..ea211de1f82 100644
--- a/spec/services/ci/play_build_service_spec.rb
+++ b/spec/services/ci/play_build_service_spec.rb
@@ -13,8 +13,11 @@ describe Ci::PlayBuildService, '#execute', :services do
   context 'when project does not have repository yet' do
     let(:project) { create(:empty_project) }
 
-    it 'allows user with master role to play build' do
-      project.add_master(user)
+    it 'allows user to play build if protected branch rules are met' do
+      project.add_developer(user)
+
+      create(:protected_branch, :developers_can_merge,
+             name: build.ref, project: project)
 
       service.execute(build)
 
@@ -45,7 +48,10 @@ describe Ci::PlayBuildService, '#execute', :services do
     let(:build) { create(:ci_build, :manual, pipeline: pipeline) }
 
     before do
-      project.add_master(user)
+      project.add_developer(user)
+
+      create(:protected_branch, :developers_can_merge,
+             name: build.ref, project: project)
     end
 
     it 'enqueues the build' do
@@ -64,7 +70,10 @@ describe Ci::PlayBuildService, '#execute', :services do
     let(:build) { create(:ci_build, when: :manual, pipeline: pipeline) }
 
     before do
-      project.add_master(user)
+      project.add_developer(user)
+
+      create(:protected_branch, :developers_can_merge,
+             name: build.ref, project: project)
     end
 
     it 'duplicates the build' do
diff --git a/spec/services/ci/process_pipeline_service_spec.rb b/spec/services/ci/process_pipeline_service_spec.rb
index fc5de5d069a..1557cb3c938 100644
--- a/spec/services/ci/process_pipeline_service_spec.rb
+++ b/spec/services/ci/process_pipeline_service_spec.rb
@@ -333,10 +333,11 @@ describe Ci::ProcessPipelineService, '#execute', :services do
 
     context 'when pipeline is promoted sequentially up to the end' do
       before do
-        # We are using create(:empty_project), and users has to be master in
-        # order to execute manual action when repository does not exist.
+        # Users need ability to merge into a branch in order to trigger
+        # protected manual actions.
         #
-        project.add_master(user)
+        create(:protected_branch, :developers_can_merge,
+               name: 'master', project: project)
       end
 
       it 'properly processes entire pipeline' do
diff --git a/spec/services/ci/retry_pipeline_service_spec.rb b/spec/services/ci/retry_pipeline_service_spec.rb
index d941d56c0d8..3e860203063 100644
--- a/spec/services/ci/retry_pipeline_service_spec.rb
+++ b/spec/services/ci/retry_pipeline_service_spec.rb
@@ -6,9 +6,12 @@ describe Ci::RetryPipelineService, '#execute', :services do
   let(:pipeline) { create(:ci_pipeline, project: project) }
   let(:service) { described_class.new(project, user) }
 
-  context 'when user has ability to modify pipeline' do
+  context 'when user has full ability to modify pipeline' do
     before do
-      project.add_master(user)
+      project.add_developer(user)
+
+      create(:protected_branch, :developers_can_merge,
+             name: pipeline.ref, project: project)
     end
 
     context 'when there are already retried jobs present' do