authorGitLab Bot <gitlab-bot@gitlab.com>2022-04-20 10:00:54 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-04-20 10:00:54 +0000
commit3cccd102ba543e02725d247893729e5c73b38295 (patch)
treef36a04ec38517f5deaaacb5acc7d949688d1e187 /tooling
parent205943281328046ef7b4528031b90fbda70c75ac (diff)
downloadgitlab-ce-3cccd102ba543e02725d247893729e5c73b38295.tar.gz
Add latest changes from gitlab-org/gitlab@14-10-stable-eev14.10.0-rc42
Diffstat (limited to 'tooling')
-rwxr-xr-xtooling/bin/find_app_sec_approval33
-rw-r--r--tooling/danger/product_intelligence.rb25
-rw-r--r--tooling/danger/project_helper.rb32
3 files changed, 56 insertions, 34 deletions
diff --git a/tooling/bin/find_app_sec_approval b/tooling/bin/find_app_sec_approval
new file mode 100755
index 00000000000..ea85617eb43
--- /dev/null
+++ b/tooling/bin/find_app_sec_approval
@@ -0,0 +1,33 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'gitlab'
+
+# This script is used to confirm that AppSec has approved upstream JiHu contributions
+#
+# It will error if the approval is missing from the MR when it is run.
+
+gitlab_token = ENV.fetch('PROJECT_TOKEN_FOR_CI_SCRIPTS_API_USAGE')
+gitlab_endpoint = ENV.fetch('CI_API_V4_URL')
+mr_project_path = ENV['CI_MERGE_REQUEST_PROJECT_PATH']
+mr_iid = ENV['CI_MERGE_REQUEST_IID']
+approval_label = "sec-planning::complete"
+
+warn "WARNING: CI_MERGE_REQUEST_PROJECT_PATH is missing." if mr_project_path.to_s.empty?
+warn "WARNING: CI_MERGE_REQUEST_IID is missing." if mr_iid.to_s.empty?
+
+unless mr_project_path && mr_iid
+ warn "ERROR: Exiting as this does not appear to be a merge request pipeline."
+ exit
+end
+
+Gitlab.configure do |config|
+ config.endpoint = gitlab_endpoint
+ config.private_token = gitlab_token
+end
+
+if Gitlab.merge_request(mr_project_path, mr_iid).labels.include?(approval_label)
+ puts 'INFO: No action required.'
+else
+ abort('ERROR: This merge request has not been approved by application security and is required prior to merge.')
+end
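Review bot: The guard `unless mr_project_path && mr_iid` fails open: it tests only for nil while the two warnings above use `.to_s.empty?`, so a variable that is set but empty still reaches `Gitlab.merge_request`, and the bare `exit` returns status 0, so a run that printed "ERROR: Exiting ..." is reported as passed without the label ever being checked. If this job is meant to gate merges, test `if mr_project_path.to_s.empty? || mr_iid.to_s.empty?` and leave with `abort` (or `exit 1`). If skipping outside merge request pipelines is intended, word the message as INFO and restrict the job to merge request pipelines in the CI rules, so a missing variable cannot turn the check into a silent pass. Separately, approval is inferred only from the `sec-planning::complete` label, so the header comment should state who is permitted to apply that label; the check is only as strong as that restriction, which is not visible in this file.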
diff --git a/tooling/danger/product_intelligence.rb b/tooling/danger/product_intelligence.rb
index 6185b2f0d08..0f007e970b4 100644
--- a/tooling/danger/product_intelligence.rb
+++ b/tooling/danger/product_intelligence.rb
@@ -6,12 +6,35 @@ module Tooling
module ProductIntelligence
APPROVED_LABEL = 'product intelligence::approved'
REVIEW_LABEL = 'product intelligence::review pending'
+ CHANGED_FILES_MESSAGE = <<~MSG
+ For the following files, a review from the [Data team and Product Intelligence team](https://gitlab.com/groups/gitlab-org/growth/product-intelligence/engineers/-/group_members?with_inherited_permissions=exclude) is recommended
+ Please check the ~"product intelligence" [Service Ping guide](https://docs.gitlab.com/ee/development/service_ping/) or the [Snowplow guide](https://docs.gitlab.com/ee/development/snowplow/).
+
+ For MR review guidelines, see the [Service Ping review guidelines](https://docs.gitlab.com/ee/development/service_ping/review_guidelines.html) or the [Snowplow review guidelines](https://docs.gitlab.com/ee/development/snowplow/review_guidelines.html).
+
+ %<changed_files>s
+
+ MSG
WORKFLOW_LABELS = [
APPROVED_LABEL,
REVIEW_LABEL
].freeze
+ def check!
+ # exit if not matching files or if no product intelligence labels
+ product_intelligence_paths_to_review = helper.changes_by_category[:product_intelligence]
+ labels_to_add = missing_labels
+
+ return if product_intelligence_paths_to_review.empty? || skip_review?
+
+ warn format(CHANGED_FILES_MESSAGE, changed_files: helper.markdown_list(product_intelligence_paths_to_review)) unless has_approved_label?
+
+ helper.labels_to_add.concat(labels_to_add) unless labels_to_add.empty?
+ end
+
+ private
+
def missing_labels
return [] unless helper.ci?
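Review bot: In `check!`, `labels_to_add = missing_labels` is evaluated before the early return, so its result is discarded whenever no product intelligence paths changed or `skip_review?` is true. Assuming `missing_labels` has no side effects (its body continues outside this hunk), move the assignment below `return if product_intelligence_paths_to_review.empty? || skip_review?`, so the guard comes first and the comment `# exit if not matching files or if no product intelligence labels` sits over the line it describes. Since `private` now precedes `missing_labels`, `check!` appears to be the only public method added here and deserves a doc comment such as `# Warns about changed product intelligence files and queues any missing workflow labels.` Any caller outside this file that still uses the now-private helpers would break; that cannot be checked from this diff.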
@@ -30,8 +53,6 @@ module Tooling
helper.mr_has_labels?('growth experiment')
end
- private
-
def has_workflow_labels?
(WORKFLOW_LABELS & helper.mr_labels).any?
end
diff --git a/tooling/danger/project_helper.rb b/tooling/danger/project_helper.rb
index 02002e1d1b2..fc87498f5d0 100644
--- a/tooling/danger/project_helper.rb
+++ b/tooling/danger/project_helper.rb
@@ -3,22 +3,6 @@
module Tooling
module Danger
module ProjectHelper
- LOCAL_RULES ||= %w[
- ci_config
- database
- documentation
- duplicate_yarn_dependencies
- eslint
- gitaly
- pajamas
- pipeline
- prettier
- product_intelligence
- utility_css
- vue_shared_documentation
- datateam
- ].freeze
-
CI_ONLY_RULES ||= %w[
ce_ee_vue_templates
ci_templates
@@ -31,8 +15,6 @@ module Tooling
z_metadata
].freeze
- MESSAGE_PREFIX = '==>'
-
# First-match win, so be sure to put more specific regex at the top...
CATEGORIES = {
[%r{usage_data\.rb}, %r{^(\+|-).*\s+(count|distinct_count|estimate_batch_distinct_count)\(.*\)(.*)$}] => [:database, :backend, :product_intelligence],
@@ -181,20 +163,6 @@ module Tooling
%r{\.js\z} => :frontend
}.freeze
- def local_warning_message
- "#{MESSAGE_PREFIX} Only the following Danger rules can be run locally: #{LOCAL_RULES.join(', ')}"
- end
- module_function :local_warning_message # rubocop:disable Style/AccessModifierDeclarations
-
- def success_message
- "#{MESSAGE_PREFIX} No Danger rule violations!"
- end
- module_function :success_message # rubocop:disable Style/AccessModifierDeclarations
-
- def rule_names
- helper.ci? ? LOCAL_RULES | CI_ONLY_RULES : LOCAL_RULES
- end
-
def file_lines(filename)
read_file(filename).lines(chomp: true)
end