9 files changed, 114 insertions, 121 deletions

diff --git a/.gitlab/ci/cng.gitlab-ci.yml b/.gitlab/ci/cng.gitlab-ci.yml
index 35859a1ab33..bd11042eb11 100644
--- a/.gitlab/ci/cng.gitlab-ci.yml
+++ b/.gitlab/ci/cng.gitlab-ci.yml
@@ -1,4 +1,5 @@
 cloud-native-image:
+  extends: .only:variables-canonical-dot-com
   image: ruby:2.6-alpine
   dependencies: []
   stage: post-test
@@ -12,5 +13,3 @@ cloud-native-image:
   only:
     refs:
       - tags
-    variables:
-      - $CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org"
diff --git a/.gitlab/ci/docs.gitlab-ci.yml b/.gitlab/ci/docs.gitlab-ci.yml
index a43be817ce2..e1808281b3a 100644
--- a/.gitlab/ci/docs.gitlab-ci.yml
+++ b/.gitlab/ci/docs.gitlab-ci.yml
@@ -2,12 +2,11 @@
   extends:
     - .default-tags
     - .default-retry
+    - .only:variables-canonical-dot-com
     - .only:changes-docs
   only:
     refs:
       - merge_requests
-    variables:
-      - $CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org"
   image: ruby:2.6-alpine
   stage: review
   dependencies: []
diff --git a/.gitlab/ci/global.gitlab-ci.yml b/.gitlab/ci/global.gitlab-ci.yml
index 743f4ec3390..b04a67ed9bb 100644
--- a/.gitlab/ci/global.gitlab-ci.yml
+++ b/.gitlab/ci/global.gitlab-ci.yml
@@ -40,6 +40,46 @@
       - merge_requests
       - tags
 
+.only:variables-canonical-dot-com:
+  only:
+    variables:
+      - $CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE =~ /^gitlab-org($|\/)/  # Matches the gitlab-org group or its subgroups
+
+.only:variables_refs-canonical-dot-com-schedules:
+  extends: .only:variables-canonical-dot-com
+  only:
+    refs:
+      - schedules
+
+.except:refs-deploy:
+  except:
+    refs:
+      - /^\d+-\d+-auto-deploy-\d+$/
+
+.except:refs-master-tags-stable-deploy:
+  except:
+    refs:
+      - master
+      - tags
+      - /^[\d-]+-stable(-ee)?$/
+      - /^\d+-\d+-auto-deploy-\d+$/
+
+.only:kubernetes:
+  only:
+    kubernetes: active
+
+.only-review:
+  extends:
+    - .only:variables-canonical-dot-com
+    - .only:kubernetes
+    - .except:refs-master-tags-stable-deploy
+
+.only-review-schedules:
+  extends:
+    - .only:variables_refs-canonical-dot-com-schedules
+    - .only:kubernetes
+    - .except:refs-deploy
+
 .code-patterns: &code-patterns
   - ".gitlab/ci/**/*"
   - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
@@ -159,31 +199,6 @@
       - ".dockerignore"
       - "qa/**/*"
 
-.only-review:
-  only:
-    variables:
-      - $CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org"
-    kubernetes: active
-  except:
-    refs:
-      - master
-      - /^\d+-\d+-auto-deploy-\d+$/
-      - /^[\d-]+-stable(-ee)?$/
-
-.only-review-schedules:
-  only:
-    refs:
-      - schedules
-    variables:
-      - $CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org"
-    kubernetes: active
-
-.only-canonical-schedules:
-  only:
-    refs:
-      - schedules@gitlab-org/gitlab
-      - schedules@gitlab-org/gitlab-foss
-
 .use-pg9:
   services:
     - name: postgres:9.6
diff --git a/.gitlab/ci/pages.gitlab-ci.yml b/.gitlab/ci/pages.gitlab-ci.yml
index a9099d140ff..6a2d3702bdd 100644
--- a/.gitlab/ci/pages.gitlab-ci.yml
+++ b/.gitlab/ci/pages.gitlab-ci.yml
@@ -4,12 +4,11 @@ pages:
     - .default-retry
     - .default-cache
     - .default-only
+    - .only:variables-canonical-dot-com
     - .only:changes-code-backstage-qa
   only:
     refs:
       - master
-    variables:
-      - $CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org"
   stage: pages
   dependencies: ["coverage", "karma", "gitlab:assets:compile pull-cache"]
   script:
diff --git a/.gitlab/ci/qa.gitlab-ci.yml b/.gitlab/ci/qa.gitlab-ci.yml
index ef407081d50..1c271ad8299 100644
--- a/.gitlab/ci/qa.gitlab-ci.yml
+++ b/.gitlab/ci/qa.gitlab-ci.yml
@@ -31,7 +31,6 @@ qa:selectors-foss:
     - .only-ee-as-if-foss
 
 .package-and-qa-base:
-  extends: .default-only
   image: ruby:2.6-alpine
   stage: qa
   dependencies: []
@@ -40,35 +39,30 @@ qa:selectors-foss:
     - source scripts/utils.sh
     - install_gitlab_gem
     - ./scripts/trigger-build omnibus
-  only:
-    variables:
-      - $CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE =~ /^gitlab-org($|\/)/  # Matches the gitlab-org group or its subgroups
 
 package-and-qa-manual:
   extends:
     - .package-and-qa-base
+    - .default-only
+    - .only:variables-canonical-dot-com
+    - .except:refs-deploy
     - .only:changes-code
-  except:
-    refs:
-      - master
-      - /^\d+-\d+-auto-deploy-\d+$/
   when: manual
   needs: ["build-qa-image", "gitlab:assets:compile pull-cache"]
 
 package-and-qa:
   extends:
     - .package-and-qa-base
+    - .default-only
+    - .only:variables-canonical-dot-com
+    - .except:refs-master-tags-stable-deploy
     - .only:changes-qa
-  except:
-    refs:
-      - master
-      - /^\d+-\d+-auto-deploy-\d+$/
   needs: ["build-qa-image", "gitlab:assets:compile pull-cache"]
   allow_failure: true
 
 schedule:package-and-qa:
   extends:
     - .package-and-qa-base
-    - .only:changes-code-qa
-    - .only-canonical-schedules
+    - .default-only
+    - .only:variables_refs-canonical-dot-com-schedules
   needs: ["build-qa-image", "gitlab:assets:compile pull-cache"]
diff --git a/.gitlab/ci/rails.gitlab-ci.yml b/.gitlab/ci/rails.gitlab-ci.yml
index 32cada6ea40..5b1930faabb 100644
--- a/.gitlab/ci/rails.gitlab-ci.yml
+++ b/.gitlab/ci/rails.gitlab-ci.yml
@@ -252,12 +252,7 @@ downtime_check:
   extends:
     - .rake-exec
     - .only:changes-code-backstage
-  except:
-    refs:
-      - master
-      - tags
-    variables:
-      - $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/
+    - .except:refs-master-tags-stable-deploy
   stage: test
   needs: ["setup-test-env"]
   dependencies: ["setup-test-env"]
diff --git a/.gitlab/ci/review.gitlab-ci.yml b/.gitlab/ci/review.gitlab-ci.yml
index 539ae8a2512..01ef38a7341 100644
--- a/.gitlab/ci/review.gitlab-ci.yml
+++ b/.gitlab/ci/review.gitlab-ci.yml
@@ -1,14 +1,8 @@
-.except-deploys:
-  except:
-    refs:
-      - /^\d+-\d+-auto-deploy-\d+$/
-
 .review-docker:
   extends:
     - .default-tags
     - .default-retry
     - .default-only
-    - .except-deploys
   image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-qa-alpine
   services:
     - docker:19.03.0-dind
@@ -23,10 +17,9 @@
 build-qa-image:
   extends:
     - .review-docker
+    - .only:variables-canonical-dot-com
+    - .except:refs-deploy
     - .only:changes-code-qa
-  only:
-    variables:
-      - $CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org"
   stage: prepare
   script:
     - '[[ ! -d "ee/" ]] || export GITLAB_EDITION="ee"'
@@ -40,7 +33,6 @@ build-qa-image:
     - .default-tags
     - .default-retry
     - .default-only
-    - .only:changes-code-qa
   stage: prepare
   image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-charts-build-base
   allow_failure: true
@@ -61,13 +53,14 @@ schedule:review-cleanup:
 manual:review-cleanup:
   extends:
     - .base-review-cleanup
+    - .only:changes-code-qa
   when: manual
 
 .review-build-cng-base:
   extends:
+    - .default-tags
+    - .default-retry
     - .default-only
-    - .only:changes-code-qa
-    - .except-deploys
   image: ruby:2.6-alpine
   stage: review-prepare
   before_script:
@@ -82,6 +75,7 @@ review-build-cng:
   extends:
     - .review-build-cng-base
     - .only-review
+    - .only:changes-code-qa
   needs: ["gitlab:assets:compile pull-cache"]
 
 schedule:review-build-cng:
@@ -90,17 +84,13 @@ schedule:review-build-cng:
     - .only-review-schedules
   needs: ["gitlab:assets:compile pull-cache"]
 
-.review-deploy-base:
+.review-workflow-base:
   extends:
     - .default-tags
     - .default-retry
     - .default-only
-    - .only:changes-code-qa
-    - .except-deploys
-  stage: review
   image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-charts-build-base
   dependencies: []
-  allow_failure: true
   variables:
     HOST_SUFFIX: "${CI_ENVIRONMENT_SLUG}"
     DOMAIN: "-${CI_ENVIRONMENT_SLUG}.${REVIEW_APPS_DOMAIN}"
@@ -113,6 +103,11 @@ schedule:review-build-cng:
     name: review/${CI_COMMIT_REF_NAME}
     url: https://gitlab-${CI_ENVIRONMENT_SLUG}.${REVIEW_APPS_DOMAIN}
     on_stop: review-stop
+
+.review-deploy-base:
+  extends: .review-workflow-base
+  stage: review
+  allow_failure: true
   before_script:
     - '[[ ! -d "ee/" ]] || export GITLAB_EDITION="ee"'
     - export GITLAB_SHELL_VERSION=$(<GITLAB_SHELL_VERSION)
@@ -148,6 +143,7 @@ review-deploy:
   extends:
     - .review-deploy-base
     - .only-review
+    - .only:changes-code-qa
   needs: ["review-build-cng"]
 
 schedule:review-deploy:
@@ -156,9 +152,8 @@ schedule:review-deploy:
     - .only-review-schedules
   needs: ["schedule:review-build-cng"]
 
-review-stop:
-  extends: review-deploy
-  when: manual
+.base-review-stop:
+  extends: .review-workflow-base
   environment:
     action: stop
   variables:
@@ -171,20 +166,20 @@ review-stop:
     - wget $CI_PROJECT_URL/raw/$CI_COMMIT_SHA/scripts/utils.sh
     - source utils.sh
     - source review-apps.sh
-  script:
-    - delete_release
-  artifacts:
-    paths: []
 
 review-cleanup-failed-deployment:
-  extends: review-stop
+  extends: .base-review-stop
   stage: prepare
-  when: on_success
-  needs: []
-  allow_failure: false
   script:
     - delete_failed_release
 
+review-stop:
+  extends: .base-review-stop
+  when: manual
+  allow_failure: true
+  script:
+    - delete_release
+
 .review-qa-base:
   extends:
     - .review-docker
@@ -234,9 +229,7 @@ review-qa-all:
     - gitlab-qa Test::Instance::Any "${QA_IMAGE}" "${CI_ENVIRONMENT_URL}" -- --format RspecJunitFormatter --out tmp/rspec-${CI_JOB_ID}.xml --format html --out tmp/rspec.htm --color --format documentation
 
 .review-performance-base:
-  extends:
-    - .review-docker
-    - .only:changes-code-qa
+  extends: .review-docker
   stage: qa
   allow_failure: true
   before_script:
@@ -259,6 +252,7 @@ review-performance:
   extends:
     - .review-performance-base
     - .only-review
+    - .only:changes-code-qa
   needs: ["review-deploy"]
   dependencies: ["review-deploy"]
   before_script:
@@ -288,9 +282,8 @@ parallel-spec-reports:
   extends:
     - .default-tags
     - .default-only
-    - .only:changes-code-qa
     - .only-review
-    - .except-deploys
+    - .only:changes-code-qa
   image: ruby:2.6-alpine
   stage: post-test
   dependencies: ["review-qa-all"]
@@ -321,18 +314,13 @@ danger-review:
     - .default-retry
     - .default-cache
     - .default-only
+    - .except:refs-master-tags-stable-deploy
   image: registry.gitlab.com/gitlab-org/gitlab-build-images:danger
   stage: test
   dependencies: []
   only:
     variables:
       - $DANGER_GITLAB_API_TOKEN
-  except:
-    refs:
-      - master
-    variables:
-      - $CI_COMMIT_REF_NAME =~ /^\d+-\d+-auto-deploy-\d+$/
-      - $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/
   script:
     - git version
     - node --version
diff --git a/.gitlab/ci/setup.gitlab-ci.yml b/.gitlab/ci/setup.gitlab-ci.yml
index 605f431b5ff..24267584393 100644
--- a/.gitlab/ci/setup.gitlab-ci.yml
+++ b/.gitlab/ci/setup.gitlab-ci.yml
@@ -6,6 +6,7 @@ cache gems:
     - .default-retry
     - .default-cache
     - .default-before_script
+    - .only:variables-canonical-dot-com
     - .only:changes-code-backstage-qa
   stage: test
   dependencies: ["setup-test-env"]
@@ -21,8 +22,6 @@ cache gems:
     refs:
       - master
       - tags
-    variables:
-      - $CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org"
 
 .minimal-job:
   extends:
diff --git a/doc/development/pipelines.md b/doc/development/pipelines.md
index 8d83cea8c7b..764bd68000d 100644
--- a/doc/development/pipelines.md
+++ b/doc/development/pipelines.md
@@ -39,7 +39,8 @@ The current stages are:
 ## Default image
 
 The default image is currently
-`gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.3-golang-1.11-git-2.22-chrome-73.0-node-12.x-yarn-1.16-postgresql-9.6-graphicsmagick-1.3.33`.
+`registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.3-golang-1.11-git-2.22-chrome-73.0-node-12.x-yarn-1.16-postgresql-9.6-graphicsmagick-1.3.33`.
+
 It includes Ruby 2.6.3, Go 1.11, Git 2.22, Chrome 73, Node 12, Yarn 1.16,
 PostgreSQL 9.6, and Graphics Magick 1.3.33.
 
@@ -49,24 +50,13 @@ project, which is push-mirrored to <https://dev.gitlab.org/gitlab/gitlab-build-i
 for redundancy.
 
 The current version of the build images can be found in the
-["Used by GitLab CE/EE section"](https://gitlab.com/gitlab-org/gitlab-build-images/blob/master/.gitlab-ci.yml).
+["Used by GitLab section"](https://gitlab.com/gitlab-org/gitlab-build-images/blob/master/.gitlab-ci.yml).
 
 ## Default variables
 
 In addition to the [predefined variables](../ci/variables/predefined_variables.md),
-each pipeline includes the following [variables](../ci/variables/README.md):
-
-- `RAILS_ENV: "test"`
-- `NODE_ENV: "test"`
-- `SIMPLECOV: "true"`
-- `GIT_DEPTH: "50"`
-- `GIT_SUBMODULE_STRATEGY: "none"`
-- `GET_SOURCES_ATTEMPTS: "3"`
-- `KNAPSACK_RSPEC_SUITE_REPORT_PATH: knapsack/${CI_PROJECT_NAME}/rspec_report-master.json`
-- `FLAKY_RSPEC_SUITE_REPORT_PATH: rspec_flaky/report-suite.json`
-- `BUILD_ASSETS_IMAGE: "false"`
-- `ES_JAVA_OPTS: "-Xms256m -Xmx256m"`
-- `ELASTIC_URL: "http://elastic:changeme@docker.elastic.co-elasticsearch-elasticsearch:9200"`
+each pipeline includes default variables defined in
+<https://gitlab.com/gitlab-org/gitlab/blob/master/.gitlab-ci.yml>.
 
 ## Common job definitions
 
@@ -86,22 +76,35 @@ These common definitions are:
   Ruby/Rails and frontend tasks.
 - `.default-only`: Restricts the cases where a job is created. This currently
   includes `master`, `/^[\d-]+-stable(-ee)?$/` (stable branches),
-  `/^\d+-\d+-auto-deploy-\d+$/` (security branches), `merge_requests`, `tags`.
+  `/^\d+-\d+-auto-deploy-\d+$/` (auto-deploy branches), `/^security\//` (security branches), `merge_requests`, `tags`.
   Note that jobs won't be created for branches with this default configuration.
-- `.only-review`: Only creates a job for the `gitlab-org` namespace and if
-  Kubernetes integration is available. Also, prevents a job from being created
-  for `master` and auto-deploy branches.
-- `.only-review-schedules`: Same as `.only-review` but also restrict a job to
-  only run for [schedules](../user/project/pipelines/schedules.md).
-- `.only-canonical-schedules`: Only creates a job for scheduled pipelines in
-  the `gitlab-org/gitlab` and `gitlab-org/gitlab-foss` projects
+- `.only:variables-canonical-dot-com`: Only creates a job if the project is
+  located under <https://gitlab.com/gitlab-org>.
+- `.only:variables_refs-canonical-dot-com-schedules`: Same as
+  `.only:variables-canonical-dot-com` but add the condition that pipeline is scheduled.
+- `.except:refs-deploy`: Don't create a job if the `ref` is an auto-deploy branch.
+- `.except:refs-master-tags-stable-deploy`: Don't create a job if the `ref` is one of:
+  - `master`
+  - a tag
+  - a stable branch
+  - an auto-deploy branch
+- `.only:kubernetes`: Only creates a job if a Kubernetes integration is enabled
+  on the project.
+- `.only-review`: This extends from:
+  - `.only:variables-canonical-dot-com`
+  - `.only:kubernetes`
+  - `.except:refs-master-tags-stable-deploy`
+- `.only-review-schedules`: This extends from:
+  - `.only:variables_refs-canonical-dot-com-schedules`
+  - `.only:kubernetes`
+  - `.except:refs-deploy`
 - `.use-pg9`: Allows a job to use the `postgres:9.6` and `redis:alpine` services.
 - `.use-pg10`: Allows a job to use the `postgres:10.9` and `redis:alpine` services.
 - `.use-pg9-ee`: Same as `.use-pg9` but also use the
   `docker.elastic.co/elasticsearch/elasticsearch:5.6.12` services.
 - `.use-pg10-ee`: Same as `.use-pg10` but also use the
   `docker.elastic.co/elasticsearch/elasticsearch:5.6.12` services.
-- `.only-ee`: Only creates a job for the `gitlab` project.
+- `.only-ee`: Only creates a job for the `gitlab` or `gitlab-ee` project.
 - `.only-ee-as-if-foss`: Same as `.only-ee` but simulate the FOSS project by
   setting the `FOSS_ONLY='1'` environment variable.
 
@@ -112,11 +115,13 @@ the cases where it should be created
 [based on the changes](../ci/yaml/README.md#onlychangesexceptchanges)
 from a commit or MR by extending from the following CI definitions:
 
-- `.only-code-changes`: Allows a job to only be created upon code-related changes.
-- `.only-qa-changes`: Allows a job to only be created upon QA-related changes.
-- `.only-docs-changes`: Allows a job to only be created upon docs-related changes.
-- `.only-code-qa-changes`: Allows a job to only be created upon code-related or QA-related changes.
-- `.only-graphql-changes`: Allows a job to only be created upon graphql-related changes.
+- `.only:changes-code`: Allows a job to only be created upon code-related changes.
+- `.only:changes-qa`: Allows a job to only be created upon QA-related changes.
+- `.only:changes-docs`: Allows a job to only be created upon docs-related changes.
+- `.only:changes-graphql`: Allows a job to only be created upon GraphQL-related changes.
+- `.only:changes-code-backstage`: Allows a job to only be created upon code-related or backstage-related (e.g. Danger, RuboCop, specs) changes.
+- `.only:changes-code-qa`: Allows a job to only be created upon code-related or QA-related changes.
+- `.only:changes-code-backstage-qa`: Allows a job to only be created upon code-related, backstage-related (e.g. Danger, RuboCop, specs) or QA-related changes.
 
 **See <https://gitlab.com/gitlab-org/gitlab/blob/master/.gitlab/ci/global.gitlab-ci.yml>
 for the list of exact patterns.**