-rw-r--r-- | app/controllers/projects/settings/ci_cd_controller.rb | 2 | ||||
-rw-r--r-- | app/controllers/projects_controller.rb | 1 | ||||
-rw-r--r-- | app/models/ci/build.rb | 2 | ||||
-rw-r--r-- | app/models/project.rb | 1 | ||||
-rw-r--r-- | app/models/project_ci_cd_setting.rb | 1 | ||||
-rw-r--r-- | app/views/projects/settings/ci_cd/_form.html.haml | 8 | ||||
-rw-r--r-- | db/migrate/20220507204024_add_separated_caches_option_to_project_ci_settings.rb | 9 | ||||
-rw-r--r-- | db/schema_migrations/20220507204024 | 1 | ||||
-rw-r--r-- | db/structure.sql | 3 | ||||
-rw-r--r-- | doc/ci/caching/index.md | 22 | ||||
-rw-r--r-- | lib/api/entities/project.rb | 1 | ||||
-rw-r--r-- | locale/gitlab.pot | 6 | ||||
-rw-r--r-- | spec/models/ci/build_spec.rb | 26 | ||||
-rw-r--r-- | spec/requests/api/project_attributes.yml | 1 |
14 files changed, 79 insertions, 5 deletions
diff --git a/app/controllers/projects/settings/ci_cd_controller.rb b/app/controllers/projects/settings/ci_cd_controller.rb index 3f4d26bb6ec..d49afd565f7 100644 --- a/app/controllers/projects/settings/ci_cd_controller.rb +++ b/app/controllers/projects/settings/ci_cd_controller.rb @@ -87,7 +87,7 @@ module Projects def permitted_project_params [ :runners_token, :builds_enabled, :build_allow_git_fetch, - :build_timeout_human_readable, :build_coverage_regex, :public_builds, + :build_timeout_human_readable, :build_coverage_regex, :public_builds, :ci_separated_caches, :auto_cancel_pending_pipelines, :ci_config_path, :auto_rollback_enabled, auto_devops_attributes: [:id, :domain, :enabled, :deploy_strategy], ci_cd_settings_attributes: [:default_git_depth, :forward_deployment_enabled] diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb index 6cdfdfa9e2f..8d57b95ad87 100644 --- a/app/controllers/projects_controller.rb +++ b/app/controllers/projects_controller.rb @@ -451,6 +451,7 @@ class ProjectsController < Projects::ApplicationController :initialize_with_sast, :initialize_with_readme, :autoclose_referenced_issues, + :ci_separated_caches, :suggestion_commit_message, :packages_enabled, :service_desk_enabled, diff --git a/app/models/ci/build.rb b/app/models/ci/build.rb index a8ad55fd5a4..e8b4751a687 100644 --- a/app/models/ci/build.rb +++ b/app/models/ci/build.rb @@ -911,6 +911,8 @@ module Ci end end + return cache unless project.ci_separated_caches + type_suffix = pipeline.protected_ref? ? 'protected' : 'non_protected' cache.map do |entry| entry.merge(key: "#{entry[:key]}-#{type_suffix}") diff --git a/app/models/project.rb b/app/models/project.rb index f7182d1645c..b27f91dcdd5 100644 --- a/app/models/project.rb +++ b/app/models/project.rb 
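Review bot: The new guard `return cache unless project.ci_separated_caches` in app/models/ci/build.rb fails open. The accessor is delegated to `ci_cd_settings` with `allow_nil: true` (see the app/models/project.rb hunk), so a project without a settings record returns `nil` and its cache keys lose the `protected`/`non_protected` suffix. The documentation added in this commit calls the separation a security feature, so only an explicit opt-out should skip it, for example `return cache if project.ci_separated_caches == false`. Whether a project can exist without a `ci_cd_settings` row is not visible here, so treat this as hardening to confirm; the spec hunk stubs only the `false` case and would benefit from a `nil` case. The enclosing method starts above the hunk.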
@@ -471,6 +471,7 @@ class Project < ApplicationRecord delegate :job_token_scope_enabled, :job_token_scope_enabled=, to: :ci_cd_settings, prefix: :ci, allow_nil: true delegate :keep_latest_artifact, :keep_latest_artifact=, to: :ci_cd_settings, allow_nil: true delegate :restrict_user_defined_variables, :restrict_user_defined_variables=, to: :ci_cd_settings, allow_nil: true + delegate :separated_caches, :separated_caches=, to: :ci_cd_settings, prefix: :ci, allow_nil: true delegate :runner_token_expiration_interval, :runner_token_expiration_interval=, :runner_token_expiration_interval_human_readable, :runner_token_expiration_interval_human_readable=, to: :ci_cd_settings, allow_nil: true delegate :actual_limits, :actual_plan_name, :actual_plan, to: :namespace, allow_nil: true delegate :allow_merge_on_skipped_pipeline, :allow_merge_on_skipped_pipeline?, diff --git a/app/models/project_ci_cd_setting.rb b/app/models/project_ci_cd_setting.rb index 28a493cae33..bb0fdaa29a1 100644 --- a/app/models/project_ci_cd_setting.rb +++ b/app/models/project_ci_cd_setting.rb @@ -18,6 +18,7 @@ class ProjectCiCdSetting < ApplicationRecord allow_nil: true default_value_for :forward_deployment_enabled, true + default_value_for :separated_caches, true chronic_duration_attr :runner_token_expiration_interval_human_readable, :runner_token_expiration_interval diff --git a/app/views/projects/settings/ci_cd/_form.html.haml b/app/views/projects/settings/ci_cd/_form.html.haml index 5ef56cda6d2..28aa14bf16b 100644 --- a/app/views/projects/settings/ci_cd/_form.html.haml +++ b/app/views/projects/settings/ci_cd/_form.html.haml 
@@ -1,6 +1,7 @@ - help_link_public_pipelines = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'change-which-users-can-view-your-pipelines'), target: '_blank', rel: 'noopener noreferrer' - help_link_auto_canceling = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'auto-cancel-redundant-pipelines'), target: '_blank', rel: 'noopener noreferrer' -- help_link_skip_outdated =link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'skip-outdated-deployment-jobs'), target: '_blank', rel: 'noopener noreferrer' +- help_link_skip_outdated = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'skip-outdated-deployment-jobs'), target: '_blank', rel: 'noopener noreferrer' +- help_link_separated_caches = link_to sprite_icon('question-o'), help_page_path('ci/caching/index', anchor: 'cache-key-names'), target: '_blank', rel: 'noopener noreferrer' .row.gl-mt-3 .col-lg-12 @@ -25,6 +26,11 @@ help_text: (_('When a deployment job is successful, skip older deployment jobs that are still pending.') + ' ' + help_link_skip_outdated).html_safe .form-group + = f.gitlab_ui_checkbox_component :ci_separated_caches, + s_("CICD|Use separate caches for protected branches"), + help_text: (s_('CICD|Unprotected branches will not have access to the cache from protected branches.') + ' ' + help_link_separated_caches).html_safe + + .form-group = f.label :ci_config_path, _('CI/CD configuration file'), class: 'label-bold' = f.text_field :ci_config_path, class: 'form-control', placeholder: '.gitlab-ci.yml' %p.form-text.text-muted diff --git a/db/migrate/20220507204024_add_separated_caches_option_to_project_ci_settings.rb b/db/migrate/20220507204024_add_separated_caches_option_to_project_ci_settings.rb new file mode 100644 index 00000000000..39daf9fe296 --- /dev/null +++ b/db/migrate/20220507204024_add_separated_caches_option_to_project_ci_settings.rb 
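Review bot: In the second hunk of this file (`@@ -25,6 +26,11 @@`), the new checkbox's `help_text` concatenates the translated string with the help link and marks the whole result `.html_safe`, so any markup inside a translation of that message would be rendered unescaped. The neighbouring skip-outdated checkbox does the same, so this follows the file's existing practice, but new code can avoid it with `help_text: safe_join([s_('CICD|Unprotected branches will not have access to the cache from protected branches.'), help_link_separated_caches], ' ')`. That escapes the translation while leaving the already-safe `link_to` output intact.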
@@ -0,0 +1,9 @@ +# frozen_string_literal: true + +class AddSeparatedCachesOptionToProjectCiSettings < Gitlab::Database::Migration[2.0] + enable_lock_retries! + + def change + add_column :project_ci_cd_settings, :separated_caches, :boolean, default: true, null: false + end +end diff --git a/db/schema_migrations/20220507204024 b/db/schema_migrations/20220507204024 new file mode 100644 index 00000000000..510badf30ea --- /dev/null +++ b/db/schema_migrations/20220507204024 @@ -0,0 +1 @@ +8014dcf24ac2f1171240daa349e0552cb313b06f756b84e09a16d76a8810132a
\ No newline at end of file diff --git a/db/structure.sql b/db/structure.sql index c226da842c3..eaae14bebb8 100644 --- a/db/structure.sql +++ b/db/structure.sql @@ -19054,7 +19054,8 @@ CREATE TABLE project_ci_cd_settings ( keep_latest_artifact boolean DEFAULT true NOT NULL, restrict_user_defined_variables boolean DEFAULT false NOT NULL, job_token_scope_enabled boolean DEFAULT false NOT NULL, - runner_token_expiration_interval integer + runner_token_expiration_interval integer, + separated_caches boolean DEFAULT true NOT NULL ); CREATE SEQUENCE project_ci_cd_settings_id_seq diff --git a/doc/ci/caching/index.md b/doc/ci/caching/index.md index 777bbf6053f..bb4e7aecd08 100644 --- a/doc/ci/caching/index.md +++ b/doc/ci/caching/index.md @@ -31,7 +31,7 @@ can't link to files outside it. - Subsequent pipelines can use the cache. - Subsequent jobs in the same pipeline can use the cache, if the dependencies are identical. - Different projects cannot share the cache. -- Protected and non-protected branches do not share the cache. +- By default, protected and non-protected branches [do not share the cache](#cache-key-names). However, you can [change this behavior](#use-the-same-cache-for-all-branches). ### Artifacts @@ -447,7 +447,7 @@ is stored on the machine where GitLab Runner is installed. The location also dep If you use cache and artifacts to store the same path in your jobs, the cache might be overwritten because caches are restored before artifacts. -### Segregation of caches between protected and non-protected branches +#### Cache key names > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/330047) in GitLab 15.0. 
@@ -463,6 +463,24 @@ and `feature`, then the following table represents the resulting cache keys: | `main` | `main-protected` | | `feature` | `feature-non_protected` | +##### Use the same cache for all branches + +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/361643) in GitLab 15.0. + +If you do not want to use [cache key names](#cache-key-names), +you can have all branches (protected and unprotected) use the same cache. + +The cache separation with [cache key names](#cache-key-names) is a security feature +and should only be disabled in an environment where all users with Developer role are highly trusted. + +To use the same cache for all branches: + +1. On the top bar, select **Menu > Projects** and find your project. +1. On the left sidebar, select **Settings > CI/CD**. +1. Expand **General pipelines**. +1. Clear the **Use separate caches for protected branches** checkbox. +1. Select **Save changes**. + ### How archiving and extracting works This example shows two jobs in two consecutive stages: diff --git a/lib/api/entities/project.rb b/lib/api/entities/project.rb index 60cc5167c41..7fec4bf5276 100644 --- a/lib/api/entities/project.rb +++ b/lib/api/entities/project.rb @@ -99,6 +99,7 @@ module API expose :ci_default_git_depth expose :ci_forward_deployment_enabled expose :ci_job_token_scope_enabled + expose :ci_separated_caches expose :public_builds, as: :public_jobs expose :build_git_strategy, if: lambda { |project, options| options[:user_can_admin_project] } do |project, options| project.build_allow_git_fetch ? 'fetch' : 'clone' diff --git a/locale/gitlab.pot b/locale/gitlab.pot index fa3357c723f..edad17df272 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot 
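Review bot: `expose :ci_separated_caches` in lib/api/entities/project.rb carries no condition of its own, so the state of a security setting is returned to whoever receives this entity, while `build_git_strategy` two lines below is limited by `options[:user_can_admin_project]`. The surrounding block starts outside the hunk, so an enclosing condition may already apply. If none does, consider `expose :ci_separated_caches, if: lambda { |_project, options| options[:user_can_admin_project] }` so that only project administrators can see whether cache separation is turned off.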
@@ -6660,6 +6660,12 @@ msgstr "" msgid "CICD|The Auto DevOps pipeline runs if no alternative CI configuration file is found." msgstr "" +msgid "CICD|Unprotected branches will not have access to the cache from protected branches." +msgstr "" + +msgid "CICD|Use separate caches for protected branches" +msgstr "" + msgid "CICD|group enabled" msgstr "" diff --git a/spec/models/ci/build_spec.rb b/spec/models/ci/build_spec.rb index 12e65974270..e37221bc1c7 100644 --- a/spec/models/ci/build_spec.rb +++ b/spec/models/ci/build_spec.rb @@ -1069,6 +1069,32 @@ RSpec.describe Ci::Build do is_expected.to all(a_hash_including(key: a_string_matching(/-non_protected$/))) end end + + context 'when separated caches are disabled' do + before do + allow_any_instance_of(Project).to receive(:ci_separated_caches).and_return(false) + end + + context 'running on protected ref' do + before do + allow(build.pipeline).to receive(:protected_ref?).and_return(true) + end + + it 'is expected to have no type suffix' do + is_expected.to match([a_hash_including(key: 'key-1'), a_hash_including(key: 'key2-1')]) + end + end + + context 'running on not protected ref' do + before do + allow(build.pipeline).to receive(:protected_ref?).and_return(false) + end + + it 'is expected to have no type suffix' do + is_expected.to match([a_hash_including(key: 'key-1'), a_hash_including(key: 'key2-1')]) + end + end + end end context 'when project has jobs_cache_index' do diff --git a/spec/requests/api/project_attributes.yml b/spec/requests/api/project_attributes.yml index fbcaa404edb..eb6f81c2810 100644 --- a/spec/requests/api/project_attributes.yml +++ b/spec/requests/api/project_attributes.yml @@ -99,6 +99,7 @@ ci_cd_settings: default_git_depth: ci_default_git_depth forward_deployment_enabled: ci_forward_deployment_enabled job_token_scope_enabled: ci_job_token_scope_enabled + separated_caches: ci_separated_caches build_import_state: # import_state unexposed_attributes: |
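Review bot: The new context in spec/models/ci/build_spec.rb uses `allow_any_instance_of(Project)`, which stubs every `Project` in the example and bypasses the real delegate to `ci_cd_settings`. Stubbing only the object under test, `allow(build.project).to receive(:ci_separated_caches).and_return(false)`, keeps the scope narrow and matches the `allow(build.pipeline)` style used a few lines further down. The two inner contexts also assert the same expectation with the same description, so an RSpec shared example or a `where` table over `protected_ref?` would state the intent once.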