5 files changed, 75 insertions, 17 deletions

diff --git a/lib/gitlab/ci/pipeline/chain/command.rb b/lib/gitlab/ci/pipeline/chain/command.rb
index 100b9521412..e62d547d862 100644
--- a/lib/gitlab/ci/pipeline/chain/command.rb
+++ b/lib/gitlab/ci/pipeline/chain/command.rb
@@ -10,7 +10,7 @@ module Gitlab
           :origin_ref, :checkout_sha, :after_sha, :before_sha,
           :trigger_request, :schedule, :merge_request,
           :ignore_skip_ci, :save_incompleted,
-          :seeds_block, :variables_attributes
+          :seeds_block, :variables_attributes, :push_options
         ) do
           include Gitlab::Utils::StrongMemoize
 
@@ -54,7 +54,13 @@ module Gitlab
 
           def protected_ref?
             strong_memoize(:protected_ref) do
-              project.protected_for?(ref)
+              project.protected_for?(origin_ref)
+            end
+          end
+
+          def ambiguous_ref?
+            strong_memoize(:ambiguous_ref) do
+              project.repository.ambiguous_ref?(origin_ref)
             end
           end
         end
diff --git a/lib/gitlab/ci/pipeline/chain/skip.rb b/lib/gitlab/ci/pipeline/chain/skip.rb
index b9707d2f8f5..79bbcc1ed1e 100644
--- a/lib/gitlab/ci/pipeline/chain/skip.rb
+++ b/lib/gitlab/ci/pipeline/chain/skip.rb
@@ -8,6 +8,7 @@ module Gitlab
           include ::Gitlab::Utils::StrongMemoize
 
           SKIP_PATTERN = /\[(ci[ _-]skip|skip[ _-]ci)\]/i
+          SKIP_PUSH_OPTION = 'ci.skip'
 
           def perform!
             if skipped?
@@ -16,7 +17,7 @@ module Gitlab
           end
 
           def skipped?
-            !@command.ignore_skip_ci && commit_message_skips_ci?
+            !@command.ignore_skip_ci && (commit_message_skips_ci? || push_option_skips_ci?)
           end
 
           def break?
@@ -32,6 +33,10 @@ module Gitlab
               !!(@pipeline.git_commit_message =~ SKIP_PATTERN)
             end
           end
+
+          def push_option_skips_ci?
+            !!(@command.push_options&.include?(SKIP_PUSH_OPTION))
+          end
         end
       end
     end
diff --git a/lib/gitlab/ci/pipeline/chain/validate/repository.rb b/lib/gitlab/ci/pipeline/chain/validate/repository.rb
index d88851d8245..9c6c2bc8e25 100644
--- a/lib/gitlab/ci/pipeline/chain/validate/repository.rb
+++ b/lib/gitlab/ci/pipeline/chain/validate/repository.rb
@@ -16,6 +16,10 @@ module Gitlab
               unless @command.sha
                 return error('Commit not found')
               end
+
+              if @command.ambiguous_ref?
+                return error('Ref is ambiguous')
+              end
             end
 
             def break?
diff --git a/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml b/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml
index a9e361b0b32..b5350f56f9c 100644
--- a/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml
@@ -185,7 +185,8 @@ dependency_scanning:
     - setup_docker
     - dependency_scanning
   artifacts:
-    paths: [gl-dependency-scanning-report.json]
+    reports:
+      dependency_scanning: gl-dependency-scanning-report.json
   only:
     refs:
       - branches
@@ -595,10 +596,55 @@ rollout 100%:
     fi
   }
 
+  # Extracts variables prefixed with K8S_SECRET_
+  # and creates a Kubernetes secret.
+  #
+  # e.g. If we have the following environment variables:
+  #   K8S_SECRET_A=value1
+  #   K8S_SECRET_B=multi\ word\ value
+  #
+  # Then we will create a secret with the following key-value pairs:
+  #   data:
+  #     A: dmFsdWUxCg==
+  #     B: bXVsdGkgd29yZCB2YWx1ZQo=
+  function create_application_secret() {
+    track="${1-stable}"
+    export APPLICATION_SECRET_NAME=$(application_secret_name "$track")
+
+    bash -c '
+      function k8s_prefixed_variables() {
+        env | sed -n "s/^K8S_SECRET_\(.*\)$/\1/p"
+      }
+
+      kubectl create secret \
+        -n "$KUBE_NAMESPACE" generic "$APPLICATION_SECRET_NAME" \
+        --from-env-file <(k8s_prefixed_variables) -o yaml --dry-run |
+        kubectl replace -n "$KUBE_NAMESPACE" --force -f -
+    '
+  }
+
+  function deploy_name() {
+    name="$CI_ENVIRONMENT_SLUG"
+    track="${1-stable}"
+
+    if [[ "$track" != "stable" ]]; then
+      name="$name-$track"
+    fi
+
+    echo $name
+  }
+
+  function application_secret_name() {
+    track="${1-stable}"
+    name=$(deploy_name "$track")
+
+    echo "${name}-secret"
+  }
+
   function deploy() {
     track="${1-stable}"
     percentage="${2:-100}"
-    name="$CI_ENVIRONMENT_SLUG"
+    name=$(deploy_name "$track")
 
     replicas="1"
     service_enabled="true"
@@ -607,7 +653,6 @@ rollout 100%:
     # if track is different than stable,
     # re-use all attached resources
     if [[ "$track" != "stable" ]]; then
-      name="$name-$track"
       service_enabled="false"
       postgres_enabled="false"
     fi
@@ -620,6 +665,8 @@ rollout 100%:
       secret_name=''
     fi
 
+    create_application_secret "$track"
+
     if [[ -n "$DB_INITIALIZE" && -z "$(helm ls -q "^$name$")" ]]; then
       echo "Deploying first release with database initialization..."
       helm upgrade --install \
@@ -632,6 +679,7 @@ rollout 100%:
         --set image.secrets[0].name="$secret_name" \
         --set application.track="$track" \
         --set application.database_url="$DATABASE_URL" \
+        --set application.secretName="$APPLICATION_SECRET_NAME" \
         --set service.url="$CI_ENVIRONMENT_URL" \
         --set replicaCount="$replicas" \
         --set postgresql.enabled="$postgres_enabled" \
@@ -664,6 +712,7 @@ rollout 100%:
         --set image.secrets[0].name="$secret_name" \
         --set application.track="$track" \
         --set application.database_url="$DATABASE_URL" \
+        --set application.secretName="$APPLICATION_SECRET_NAME" \
         --set service.url="$CI_ENVIRONMENT_URL" \
         --set replicaCount="$replicas" \
         --set postgresql.enabled="$postgres_enabled" \
@@ -683,11 +732,7 @@ rollout 100%:
   function scale() {
     track="${1-stable}"
     percentage="${2-100}"
-    name="$CI_ENVIRONMENT_SLUG"
-
-    if [[ "$track" != "stable" ]]; then
-      name="$name-$track"
-    fi
+    name=$(deploy_name "$track")
 
     replicas=$(get_replicas "$track" "$percentage")
 
@@ -881,15 +926,14 @@ rollout 100%:
 
   function delete() {
     track="${1-stable}"
-    name="$CI_ENVIRONMENT_SLUG"
-
-    if [[ "$track" != "stable" ]]; then
-      name="$name-$track"
-    fi
+    name=$(deploy_name "$track")
 
     if [[ -n "$(helm ls -q "^$name$")" ]]; then
       helm delete --purge "$name"
     fi
+
+    secret_name=$(application_secret_name "$track")
+    kubectl delete secret --ignore-not-found -n "$KUBE_NAMESPACE" "$secret_name"
   }
 
 before_script:
diff --git a/lib/gitlab/ci/templates/Ruby.gitlab-ci.yml b/lib/gitlab/ci/templates/Ruby.gitlab-ci.yml
index 93cb31f48c0..0d12cbc6460 100644
--- a/lib/gitlab/ci/templates/Ruby.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Ruby.gitlab-ci.yml
@@ -24,7 +24,6 @@ before_script:
   - ruby -v                                   # Print out ruby version for debugging
   # Uncomment next line if your rails app needs a JS runtime:
   # - apt-get update -q && apt-get install nodejs -yqq
-  - gem install bundler  --no-ri --no-rdoc    # Bundler is not installed with the image
   - bundle install -j $(nproc) --path vendor  # Install dependencies into ./vendor/ruby
 
 # Optional - Delete if not using `rubocop`