Add latest changes from gitlab-org/gitlab@master

This commit is contained in:
GitLab Bot 2022-10-26 09:11:26 +00:00
parent 5fe91268ac
commit 51c18a25f2
19 changed files with 140 additions and 14 deletions

View File

@ -7,7 +7,7 @@ include:
- local: .gitlab/ci/package-and-test/rules.gitlab-ci.yml
- local: .gitlab/ci/package-and-test/variables.gitlab-ci.yml
- project: gitlab-org/quality/pipeline-common
ref: 1.3.0
ref: 1.5.0
file:
- /ci/base.gitlab-ci.yml
- /ci/allure-report.yml

View File

@ -1,6 +1,6 @@
include:
- project: gitlab-org/quality/pipeline-common
ref: 1.3.0
ref: 1.5.0
file:
- /ci/base.gitlab-ci.yml
- /ci/allure-report.yml
@ -140,7 +140,7 @@ e2e-test-report:
variables:
ALLURE_JOB_NAME: e2e-review-qa
ALLURE_PROJECT_PATH: $CI_PROJECT_PATH
ALLURE_RESULTS_GLOB: qa/tmp/allure-results/*
ALLURE_RESULTS_GLOB: qa/tmp/allure-results
ALLURE_MERGE_REQUEST_IID: $CI_MERGE_REQUEST_IID
GITLAB_AUTH_TOKEN: $GITLAB_QA_MR_ALLURE_REPORT_TOKEN
GIT_STRATEGY: none

View File

@ -1 +1 @@
f94d4abfae5a3ee09caacd1b2dd28dca875eafa0
aaf6f16ca40fdb671858e38662a72d96d51987df

View File

@ -22,7 +22,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
condition(:share_with_group_locked, scope: :subject) { @subject.share_with_group_lock? }
condition(:parent_share_with_group_locked, scope: :subject) { @subject.parent&.share_with_group_lock? }
condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) }
condition(:migration_bot, scope: :user) { @user.migration_bot? }
condition(:migration_bot, scope: :user) { @user&.migration_bot? }
condition(:can_read_group_member) { can_read_group_member? }
desc "User is a project bot"

View File

@ -0,0 +1,18 @@
# frozen_string_literal: true
class AddIndexForCommonFinderQueryDescWithNamespaceId < Gitlab::Database::Migration[2.0]
INDEX_NAME = 'index_group_vulnerability_reads_common_finder_query_desc'
disable_ddl_transaction!
def up
add_concurrent_index :vulnerability_reads,
[:namespace_id, :state, :report_type, :severity, :vulnerability_id],
name: INDEX_NAME,
order: { severity: :desc, vulnerability_id: :desc }
end
def down
remove_concurrent_index_by_name :vulnerability_reads, INDEX_NAME
end
end

View File

@ -0,0 +1 @@
0b7727e942f6e3fa2e1b0ed9e22c504a64aceac19adf25f126baba587db4b764

View File

@ -29113,6 +29113,8 @@ CREATE INDEX index_group_stages_on_stage_event_hash_id ON analytics_cycle_analyt
CREATE UNIQUE INDEX index_group_user_callouts_feature ON user_group_callouts USING btree (user_id, feature_name, group_id);
CREATE INDEX index_group_vulnerability_reads_common_finder_query_desc ON vulnerability_reads USING btree (namespace_id, state, report_type, severity DESC, vulnerability_id DESC);
CREATE UNIQUE INDEX index_group_wiki_repositories_on_disk_path ON group_wiki_repositories USING btree (disk_path);
CREATE INDEX index_group_wiki_repositories_on_shard_id ON group_wiki_repositories USING btree (shard_id);

View File

@ -6,7 +6,7 @@
# For a list of all options, see https://vale.sh/docs/topics/styles/
extends: existence
message: 'Links to subheadings in GitLab docs must be in lower-case: "%s"'
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links-to-internal-documentation
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links-within-the-same-repository
level: error
scope: raw
raw:

View File

@ -6,7 +6,7 @@
# For a list of all options, see https://vale.sh/docs/topics/styles/
extends: existence
message: 'Link "%s" must link directly to a file and use the .md file extension.'
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links-to-internal-documentation
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links-within-the-same-repository
level: error
scope: raw
raw:

View File

@ -6,8 +6,8 @@
# For a list of all options, see https://vale.sh/docs/topics/styles/
extends: existence
message: 'Link "%s" must not start with "./".'
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links-to-internal-documentation
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links-within-the-same-repository
level: error
scope: raw
raw:
- '\[.+\]\(\.\/.*?\)'
- '\[[^\]]+\]\(\.\/.*?\)'

View File

@ -6,7 +6,7 @@
# For a list of all options, see https://vale.sh/docs/topics/styles/
extends: existence
message: 'Relative links must not include a double slash.'
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links-to-internal-documentation
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links-within-the-same-repository
level: error
scope: raw
raw:

View File

@ -66,6 +66,7 @@ This action removes the group. It also adds a background job to delete all proje
Specifically:
- In [GitLab 12.8 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/33257), on [GitLab Premium](https://about.gitlab.com/pricing/premium/) or higher tiers, this action adds a background job to mark a group for deletion. By default, the job schedules the deletion 7 days in the future. You can modify this waiting period through the [instance settings](../admin_area/settings/visibility_and_access_controls.md#deletion-protection).
- In [GitLab 13.6 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/39504), if the user who sets up the deletion is removed from the group before the
deletion happens, the job is cancelled, and the group is no longer scheduled for deletion.
@ -262,6 +263,12 @@ If you are changing the path so it can be claimed by another group or user,
you must rename the group too. Both names and paths must
be unique.
After you change the group path, the new group path is a new namespace and you must update the existing project URL in the following resources:
- [Include statements](../../ci/yaml/includes.md#include-a-single-configuration-file).
- Docker image references in CI files.
- Variables that specify a project or namespace.
To retain ownership of the original namespace and protect the URL redirects,
create a new group and transfer projects to it instead.

View File

@ -177,9 +177,13 @@ that the request is legitimate.
## Filter push events by branch
Push events can be filtered by branch using a branch name or wildcard pattern
to limit which push events are sent to your webhook endpoint. By default,
all push events are sent to your webhook endpoint. You can configure branch filtering
You can filter push events by branch. Use one of the following options to filter which push events are sent to your webhook endpoint:
- **All branches**: push events from all branches.
- **Wildcard pattern**: push events from a branch that matches a wildcard pattern (for example, `*-stable` or `production/*`).
- **Regular expression**: push events from a branch that matches a regular expression (for example, `(feature|hotfix)/*`).
You can configure branch filtering
in the [webhook settings](#configure-a-webhook-in-gitlab) in your project.
## How image URLs are displayed in the webhook body

View File

@ -45,7 +45,11 @@ module QA
end
it 'does not read from the unhealthy node',
testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/347834' do
testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/347834',
quarantine: {
issue: 'https://gitlab.com/gitlab-org/gitlab/-/issues/378174',
type: :flaky
} do
pre_read_data = praefect_manager.query_read_distribution
read_from_project(project, number_of_reads_per_loop * 10)

View File

@ -3,8 +3,20 @@
require 'spec_helper'
RSpec.describe 'Jobs/Build.gitlab-ci.yml' do
include Ci::TemplateHelpers
subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Jobs/Build') }
describe 'AUTO_BUILD_IMAGE_VERSION' do
it 'corresponds to a published image in the registry' do
registry = "https://#{template_registry_host}"
repository = "gitlab-org/cluster-integration/auto-build-image"
reference = YAML.safe_load(template.content).dig('variables', 'AUTO_BUILD_IMAGE_VERSION')
expect(public_image_exist?(registry, repository, reference)).to be true
end
end
describe 'the created pipeline' do
let_it_be(:project) { create(:project, :repository) }
let_it_be(:user) { project.first_owner }

View File

@ -3,6 +3,8 @@
require 'spec_helper'
RSpec.describe 'Jobs/Deploy.gitlab-ci.yml' do
include Ci::TemplateHelpers
subject(:template) do
<<~YAML
stages:
@ -26,6 +28,17 @@ RSpec.describe 'Jobs/Deploy.gitlab-ci.yml' do
YAML
end
describe 'AUTO_DEPLOY_IMAGE_VERSION' do
it 'corresponds to a published image in the registry' do
template = Gitlab::Template::GitlabCiYmlTemplate.find('Jobs/Deploy')
registry = "https://#{template_registry_host}"
repository = "gitlab-org/cluster-integration/auto-deploy-image"
reference = YAML.safe_load(template.content, aliases: true).dig('variables', 'AUTO_DEPLOY_IMAGE_VERSION')
expect(public_image_exist?(registry, repository, reference)).to be true
end
end
describe 'the created pipeline' do
let_it_be(:project, refind: true) { create(:project, :repository) }

View File

@ -258,6 +258,19 @@ RSpec.describe GroupPolicy do
it_behaves_like 'deploy token does not get confused with user' do
let(:user_id) { migration_bot.id }
end
context 'with no user' do
let(:current_user) { nil }
it :aggregate_failures do
expect_disallowed(:read_resource_access_tokens, :destroy_resource_access_tokens)
expect_disallowed(*guest_permissions)
expect_disallowed(*reporter_permissions)
expect_disallowed(*developer_permissions)
expect_disallowed(*maintainer_permissions)
expect_disallowed(*owner_permissions)
end
end
end
describe 'private nested group use the highest access level from the group and inherited permissions' do

View File

@ -5,6 +5,51 @@ module Ci
def template_registry_host
'registry.gitlab.com'
end
def public_image_exist?(registry, repository, image)
public_image_manifest(registry, repository, image).present?
end
def public_image_manifest(registry, repository, reference)
token = public_image_repository_token(registry, repository)
response = with_net_connect_allowed do
Gitlab::HTTP.get(image_manifest_url(registry, repository, reference),
headers: { 'Authorization' => "Bearer #{token}" })
end
return unless response.success?
Gitlab::Json.parse(response.body)
end
def public_image_repository_token(registry, repository)
@public_image_repository_tokens ||= {}
@public_image_repository_tokens[[registry, repository]] ||=
begin
response = with_net_connect_allowed do
Gitlab::HTTP.get(image_manifest_url(registry, repository, 'latest'))
end
return unless response.unauthorized?
www_authenticate = response.headers['www-authenticate']
return unless www_authenticate
realm, service, scope = www_authenticate.split(',').map { |s| s[/\w+="(.*)"/, 1] }
token_response = with_net_connect_allowed do
Gitlab::HTTP.get(realm, query: { service: service, scope: scope })
end
return unless token_response.success?
token_response['token']
end
end
def image_manifest_url(registry, repository, reference)
"#{registry}/v2/#{repository}/manifests/#{reference}"
end
end
end

View File

@ -15,6 +15,13 @@ def webmock_allowed_hosts
end.compact.uniq
end
def with_net_connect_allowed
WebMock.allow_net_connect!
yield
ensure
webmock_enable!
end
# This prevents Selenium/WebMock from spawning thousands of connections
# while waiting for an element to appear via Capybara's find:
# https://github.com/teamcapybara/capybara/issues/2322#issuecomment-619321520