Add latest changes from gitlab-org/gitlab@master

This commit is contained in:
GitLab Bot 2022-06-22 06:08:52 +00:00
parent 0c924987e1
commit 57b795ee00
53 changed files with 1337 additions and 1169 deletions


@ -14,8 +14,6 @@ import {
export const setInitialData = ({ commit }, data) => commit(SET_INITIAL_DATA, data);
export const fetchAwards = async ({ commit, dispatch, state }, page = '1') => {
if (!window.gon?.current_user_id) return;
try {
const { data, headers } = await axios.get(joinPaths(gon.relative_url_root || '', state.path), {
params: { per_page: 100, page },


@ -18,14 +18,14 @@ class Import::BitbucketController < Import::BaseController
if auth_state.blank? || !ActiveSupport::SecurityUtils.secure_compare(auth_state, params[:state])
go_to_bitbucket_for_permissions
else
response = oauth_client.auth_code.get_token(params[:code], redirect_uri: users_import_bitbucket_callback_url)
response = oauth_client.auth_code.get_token(params[:code], redirect_uri: users_import_bitbucket_callback_url(namespace_id: params[:namespace_id]))
session[:bitbucket_token] = response.token
session[:bitbucket_expires_at] = response.expires_at
session[:bitbucket_expires_in] = response.expires_in
session[:bitbucket_refresh_token] = response.refresh_token
redirect_to status_import_bitbucket_url
redirect_to status_import_bitbucket_url(namespace_id: params[:namespace_id])
end
end
@ -83,11 +83,6 @@ class Import::BitbucketController < Import::BaseController
:bitbucket
end
override :provider_url
def provider_url
provider.url
end
private
def oauth_client
@ -121,7 +116,7 @@ class Import::BitbucketController < Import::BaseController
def go_to_bitbucket_for_permissions
state = SecureRandom.base64(64)
session[:bitbucket_auth_state] = state
redirect_to oauth_client.auth_code.authorize_url(redirect_uri: users_import_bitbucket_callback_url, state: state)
redirect_to oauth_client.auth_code.authorize_url(redirect_uri: users_import_bitbucket_callback_url(namespace_id: params[:namespace_id]), state: state)
end
def bitbucket_unauthorized(exception)
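Review bot: `params[:namespace_id]` is read raw in four places in this controller (both `redirect_uri` builds, the status redirect, and `go_to_bitbucket_for_permissions`), while the GitHub controller in the same commit normalises it with `.presence`; a blank `namespace_id=` on the import page therefore survives as `?namespace_id=` in the Bitbucket `redirect_uri`, whereas a missing one is dropped by the URL helper, so the same user action can yield two different callback URLs to match against the registered one. A private helper would keep the shapes consistent: `def namespace_id` / `params[:namespace_id].presence` / `end`, used in place of the four `params[:namespace_id]` reads. Note that the `redirect_uri` given to `get_token` is rebuilt from the value Bitbucket echoes back in the callback query string, so any tampering there surfaces as an `OAuth2::Error` rather than a wrong namespace, which is fine, but the value is still attacker-chosen and the namespace must be authorised against the current user where the import is created, which is outside this diff.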


@ -7,7 +7,7 @@ class Import::GiteaController < Import::GithubController
def new
if session[access_token_key].present? && provider_url.present?
redirect_to status_import_url(namespace_id: params[:namespace_id])
redirect_to status_import_url
end
end


@ -23,25 +23,24 @@ class Import::GithubController < Import::BaseController
if !ci_cd_only? && github_import_configured? && logged_in_with_provider?
go_to_provider_for_permissions
elsif session[access_token_key]
redirect_to status_import_url(namespace_id: params[:namespace_id])
redirect_to status_import_url
end
end
def callback
auth_state = session.delete(auth_state_key)
namespace_id = session.delete(:namespace_id)
if auth_state.blank? || !ActiveSupport::SecurityUtils.secure_compare(auth_state, params[:state])
provider_unauthorized
else
session[access_token_key] = get_token(params[:code])
redirect_to status_import_url(namespace_id: namespace_id)
redirect_to status_import_url
end
end
def personal_access_token
session[access_token_key] = params[:personal_access_token]&.strip
redirect_to status_import_url(namespace_id: params[:namespace_id].presence)
redirect_to status_import_url
end
def status
@ -205,15 +204,15 @@ class Import::GithubController < Import::BaseController
end
def new_import_url
public_send("new_import_#{provider_name}_url", extra_import_params) # rubocop:disable GitlabSecurity/PublicSend
public_send("new_import_#{provider_name}_url", extra_import_params.merge({ namespace_id: params[:namespace_id] })) # rubocop:disable GitlabSecurity/PublicSend
end
def status_import_url(namespace_id: nil)
public_send("status_import_#{provider_name}_url", extra_import_params.merge({ namespace_id: namespace_id })) # rubocop:disable GitlabSecurity/PublicSend
def status_import_url
public_send("status_import_#{provider_name}_url", extra_import_params.merge({ namespace_id: params[:namespace_id].presence })) # rubocop:disable GitlabSecurity/PublicSend
end
def callback_import_url
public_send("users_import_#{provider_name}_callback_url", extra_import_params) # rubocop:disable GitlabSecurity/PublicSend
public_send("users_import_#{provider_name}_callback_url", extra_import_params.merge({ namespace_id: params[:namespace_id] })) # rubocop:disable GitlabSecurity/PublicSend
end
def provider_unauthorized
@ -255,7 +254,6 @@ class Import::GithubController < Import::BaseController
def provider_auth
if !ci_cd_only? && session[access_token_key].blank?
session[:namespace_id] = params[:namespace_id]
go_to_provider_for_permissions
end
end
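Review bot: `status_import_url` applies `.presence` to `params[:namespace_id]` but the neighbouring `new_import_url` and `callback_import_url` in the same hunk pass it raw, so an empty `namespace_id=` is dropped from the status URL yet kept as `?namespace_id=` in the OAuth `redirect_uri` and the new-import URL; pick one normalisation for all three, e.g. a private `def namespace_id` returning `params[:namespace_id].presence` and `extra_import_params.merge({ namespace_id: namespace_id })` in each helper. Because the `callback` hunk stops reading `session[:namespace_id]`, the namespace now travels only through the provider's redirect query string; that is acceptable given the `secure_compare` on `state`, but any authorisation started before this deploys will come back without a namespace, which is worth a line in the MR description. As before, the id is user-chosen, so the authorisation of the current user against that namespace has to happen where the import is created, which is not in this diff.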


@ -12,8 +12,8 @@ class Import::GitlabController < Import::BaseController
rescue_from OAuth2::Error, with: :gitlab_unauthorized
def callback
session[:gitlab_access_token] = client.get_token(params[:code], callback_import_gitlab_url)
redirect_to status_import_gitlab_url
session[:gitlab_access_token] = client.get_token(params[:code], callback_import_gitlab_url(namespace_id: params[:namespace_id]))
redirect_to status_import_gitlab_url(namespace_id: params[:namespace_id])
end
# We need to re-expose controller's internal method 'status' as action.
@ -79,7 +79,7 @@ class Import::GitlabController < Import::BaseController
end
def go_to_gitlab_for_permissions
redirect_to client.authorize_url(callback_import_gitlab_url)
redirect_to client.authorize_url(callback_import_gitlab_url(namespace_id: params[:namespace_id]))
end
def gitlab_unauthorized
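Review bot: `callback` exchanges `params[:code]` and writes the token into the session without any `state` round-trip, unlike the Bitbucket and GitHub callbacks on this same page, which `secure_compare` a session-stored state before calling `get_token`; if `client` does not enforce state internally (not visible here), a cross-site request to this callback carrying an attacker-obtained code would bind the attacker's gitlab.com token to the victim's session. Since this hunk already rewires `go_to_gitlab_for_permissions` and `callback`, it is a good moment to generate a `SecureRandom.base64(64)` state in `go_to_gitlab_for_permissions`, store it in the session, pass it on `authorize_url` (the client's signature for that is outside this diff), and check it in `callback` as below; `.to_s` on `params[:state]` makes a missing parameter fail the compare instead of raising inside `secure_compare`. `gitlab_unauthorized` is defined without parameters, so it can be called directly.

```ruby
def callback
  auth_state = session.delete(:gitlab_auth_state)

  if auth_state.blank? || !ActiveSupport::SecurityUtils.secure_compare(auth_state, params[:state].to_s)
    gitlab_unauthorized
  else
    session[:gitlab_access_token] = client.get_token(params[:code], callback_import_gitlab_url(namespace_id: params[:namespace_id]))
    redirect_to status_import_gitlab_url(namespace_id: params[:namespace_id])
  end
end
```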


@ -6,4 +6,4 @@
= sprite_icon('bitbucket', css_class: 'gl-mr-2')
= _('Import projects from Bitbucket')
= render 'import/githubish_status', provider: 'bitbucket'
= render 'import/githubish_status', provider: 'bitbucket', default_namespace: @namespace


@ -3,4 +3,4 @@
= sprite_icon('heart', css_class: 'gl-vertical-align-middle')
= _('Import projects from GitLab.com')
= render 'import/githubish_status', provider: 'gitlab', filterable: false
= render 'import/githubish_status', provider: 'gitlab', filterable: false, default_namespace: @namespace


@ -24,7 +24,7 @@
- if bitbucket_import_enabled?
%div
= link_to status_import_bitbucket_path, class: "gl-button btn-default btn import_bitbucket js-import-project-btn #{'js-how-to-import-link' unless bitbucket_import_configured?}",
= link_to status_import_bitbucket_path(namespace_id: namespace_id), class: "gl-button btn-default btn import_bitbucket js-import-project-btn #{'js-how-to-import-link' unless bitbucket_import_configured?}",
data: { modal_title: _("Import projects from Bitbucket"), modal_message: import_from_bitbucket_message, platform: 'bitbucket_cloud', **tracking_attrs_data(track_label, 'click_button', 'bitbucket_cloud') } do
.gl-button-icon
= sprite_icon('bitbucket')
@ -38,7 +38,7 @@
%div
- if gitlab_import_enabled?
%div
= link_to status_import_gitlab_path, class: "gl-button btn-default btn import_gitlab js-import-project-btn #{'js-how-to-import-link' unless gitlab_import_configured?}",
= link_to status_import_gitlab_path(namespace_id: namespace_id), class: "gl-button btn-default btn import_gitlab js-import-project-btn #{'js-how-to-import-link' unless gitlab_import_configured?}",
data: { modal_title: _("Import projects from GitLab.com"), modal_message: import_from_gitlab_message, platform: 'gitlab_com', **tracking_attrs_data(track_label, 'click_button', 'gitlab_com') } do
.gl-button-icon
= sprite_icon('tanuki')


@ -23,7 +23,10 @@ See [Award Emoji on Comments](#award-emoji-on-comments) for information on using
### List an awardable's award emojis
Get a list of all award emojis for a specified awardable.
> [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/335068) in GitLab 15.1 to allow unauthenticated access to public awardables.
Get a list of all award emojis for a specified awardable. This endpoint can
be accessed without authentication if the awardable is publicly accessible.
```plaintext
GET /projects/:id/issues/:issue_iid/award_emoji
@ -85,7 +88,10 @@ Example response:
### Get single award emoji
Get a single award emoji from an issue, snippet, or merge request.
> [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/335068) in GitLab 15.1 to allow unauthenticated access to public awardables.
Get a single award emoji from an issue, snippet, or merge request. This endpoint can
be accessed without authentication if the awardable is publicly accessible.
```plaintext
GET /projects/:id/issues/:issue_iid/award_emoji/:award_id
@ -206,7 +212,10 @@ adapted to comments on merge requests and snippets. Therefore, you have to repla
### List a comment's award emojis
Get all award emojis for a comment (note).
> [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/335068) in GitLab 15.1 to allow unauthenticated access to public comments.
Get all award emojis for a comment (note). This endpoint can
be accessed without authentication if the comment is publicly accessible.
```plaintext
GET /projects/:id/issues/:issue_iid/notes/:note_id/award_emoji
@ -251,7 +260,10 @@ Example response:
### Get an award emoji for a comment
Get a single award emoji for a comment (note).
> [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/335068) in GitLab 15.1 to allow unauthenticated access to public comments.
Get a single award emoji for a comment (note). This endpoint can
be accessed without authentication if the comment is publicly accessible.
```plaintext
GET /projects/:id/issues/:issue_iid/notes/:note_id/award_emoji/:award_id


@ -223,7 +223,7 @@ These variables are injected into the pipeline jobs and can access the ECS API.
|`AWS_SECRET_ACCESS_KEY`|`<Secret access key of the deployer>`| For authenticating `aws` CLI. |
|`AWS_DEFAULT_REGION`|`us-east-2`| For authenticating `aws` CLI. |
|`CI_AWS_ECS_CLUSTER`|`ecs-demo`| The ECS cluster is accessed by `production_ecs` job. |
|`CI_AWS_ECS_SERVICE`|`ecs_demo`| The ECS service of the cluster is updated by `production_ecs` job. |
|`CI_AWS_ECS_SERVICE`|`ecs_demo`| The ECS service of the cluster is updated by `production_ecs` job. Ensure that this variable is scoped to the appropriate environment (`production`, `staging`, `review/*`). |
|`CI_AWS_ECS_TASK_DEFINITION`|`ecs_demo`| The ECS task definition is updated by `production_ecs` job. |
### Make a change to the demo application
@ -246,6 +246,24 @@ NOTE:
ECS deploy jobs wait for the rollout to complete before exiting. To disable this behavior,
set `CI_AWS_ECS_WAIT_FOR_ROLLOUT_COMPLETE_DISABLED` to a non-empty value.
## Set up Review Apps
In order to use [Review Apps](../../../development/testing_guide/review_apps.md) with ECS, you should create another
[service](#create-an-ecs-service) and specify its name using the `CI_AWS_ECS_SERVICE` variable scoped to `review/*`.
Since this service is shared by all review apps, there is a limitation that only one Review App can be deployed at a time.
## Set up Security Testing
### Configure SAST
Using [SAST](../../../user/application_security/sast/index.md) with ECS requires no extra configuration. For more
details about how to configure SAST, see the SAST [documentation](../../../user/application_security/sast/index.md).
### Configure DAST
To use [DAST](../../../user/application_security/dast/index.md) on non-default branches, [set up review apps](#set-up-review-apps)
and then follow the steps outlined in the DAST [documentation](../../../user/application_security/dast/index.md).
## Further reading
- If you're interested in more of the continuous deployments to clouds, see [cloud deployments](../index.md).


@ -93,7 +93,7 @@ To deploy to your ECS cluster:
| Environment variable name | Value |
|:-------------------------------|:------------------------|
| `CI_AWS_ECS_CLUSTER` | The name of the AWS ECS cluster that you're targeting for your deployments. |
| `CI_AWS_ECS_SERVICE` | The name of the targeted service tied to your AWS ECS cluster. |
| `CI_AWS_ECS_SERVICE` | The name of the targeted service tied to your AWS ECS cluster. Ensure that this variable is scoped to the appropriate environment (`production`, `staging`, `review/*`). |
| `CI_AWS_ECS_TASK_DEFINITION` | If the task definition is in ECS, the name of the task definition tied to the service. |
| `CI_AWS_ECS_TASK_DEFINITION_FILE` | If the task definition is a JSON file in GitLab, the filename, including the path. For example, `ci/aws/my_task_definition.json`. If the name of the task definition in your JSON file is the same name as an existing task definition in ECS, then a new revision is created when CI/CD runs. Otherwise, a brand new task definition is created, starting at revision 1. |


@ -24,7 +24,7 @@ The following table lists examples with step-by-step tutorials that are containe
| Use case | Resource |
|-------------------------------|----------|
| Browser performance testing | [Browser Performance Testing with the Sitespeed.io container](../../user/project/merge_requests/browser_performance_testing.md). |
| Browser performance testing | [Browser Performance Testing with the Sitespeed.io container](../testing/browser_performance_testing.md). |
| Deployment with Dpl | [Using `dpl` as deployment tool](deployment/index.md). |
| GitLab Pages | See the [GitLab Pages](../../user/project/pages/index.md) documentation for a complete example of deploying a static site. |
| End-to-end testing | [End-to-end testing with GitLab CI/CD and WebdriverIO](end_to_end_testing_webdriverio/index.md). |


@ -83,7 +83,7 @@ GitLab CI/CD features, grouped by DevOps stage, include:
| [ChatOps](chatops/index.md) | Trigger CI jobs from chat, with results sent back to the channel. |
| [Connect to cloud services](cloud_services/index.md) | Connect to cloud providers using OpenID Connect (OIDC) to retrieve temporary credentials to access services or secrets. |
| **Verify** | |
| [Browser Performance Testing](../user/project/merge_requests/browser_performance_testing.md) | Quickly determine the browser performance impact of pending code changes. |
| [Browser Performance Testing](testing/browser_performance_testing.md) | Quickly determine the browser performance impact of pending code changes. |
| [Load Performance Testing](../user/project/merge_requests/load_performance_testing.md) | Quickly determine the server performance impact of pending code changes. |
| [CI services](services/index.md) | Link Docker containers with your base image. |
| [GitLab CI/CD for external repositories](ci_cd_for_external_repos/index.md) | Get the benefits of GitLab CI/CD combined with repositories in GitHub and Bitbucket Cloud. |
@ -101,7 +101,7 @@ GitLab CI/CD features, grouped by DevOps stage, include:
| [GitLab Releases](../user/project/releases/index.md) | Add release notes to Git tags. |
| [Cloud deployment](cloud_deployment/index.md) | Deploy your application to a main cloud provider. |
| **Secure** | |
| [Code Quality](../user/project/merge_requests/code_quality.md) | Analyze your source code quality. |
| [Code Quality](testing/code_quality.md) | Analyze your source code quality. |
| [Container Scanning](../user/application_security/container_scanning/index.md) | Check your Docker containers for known vulnerabilities. |
| [Dependency Scanning](../user/application_security/dependency_scanning/index.md) | Analyze your dependencies for known vulnerabilities. |
| [License Compliance](../user/compliance/license_compliance/index.md) | Search your project dependencies for their licenses. |


@ -8,7 +8,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/9788) in GitLab 11.10. Requires GitLab Runner 11.10 and above.
GitLab provides a lot of great reporting tools for things like [merge requests](../user/project/merge_requests/index.md) - [Unit test reports](testing/unit_test_reports.md), [code quality](../user/project/merge_requests/code_quality.md), and performance tests. While JUnit is a great open framework for tests that "pass" or "fail", it is also important to see other types of metrics from a given change.
GitLab provides a lot of great reporting tools for things like [merge requests](../user/project/merge_requests/index.md) - [Unit test reports](testing/unit_test_reports.md), [code quality](testing/code_quality.md), and performance tests. While JUnit is a great open framework for tests that "pass" or "fail", it is also important to see other types of metrics from a given change.
You can configure your job to use custom Metrics Reports, and GitLab displays a report on the merge request so that it's easier and faster to identify changes without having to check the entire log.


@ -75,7 +75,7 @@ The [Pipeline success and duration charts](index.md#pipeline-success-and-duratio
give information about pipeline runtime and failed job counts.
Tests like [unit tests](../testing/unit_test_reports.md), integration tests, end-to-end tests,
[code quality](../../user/project/merge_requests/code_quality.md) tests, and others
[code quality](../testing/code_quality.md) tests, and others
ensure that problems are automatically found by the CI/CD pipeline. There could be many
pipeline stages involved causing long runtimes.


@ -0,0 +1,76 @@
---
stage: Verify
group: Pipeline Insights
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
# Accessibility testing **(FREE)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/25144) in GitLab 12.8.
If your application offers a web interface, you can use
[GitLab CI/CD](../index.md) to determine the accessibility
impact of pending code changes.
[Pa11y](https://pa11y.org/) is a free and open source tool for
measuring the accessibility of web sites. GitLab integrates Pa11y into a
[CI job template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Verify/Accessibility.gitlab-ci.yml).
The `a11y` job analyzes a defined set of web pages and reports
accessibility violations, warnings, and notices in a file named
`accessibility`.
As of [GitLab 14.5](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/73309), Pa11y uses
[WCAG 2.1 rules](https://www.w3.org/TR/WCAG21/#new-features-in-wcag-2-1).
## Accessibility merge request widget
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/39425) in GitLab 13.0 behind the disabled [feature flag](../../administration/feature_flags.md) `:accessibility_report_view`.
> - [Feature Flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/217372) in GitLab 13.1.
GitLab displays an **Accessibility Report** in the merge request widget area:
![Accessibility merge request widget](img/accessibility_mr_widget_v13_0.png)
## Configure accessibility testing
You can run Pa11y with GitLab CI/CD using the
[GitLab Accessibility Docker image](https://gitlab.com/gitlab-org/ci-cd/accessibility).
To define the `a11y` job for GitLab 12.9 and later:
1. [Include](../yaml/index.md#includetemplate) the
[`Accessibility.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Verify/Accessibility.gitlab-ci.yml)
from your GitLab installation.
1. Add the following configuration to your `.gitlab-ci.yml` file.
```yaml
stages:
- accessibility
variables:
a11y_urls: "https://about.gitlab.com https://gitlab.com/users/sign_in"
include:
- template: "Verify/Accessibility.gitlab-ci.yml"
```
1. Customize the `a11y_urls` variable to list the URLs of the web pages to test with Pa11y.
The `a11y` job in your CI/CD pipeline generates these files:
- One HTML report per URL listed in the `a11y_urls` variable.
- One file containing the collected report data. In GitLab versions 12.11 and later, this
file is named `gl-accessibility.json`. In GitLab versions 12.10 and earlier, this file
is named [`accessibility.json`](https://gitlab.com/gitlab-org/ci-cd/accessibility/-/merge_requests/9).
You can [view job artifacts in your browser](../pipelines/job_artifacts.md#download-job-artifacts).
NOTE:
For GitLab versions earlier than 12.9, use `include:remote` and
link to the [current template in the default branch](https://gitlab.com/gitlab-org/gitlab/-/raw/master/lib/gitlab/ci/templates/Verify/Accessibility.gitlab-ci.yml)
NOTE:
The job definition provided by the template does not support Kubernetes.
You cannot pass configurations into Pa11y via CI configuration.
To change the configuration, edit a copy of the template in your CI file.


@ -0,0 +1,242 @@
---
stage: Verify
group: Pipeline Insights
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
# Browser Performance Testing **(PREMIUM)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/3507) in GitLab 10.3.
If your application offers a web interface and you're using
[GitLab CI/CD](../index.md), you can quickly determine the rendering performance
impact of pending code changes in the browser.
NOTE:
You can automate this feature in your applications by using [Auto DevOps](../../topics/autodevops/index.md).
## Overview
GitLab uses [Sitespeed.io](https://www.sitespeed.io), a free and open source
tool, for measuring the rendering performance of web sites. The
[Sitespeed plugin](https://gitlab.com/gitlab-org/gl-performance) that GitLab built outputs
the performance score for each page analyzed in a file called `browser-performance.json`
this data can be shown on Merge Requests.
## Use cases
Consider the following workflow:
1. A member of the marketing team is attempting to track engagement by adding a new tool.
1. With browser performance metrics, they see how their changes are impacting the usability
of the page for end users.
1. The metrics show that after their changes, the performance score of the page has gone down.
1. When looking at the detailed report, they see the new JavaScript library was
included in `<head>`, which affects loading page speed.
1. They ask for help from a front end developer, who sets the library to load asynchronously.
1. The frontend developer approves the merge request, and authorizes its deployment to production.
## How browser performance testing works
First, define a job in your `.gitlab-ci.yml` file that generates the
[Browser Performance report artifact](../yaml/artifacts_reports.md#artifactsreportsbrowser_performance).
GitLab then checks this report, compares key performance metrics for each page
between the source and target branches, and shows the information in the merge request.
For an example Browser Performance job, see
[Configuring Browser Performance Testing](#configuring-browser-performance-testing).
NOTE:
If the Browser Performance report has no data to compare, such as when you add the
Browser Performance job in your `.gitlab-ci.yml` for the very first time,
the Browser Performance report widget doesn't display. It must have run at least
once on the target branch (`main`, for example), before it displays in a
merge request targeting that branch.
![Browser Performance Widget](img/browser_performance_testing.png)
## Configuring Browser Performance Testing
This example shows how to run the [sitespeed.io container](https://hub.docker.com/r/sitespeedio/sitespeed.io/)
on your code by using GitLab CI/CD and [sitespeed.io](https://www.sitespeed.io)
using Docker-in-Docker.
1. First, set up GitLab Runner with a
[Docker-in-Docker build](../docker/using_docker_build.md#use-docker-in-docker).
1. Configure the default Browser Performance Testing CI/CD job as follows in your `.gitlab-ci.yml` file:
```yaml
include:
template: Verify/Browser-Performance.gitlab-ci.yml
browser_performance:
variables:
URL: https://example.com
```
WARNING:
In GitLab 13.12 and earlier, the job [was named](https://gitlab.com/gitlab-org/gitlab/-/issues/225914) `performance`.
The above example:
- Creates a `browser_performance` job in your CI/CD pipeline and runs sitespeed.io against the webpage you
defined in `URL` to gather key metrics.
- Uses a template that doesn't work with Kubernetes clusters. If you are using a Kubernetes cluster,
use [`template: Jobs/Browser-Performance-Testing.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Browser-Performance-Testing.gitlab-ci.yml)
instead.
- Uses a CI/CD template that is included in all GitLab installations since 12.4. If you are using
GitLab 12.3 or earlier, you must [add the configuration manually](#gitlab-versions-132-and-earlier).
The template uses the [GitLab plugin for sitespeed.io](https://gitlab.com/gitlab-org/gl-performance),
and it saves the full HTML sitespeed.io report as a [Browser Performance report artifact](../yaml/artifacts_reports.md#artifactsreportsbrowser_performance)
that you can later download and analyze. This implementation always takes the latest
Browser Performance artifact available. If [GitLab Pages](../../user/project/pages/index.md) is enabled,
you can view the report directly in your browser.
You can also customize the jobs with CI/CD variables:
- `SITESPEED_IMAGE`: Configure the Docker image to use for the job (default `sitespeedio/sitespeed.io`), but not the image version.
- `SITESPEED_VERSION`: Configure the version of the Docker image to use for the job (default `14.1.0`).
- `SITESPEED_OPTIONS`: Configure any additional sitespeed.io options as required (default `nil`). Refer to the [sitespeed.io documentation](https://www.sitespeed.io/documentation/sitespeed.io/configuration/) for more details.
For example, you can override the number of runs sitespeed.io
makes on the given URL, and change the version:
```yaml
include:
template: Verify/Browser-Performance.gitlab-ci.yml
browser_performance:
variables:
URL: https://www.sitespeed.io/
SITESPEED_VERSION: 13.2.0
SITESPEED_OPTIONS: -n 5
```
### Configuring degradation threshold
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/27599) in GitLab 13.0.
You can configure the sensitivity of degradation alerts to avoid getting alerts for minor drops in metrics.
This is done by setting the `DEGRADATION_THRESHOLD` CI/CD variable. In the example below, the alert only shows up
if the `Total Score` metric degrades by 5 points or more:
```yaml
include:
template: Verify/Browser-Performance.gitlab-ci.yml
browser_performance:
variables:
URL: https://example.com
DEGRADATION_THRESHOLD: 5
```
The `Total Score` metric is based on sitespeed.io's [coach performance score](https://www.sitespeed.io/documentation/sitespeed.io/metrics/#performance-score). There is more information in [the coach documentation](https://www.sitespeed.io/documentation/coach/how-to/#what-do-the-coach-do).
### Performance testing on Review Apps
The above CI YAML configuration is great for testing against static environments, and it can
be extended for dynamic environments, but a few extra steps are required:
1. The `browser_performance` job should run after the dynamic environment has started.
1. In the `review` job:
1. Generate a URL list file with the dynamic URL.
1. Save the file as an artifact, for example with `echo $CI_ENVIRONMENT_URL > environment_url.txt`
in your job's `script`.
1. Pass the list as the URL environment variable (which can be a URL or a file containing URLs)
to the `browser_performance` job.
1. You can now run the sitespeed.io container against the desired hostname and
paths.
Your `.gitlab-ci.yml` file would look like:
```yaml
stages:
- deploy
- performance
include:
template: Verify/Browser-Performance.gitlab-ci.yml
review:
stage: deploy
environment:
name: review/$CI_COMMIT_REF_SLUG
url: http://$CI_COMMIT_REF_SLUG.$APPS_DOMAIN
script:
- run_deploy_script
- echo $CI_ENVIRONMENT_URL > environment_url.txt
artifacts:
paths:
- environment_url.txt
only:
- branches
except:
- master
browser_performance:
dependencies:
- review
variables:
URL: environment_url.txt
```
### GitLab versions 13.2 and earlier
Browser Performance Testing has gone through several changes since its introduction.
In this section we detail these changes and how you can run the test based on your
GitLab version:
- In 13.2 the feature was renamed from `Performance` to `Browser Performance` with additional
template CI/CD variables.
- In GitLab 12.4 [a job template was made available](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Verify/Browser-Performance.gitlab-ci.yml).
- For 11.5 to 12.3 no template is available and the job has to be defined manually as follows:
```yaml
performance:
stage: performance
image: docker:git
variables:
URL: https://example.com
SITESPEED_VERSION: 14.1.0
SITESPEED_OPTIONS: ''
services:
- docker:stable-dind
script:
- mkdir gitlab-exporter
- wget -O ./gitlab-exporter/index.js https://gitlab.com/gitlab-org/gl-performance/raw/1.1.0/index.js
- mkdir sitespeed-results
- docker run --shm-size=1g --rm -v "$(pwd)":/sitespeed.io sitespeedio/sitespeed.io:$SITESPEED_VERSION --plugins.add ./gitlab-exporter --outputFolder sitespeed-results $URL $SITESPEED_OPTIONS
- mv sitespeed-results/data/performance.json performance.json
artifacts:
paths:
- performance.json
- sitespeed-results/
reports:
performance: performance.json
```
- For 11.4 and earlier the job should be defined as follows:
```yaml
performance:
stage: performance
image: docker:git
variables:
URL: https://example.com
services:
- docker:stable-dind
script:
- mkdir gitlab-exporter
- wget -O ./gitlab-exporter/index.js https://gitlab.com/gitlab-org/gl-performance/raw/1.1.0/index.js
- mkdir sitespeed-results
- docker run --shm-size=1g --rm -v "$(pwd)":/sitespeed.io sitespeedio/sitespeed.io:6.3.1 --plugins.add ./gitlab-exporter --outputFolder sitespeed-results $URL
- mv sitespeed-results/data/performance.json performance.json
artifacts:
paths:
- performance.json
- sitespeed-results/
```
Upgrading to the latest version and using the templates is recommended, to ensure
you receive the latest updates, including updates to the sitespeed.io versions.


@ -0,0 +1,633 @@
---
stage: Secure
group: Static Analysis
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
# Code Quality **(FREE)**
> [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/212499) to GitLab Free in 13.2.
To ensure your project's code stays simple, readable, and easy to contribute to,
you can use [GitLab CI/CD](../index.md) to analyze your source code quality.
For example, while you're implementing a feature, you can run Code Quality reports
to analyze how your improvements are impacting your code's quality. You can
use this information to ensure that your changes are improving performance rather
than degrading it.
Code Quality:
- Uses [plugins](https://docs.codeclimate.com/docs/list-of-engines) supported by Code Climate, which are
free and open source. Code Quality does not require a Code Climate
subscription.
- Runs in [pipelines](../pipelines/index.md) by using a Docker image built in the
[GitLab Code Quality](https://gitlab.com/gitlab-org/ci-cd/codequality) project.
- Uses [default Code Climate configurations](https://gitlab.com/gitlab-org/ci-cd/codequality/-/tree/master/codeclimate_defaults).
- Can make use of a [template](#example-configuration).
- Is available by using [Auto Code Quality](../../topics/autodevops/stages.md#auto-code-quality), provided by [Auto DevOps](../../topics/autodevops/index.md).
- Can be extended through [Analysis Plugins](https://docs.codeclimate.com/docs/list-of-engines) or a [custom tool](#implementing-a-custom-tool).
## Summary of features per tier
Different features are available in different [GitLab tiers](https://about.gitlab.com/pricing/),
as shown in the following table:
| Capability | In Free | In Premium | In Ultimate |
|:----------------------------------------------------------------------|:--------------------|:--------------------|:-------------------|
| [Configure scanners](#configuring-jobs-using-variables) | **{check-circle}** | **{check-circle}** | **{check-circle}** |
| [Integrate custom scanners](#implementing-a-custom-tool) | **{check-circle}** | **{check-circle}** | **{check-circle}** |
| [Generate JSON or HTML report artifacts](#generate-an-html-report) | **{check-circle}** | **{check-circle}** | **{check-circle}** |
| [See findings in merge request widget](#code-quality-widget) | **{check-circle}** | **{check-circle}** | **{check-circle}** |
| [See reports in CI pipelines](#code-quality-reports) | **{dotted-circle}** | **{check-circle}** | **{check-circle}** |
| [See findings in merge request diff view](#code-quality-in-diff-view) | **{dotted-circle}** | **{dotted-circle}** | **{check-circle}** |
## Code Quality Widget
> [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/212499) to GitLab Free in 13.2.
Going a step further, GitLab can show the Code Quality report right
in the merge request widget area if a report from the target branch is available to compare to:
![Code Quality Widget](img/code_quality_widget_13_11.png)
Watch a quick walkthrough of Code Quality in action:
<div class="video-fallback">
See the video: <a href="https://www.youtube.com/watch?v=B32LxtJKo9M">Code Quality: Speed Run</a>.
</div>
<figure class="video-container">
<iframe src="https://www.youtube.com/embed/B32LxtJKo9M" frameborder="0" allowfullscreen="true"> </iframe>
</figure>
NOTE:
For one customer, the auditor found that having Code Quality, SAST, and Container Scanning all automated in GitLab CI/CD was almost better than a manual review! [Read more](https://about.gitlab.com/customers/bi_worldwide/).
See also the Code Climate list of [Supported Languages for Maintainability](https://docs.codeclimate.com/docs/supported-languages-for-maintainability).
## Code Quality in diff view **(ULTIMATE)**
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/267612) in GitLab 13.11, disabled by default behind the `codequality_mr_diff` [feature flag](../../administration/feature_flags.md).
> - [Enabled by default](https://gitlab.com/gitlab-org/gitlab/-/issues/284140) in GitLab 13.12.
> - [Disabled by default](https://gitlab.com/gitlab-org/gitlab/-/issues/2526) in GitLab 14.0 due to [this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/334116).
> - [Inline annotation added](https://gitlab.com/gitlab-org/gitlab/-/issues/2526) and [feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/284140) in GitLab 14.1.
Changes to files in merge requests can cause Code Quality to fall if merged. In these cases,
the merge request's diff view displays an indicator next to lines with new Code Quality violations. For example:
![Code Quality MR diff report](img/code_quality_mr_diff_report_v14_2.png)
## Example configuration
This example shows how to run Code Quality on your code by using GitLab CI/CD and Docker.
- Using shared runners, the job should be configured For the [Docker-in-Docker workflow](../docker/using_docker_build.md#use-docker-in-docker).
- Using private runners, there is an [alternative configuration](#set-up-a-private-runner-for-code-quality-without-docker-in-docker) recommended for running Code Quality analysis more efficiently.
In either configuration, the runner must have enough disk space to handle generated Code Quality files. For example on the [GitLab project](https://gitlab.com/gitlab-org/gitlab) the files are approximately 7 GB.
Once you set up GitLab Runner, include the [Code Quality template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Code-Quality.gitlab-ci.yml) in your CI configuration:
```yaml
include:
- template: Code-Quality.gitlab-ci.yml
```
The above example creates a `code_quality` job in your CI/CD pipeline which
scans your source code for code quality issues. The report is saved as a
[Code Quality report artifact](../yaml/artifacts_reports.md#artifactsreportscodequality)
that you can later download and analyze.
It's also possible to override the URL to the Code Quality image by
setting the `CODE_QUALITY_IMAGE` CI/CD variable. This is particularly useful if you want
to lock in a specific version of Code Quality, or use a fork of it:
```yaml
include:
- template: Code-Quality.gitlab-ci.yml
code_quality:
variables:
CODE_QUALITY_IMAGE: "registry.example.com/codequality-fork:latest"
```
In [GitLab 13.4 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/11100), you can override the [Code Quality environment variables](https://gitlab.com/gitlab-org/ci-cd/codequality#environment-variables):
```yaml
variables:
TIMEOUT_SECONDS: 1
include:
- template: Code-Quality.gitlab-ci.yml
```
By default, report artifacts are not downloadable. If you need them downloadable on the
job details page, you can add `gl-code-quality-report.json` to the artifact paths like so:
```yaml
include:
- template: Code-Quality.gitlab-ci.yml
code_quality:
artifacts:
paths: [gl-code-quality-report.json]
```
The included `code_quality` job is running in the `test` stage, so it needs to be included in your CI configuration, like so:
```yaml
stages:
- test
```
NOTE:
This information is automatically extracted and shown right in the merge request widget.
WARNING:
On self-managed instances, if a malicious actor compromises the Code Quality job
definition they could execute privileged Docker commands on the runner
host. Having proper access control policies mitigates this attack vector by
allowing access only to trusted actors.
### Set up a private runner for code quality without Docker-in-Docker
It's possible to configure your own runners and avoid Docker-in-Docker. You can use a
configuration that may greatly speed up job execution without requiring your runners
to operate in privileged mode.
This alternative configuration uses socket binding to share the Runner's Docker daemon
with the job environment. Be aware that this configuration [has significant considerations](../docker/using_docker_build.md#use-docker-socket-binding)
to be consider, but may be preferable depending on your use case.
1. Register a new runner:
```shell
$ gitlab-runner register --executor "docker" \
--docker-image="docker:stable" \
--url "https://gitlab.com/" \
--description "cq-sans-dind" \
--tag-list "cq-sans-dind" \
--locked="false" \
--access-level="not_protected" \
--docker-volumes "/cache"\
--docker-volumes "/builds:/builds"\
--docker-volumes "/var/run/docker.sock:/var/run/docker.sock" \
--registration-token="<project_token>" \
--non-interactive
```
1. **Optional, but recommended:** Set the builds directory to `/tmp/builds`,
so job artifacts are periodically purged from the runner host. If you skip
this step, you must clean up the default builds directory (`/builds`) yourself.
You can do this by adding the following two flags to `gitlab-runner register`
in the previous step.
```shell
--builds-dir "/tmp/builds"
--docker-volumes "/tmp/builds:/tmp/builds" # Use this instead of --docker-volumes "/builds:/builds"
```
The resulting configuration:
```toml
[[runners]]
name = "cq-sans-dind"
url = "https://gitlab.com/"
token = "<project_token>"
executor = "docker"
builds_dir = "/tmp/builds"
[runners.docker]
tls_verify = false
image = "docker:stable"
privileged = false
disable_entrypoint_overwrite = false
oom_kill_disable = false
disable_cache = false
volumes = ["/cache", "/var/run/docker.sock:/var/run/docker.sock", "/tmp/builds:/tmp/builds"]
shm_size = 0
[runners.cache]
[runners.cache.s3]
[runners.cache.gcs]
```
1. Apply two overrides to the `code_quality` job created by the template:
```yaml
include:
- template: Code-Quality.gitlab-ci.yml
code_quality:
services: # Shut off Docker-in-Docker
tags:
- cq-sans-dind # Set this job to only run on our new specialized runner
```
The end result is that:
- Privileged mode is not used.
- Docker-in-Docker is not used.
- Docker images, including all CodeClimate images, are cached, and not re-fetched for subsequent jobs.
With this configuration, the run time for a second pipeline is much shorter. For example
this [small change](https://gitlab.com/drew/test-code-quality-template/-/merge_requests/4/diffs?commit_id=1e705607aef7236c1b20bb6f637965f3f3e53a46)
to an [open merge request](https://gitlab.com/drew/test-code-quality-template/-/merge_requests/4/pipelines)
running Code Quality analysis ran significantly faster the second time:
![Code Quality sequential runs without DinD](img/code_quality_host_bound_sequential.png)
This configuration is not possible on `gitlab.com` shared runners. Shared runners
are configured with `privileged=true`, and they do not expose `docker.sock` into
the job container. As a result, socket binding cannot be used to make `docker` available
in the context of the job script.
[Docker-in-Docker](../docker/using_docker_build.md#use-docker-in-docker)
was chosen as an operational decision by the runner team, instead of exposing `docker.sock`.
### Disabling the code quality job
The `code_quality` job doesn't run if the `$CODE_QUALITY_DISABLED` CI/CD variable
is present. Please refer to the CI/CD variables [documentation](../variables/index.md)
to learn more about how to define one.
To disable the `code_quality` job, add `CODE_QUALITY_DISABLED` as a custom CI/CD variable.
This can be done:
- For [the whole project](../variables/index.md#custom-cicd-variables).
- For a single pipeline run:
1. Go to **CI/CD > Pipelines**
1. Select **Run pipeline**
1. Add `CODE_QUALITY_DISABLED` as the variable key, with any value.
### Using with merge request pipelines
The configuration provided by the Code Quality template does not let the `code_quality` job
run on [merge request pipelines](../pipelines/merge_request_pipelines.md).
If merge request pipelines is enabled, the `code_quality:rules` must be redefined.
The template has these [`rules`](../yaml/index.md#rules) for the `code quality` job:
```yaml
code_quality:
rules:
- if: $CODE_QUALITY_DISABLED
when: never
- if: $CI_COMMIT_TAG || $CI_COMMIT_BRANCH
```
If you are using merge request pipelines, your `rules` (or [`workflow: rules`](../yaml/index.md#workflow))
might look like this example:
```yaml
job1:
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event" # Run job1 in merge request pipelines
- if: $CI_COMMIT_BRANCH == "main" # Run job1 in pipelines on the main branch (but not in other branch pipelines)
- if: $CI_COMMIT_TAG # Run job1 in pipelines for tags
```
To make these work together, you need to overwrite the code quality `rules`
so that they match your current `rules`. From the example above, it could look like:
```yaml
include:
- template: Code-Quality.gitlab-ci.yml
code_quality:
rules:
- if: $CODE_QUALITY_DISABLED
when: never
- if: $CI_PIPELINE_SOURCE == "merge_request_event" # Run code quality job in merge request pipelines
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH # Run code quality job in pipelines on the default branch (but not in other branch pipelines)
- if: $CI_COMMIT_TAG # Run code quality job in pipelines for tags
```
### Configure Code Quality to use a private container image registry
> [Introduced](https://gitlab.com/gitlab-org/ci-cd/codequality/-/merge_requests/30) in 13.7.
To reduce network time and external dependency, you can use your own
container image registry to host the Code Quality Docker images. Because of
the nested architecture of container execution, the registry prefix must
be specifically configured to be passed down into CodeClimate's subsequent
`docker pull` commands for individual engines.
The following two variables can address all of the required image pulls:
- `CODE_QUALITY_IMAGE`: A fully prefixed image name that can be located anywhere
accessible from your job environment. GitLab Container Registry can be used here
to host your own copy.
- `CODECLIMATE_PREFIX`: The domain of your intended container image registry. This
is a configuration option supported by [CodeClimate CLI](https://github.com/codeclimate/codeclimate/pull/948). You must:
- Include a trailing slash (`/`).
- Not include a protocol prefix, such as `https://`.
```yaml
include:
- template: Jobs/Code-Quality.gitlab-ci.yml
code_quality:
variables:
CODE_QUALITY_IMAGE: "my-private-registry.local:12345/codequality:0.85.24"
CODECLIMATE_PREFIX: "my-private-registry.local:12345/"
```
This example is specific to GitLab Code Quality. For more general
instructions on how to configure DinD with a registry mirror, see the
relevant [documentation](../docker/using_docker_build.md#enable-registry-mirror-for-dockerdind-service).
## Configuring jobs using variables
The Code Quality job supports environment variables that users can set to
configure job execution at runtime.
For a list of available environment variables, see
[Environment variables](https://gitlab.com/gitlab-org/ci-cd/codequality#environment-variables).
## Implementing a custom tool
It's possible to have a custom tool provide Code Quality reports in GitLab. To
do this:
1. Define a job in your `.gitlab-ci.yml` file that generates the
[Code Quality report artifact](../yaml/artifacts_reports.md#artifactsreportscodequality).
1. Configure your tool to generate the Code Quality report artifact as a JSON
file that implements a subset of the [Code Climate spec](https://github.com/codeclimate/platform/blob/master/spec/analyzers/SPEC.md#data-types).
The Code Quality report artifact JSON file must contain an array of objects
with the following properties:
| Name | Description |
| ---------------------- | ----------------------------------------------------------------------------------------- |
| `description` | A description of the code quality violation. |
| `fingerprint` | A unique fingerprint to identify the code quality violation. For example, an MD5 hash. |
| `severity` | A severity string (can be `info`, `minor`, `major`, `critical`, or `blocker`). |
| `location.path` | The relative path to the file containing the code quality violation. |
| `location.lines.begin` or `location.positions.begin.line` | The line on which the code quality violation occurred. |
Example:
```json
[
{
"description": "'unused' is assigned a value but never used.",
"fingerprint": "7815696ecbf1c96e6894b779456d330e",
"severity": "minor",
"location": {
"path": "lib/index.js",
"lines": {
"begin": 42
}
}
}
]
```
NOTE:
Although the Code Climate spec supports more properties, those are ignored by
GitLab.
The GitLab parser does not allow a [byte order mark](https://en.wikipedia.org/wiki/Byte_order_mark)
at the beginning of the file.
## Code Quality reports **(PREMIUM)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/21527) in GitLab 12.9.
![Code Quality Report](img/code_quality_report_13_11.png)
After the Code Quality job completes:
- Potential changes to code quality are shown directly in the merge request.
The Code Quality widget in the merge request compares the reports from the base and head of the branch,
then lists any violations that are resolved or created when the branch is merged.
- The full JSON report is available as a
[downloadable artifact](../pipelines/job_artifacts.md#download-job-artifacts)
for the `code_quality` job.
- The full list of code quality violations generated by a pipeline is shown in the
Code Quality tab of the Pipeline Details page.
## Generate an HTML report
In [GitLab 13.6 and later](https://gitlab.com/gitlab-org/ci-cd/codequality/-/issues/10),
it is possible to generate an HTML report file by setting the `REPORT_FORMAT`
CI/CD variable to `html`. This is useful if you just want to view the report in a more
human-readable format or to publish this artifact on GitLab Pages for even
easier reviewing.
To generate both JSON and HTML report files, add another job to your template by using `extends: code_quality`:
```yaml
include:
- template: Code-Quality.gitlab-ci.yml
code_quality_html:
extends: code_quality
variables:
REPORT_FORMAT: html
artifacts:
paths: [gl-code-quality-report.html]
```
NOTE:
Adding a job means your code is scanned twice: once to generate a JSON report and once to generate an HTML report.
You can also generate _only_ an HTML report instead of the standard JSON report. To do so, set `REPORT_FORMAT` to `html` in the existing job:
```yaml
include:
- template: Code-Quality.gitlab-ci.yml
code_quality:
variables:
REPORT_FORMAT: html
artifacts:
paths: [gl-code-quality-report.html]
```
WARNING:
If you only generate an HTML report, you can't see your results in the [merge request widget](#code-quality-widget), [pipeline report](#code-quality-reports), or [diff view](#code-quality-in-diff-view).
These features require a JSON report.
## Extending functionality
### Using Analysis Plugins
Should there be a need to extend the default functionality provided by Code Quality, as stated in [Code Quality](#code-quality), [Analysis Plugins](https://docs.codeclimate.com/docs/list-of-engines) are available.
For example, to use the [SonarJava analyzer](https://docs.codeclimate.com/docs/sonar-java),
add a file named `.codeclimate.yml` containing the [enablement code](https://docs.codeclimate.com/docs/sonar-java#enable-the-plugin)
for the plugin to the root of your repository:
```yaml
version: "2"
plugins:
sonar-java:
enabled: true
```
This adds SonarJava to the `plugins:` section of the [default `.codeclimate.yml`](https://gitlab.com/gitlab-org/ci-cd/codequality/-/blob/master/codeclimate_defaults/.codeclimate.yml.template)
included in your project.
Changes to the `plugins:` section do not affect the `exclude_patterns` section of the
default `.codeclimate.yml`. See the Code Climate documentation for
[excluding files and folders](https://docs.codeclimate.com/docs/excluding-files-and-folders)
for more details.
Here's [an example project](https://gitlab.com/jheimbuck_gl/jh_java_example_project) that uses Code Quality with a `.codeclimate.yml` file.
## Use a Code Quality image hosted in a registry with untrusted certificates
If you set the `CODE_QUALITY_IMAGE` to an image that is hosted in a
Docker registry which uses a TLS certificate that is not trusted, such as
a self-signed certificate, you can see errors like the one below:
```shell
$ docker pull --quiet "$CODE_QUALITY_IMAGE"
Error response from daemon: Get https://gitlab.example.com/v2/: x509: certificate signed by unknown authority
```
To fix this, configure the Docker daemon to [trust certificates](https://docs.docker.com/registry/insecure/#use-self-signed-certificates)
by putting the certificate inside of the `/etc/docker/certs.d`
directory.
This Docker daemon is exposed to the subsequent Code Quality Docker container in the
[GitLab Code Quality template](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.8.3-ee/lib/gitlab/ci/templates/Jobs/Code-Quality.gitlab-ci.yml#L41)
and should be to exposed any other containers in which you want to have
your certificate configuration apply.
### Docker
If you have access to GitLab Runner configuration, add the directory as a
[volume mount](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#volumes-in-the-runnersdocker-section). For example:
```toml
[[runners]]
...
executor = "docker"
[runners.docker]
...
privileged = true
volumes = ["/cache", "/etc/gitlab-runner/certs/gitlab.example.com.crt:/etc/docker/certs.d/gitlab.example.com/ca.crt:ro"]
```
Replace `gitlab.example.com` with the actual domain of the registry.
### Kubernetes
If you have access to GitLab Runner configuration and the Kubernetes cluster,
you can [mount a ConfigMap](https://docs.gitlab.com/runner/executors/kubernetes.html#configmap-volumes):
1. Create a ConfigMap with the certificate:
```shell
kubectl create configmap registry-crt --namespace gitlab-runner --from-file /etc/gitlab-runner/certs/gitlab.example.com.crt
```
1. Update GitLab Runner `config.toml` to specify the ConfigMap:
```toml
[[runners]]
...
executor = "kubernetes"
[runners.kubernetes]
image = "alpine:3.12"
privileged = true
[[runners.kubernetes.volumes.config_map]]
name = "registry-crt"
mount_path = "/etc/docker/certs.d/gitlab.example.com/ca.crt"
sub_path = "gitlab.example.com.crt"
```
Replace `gitlab.example.com` with the actual domain of the registry.
## Troubleshooting
### Changing the default configuration has no effect
A common issue is that the terms `Code Quality` (GitLab specific) and `Code Climate`
(Engine used by GitLab) are very similar. You must add a **`.codeclimate.yml`** file
to change the default configuration, **not** a `.codequality.yml` file. If you use
the wrong filename, the [default `.codeclimate.yml`](https://gitlab.com/gitlab-org/ci-cd/codequality/-/blob/master/codeclimate_defaults/.codeclimate.yml.template)
is still used.
### No Code Quality report is displayed in a merge request
This can be due to multiple reasons:
- You just added the Code Quality job in your `.gitlab-ci.yml`. The report does not
have anything to compare to yet, so no information can be displayed. It only displays
after future merge requests have something to compare to.
- Your pipeline is not set to run the code quality job on your target branch. If there is no report generated from the target branch, your MR branch reports have nothing to compare to. In this situation you will see an error stating `Base pipeline codequality artifact not found`.
- If no [degradation or error is detected](https://docs.codeclimate.com/docs/maintainability#section-checks),
nothing is displayed.
- The [`artifacts:expire_in`](../yaml/index.md#artifactsexpire_in) CI/CD
setting can cause the Code Quality artifacts to expire faster than desired.
- The widgets use the pipeline of the latest commit to the target branch. If commits are made to the default branch that do not run the code quality job, this may cause the merge request widget to have no base report for comparison.
- If you use the [`REPORT_STDOUT` environment variable](https://gitlab.com/gitlab-org/ci-cd/codequality#environment-variables), no report file is generated and nothing displays in the merge request.
- Large `gl-code-quality-report.json` files (esp. >10 MB) are [known to prevent the report from being displayed](https://gitlab.com/gitlab-org/gitlab/-/issues/2737).
As a work-around, try removing [properties](https://github.com/codeclimate/platform/blob/master/spec/analyzers/SPEC.md#data-types)
that are [ignored by GitLab](#implementing-a-custom-tool). You can:
- Configure the Code Quality tool to not output those types.
- Use `sed`, `awk` or similar commands in the `.gitlab-ci.yml` script to
edit the `gl-code-quality-report.json` before the job completes.
### Only a single Code Quality report is displayed, but more are defined
GitLab only uses the Code Quality artifact from the latest created job (with the largest job ID).
If multiple jobs in a pipeline generate a code quality artifact, those of earlier jobs are ignored.
To avoid confusion, configure only one job to generate a `gl-code-quality-report.json`.
### RuboCop errors
When using Code Quality jobs on a Ruby project, you can encounter problems running RuboCop.
For example, the following error can appear when using either a very recent or very old version
of Ruby:
```plaintext
/usr/local/bundle/gems/rubocop-0.52.1/lib/rubocop/config.rb:510:in `check_target_ruby':
Unknown Ruby version 2.7 found in `.ruby-version`. (RuboCop::ValidationError)
Supported versions: 2.1, 2.2, 2.3, 2.4, 2.5
```
This is caused by the default version of RuboCop used by the check engine not covering
support for the Ruby version in use.
To use a custom version of RuboCop that
[supports the version of Ruby used by the project](https://docs.rubocop.org/rubocop/compatibility.html#support-matrix),
you can [override the configuration through a `.codeclimate.yml` file](https://docs.codeclimate.com/docs/rubocop#using-rubocops-newer-versions)
created in the project repository.
For example, to specify using RuboCop release **0.67**:
```yaml
version: "2"
plugins:
rubocop:
enabled: true
channel: rubocop-0-67
```
### No Code Quality appears on merge requests when using custom tool
If your merge requests do not show any code quality changes when using a custom tool,
ensure that the line property is an `integer`.
### Code Quality CI job with Code Climate plugins enabled fails with error
If you enabled any of the Code Climate plugins, and the Code Quality CI job fails with the error
below, it's likely the job takes longer than the default timeout of 900 seconds:
```shell
error: (CC::CLI::Analyze::EngineFailure) engine pmd ran for 900 seconds and was killed
Could not analyze code quality for the repository at /code
```
To work around this problem, set `TIMEOUT_SECONDS` to a higher value in your `.gitlab.-ci.yml` file.
For example:
```yaml
variables:
TIMEOUT_SECONDS: 3600
```


@ -11,10 +11,10 @@ display reports or link to important information directly from [merge requests](
| Feature | Description |
|-------------------------------------------------------------------------------------------------|-------------|
| [Accessibility Testing](../../user/project/merge_requests/accessibility_testing.md) | Automatically report A11y violations for changed pages in merge requests. |
| [Browser Performance Testing](../../user/project/merge_requests/browser_performance_testing.md) | Quickly determine the browser performance impact of pending code changes. |
| [Accessibility Testing](accessibility_testing.md) | Automatically report A11y violations for changed pages in merge requests. |
| [Browser Performance Testing](browser_performance_testing.md) | Quickly determine the browser performance impact of pending code changes. |
| [Load Performance Testing](../../user/project/merge_requests/load_performance_testing.md) | Quickly determine the server performance impact of pending code changes. |
| [Code Quality](../../user/project/merge_requests/code_quality.md) | Analyze your source code quality using the [Code Climate](https://codeclimate.com/) analyzer and show the Code Climate report right in the merge request widget area. |
| [Code Quality](code_quality.md) | Analyze your source code quality using the [Code Climate](https://codeclimate.com/) analyzer and show the Code Climate report right in the merge request widget area. |
| [Display arbitrary job artifacts](../yaml/index.md#artifactsexpose_as) | Configure CI pipelines with the `artifacts:expose_as` parameter to directly link to selected [artifacts](../pipelines/job_artifacts.md) in merge requests. |
| [Unit test reports](unit_test_reports.md) | Configure your CI jobs to use Unit test reports, and let GitLab display a report on the merge request so that it's easier and faster to identify the failure without having to check the entire job log. |
| [License Compliance](../../user/compliance/license_compliance/index.md) | Manage the licenses of your dependencies. |


@ -36,9 +36,9 @@ The `accessibility` report uses [pa11y](https://pa11y.org/) to report on the acc
of changes introduced in merge requests.
GitLab can display the results of one or more reports in the merge request
[accessibility widget](../../user/project/merge_requests/accessibility_testing.md#accessibility-merge-request-widget).
[accessibility widget](../testing/accessibility_testing.md#accessibility-merge-request-widget).
For more information, see [Accessibility testing](../../user/project/merge_requests/accessibility_testing.md).
For more information, see [Accessibility testing](../testing/accessibility_testing.md).
## `artifacts:reports:api_fuzzing` **(ULTIMATE)**
@ -59,11 +59,11 @@ GitLab can display the results of one or more reports in:
> [Name changed](https://gitlab.com/gitlab-org/gitlab/-/issues/225914) from `artifacts:reports:performance` in GitLab 14.0.
The `browser_performance` report collects [Browser Performance Testing metrics](../../user/project/merge_requests/browser_performance_testing.md)
The `browser_performance` report collects [Browser Performance Testing metrics](../testing/browser_performance_testing.md)
as artifacts.
GitLab can display the results of one report in the merge request
[browser performance testing widget](../../user/project/merge_requests/browser_performance_testing.md#how-browser-performance-testing-works).
[browser performance testing widget](../testing/browser_performance_testing.md#how-browser-performance-testing-works).
GitLab cannot display the combined results of multiple `browser_performance` reports.
@ -122,14 +122,14 @@ GitLab can display the results of coverage report in the merge request
> [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/212499) to GitLab Free in 13.2.
The `codequality` report collects [code quality issues](../../user/project/merge_requests/code_quality.md). The
The `codequality` report collects [code quality issues](../testing/code_quality.md). The
collected code quality report uploads to GitLab as an artifact.
GitLab can display the results of:
- One or more reports in the merge request [code quality widget](../../user/project/merge_requests/code_quality.md#code-quality-widget).
- One or more reports in the merge request [code quality widget](../testing/code_quality.md#code-quality-widget).
- Only one report in:
- The merge request [diff annotations](../../user/project/merge_requests/code_quality.md#code-quality-in-diff-view).
- The merge request [diff annotations](../testing/code_quality.md#code-quality-in-diff-view).
Track progress on adding support for multiple reports in [this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/328257).
- The [full report](../metrics_reports.md). Track progress on adding support for multiple reports in
[this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/9014).


@ -26,7 +26,7 @@ consistent performance of GitLab. Refer to the [Index](#performance-documentatio
- Frontend:
- [Performance guidelines](../development/fe_guide/performance.md)
- [Performance dashboards and monitoring guidelines](../development/new_fe_guide/development/performance.md)
- [Browser performance testing guidelines](../user/project/merge_requests/browser_performance_testing.md)
- [Browser performance testing guidelines](../ci/testing/browser_performance_testing.md)
- [`gdk measure` and `gdk measure-workflow`](https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/gdk_commands.md#measure-performance)
- QA:
- [Load performance testing](../user/project/merge_requests/load_performance_testing.md)


@ -45,7 +45,7 @@ Maintainers can elect to use the [process for merging during broken `master`](ht
On every [pipeline](https://gitlab.com/gitlab-org/gitlab/pipelines/125315730) in the `qa` stage, the
`review-performance` job is automatically started: this job does basic
browser performance testing using a
[Sitespeed.io Container](../../user/project/merge_requests/browser_performance_testing.md).
[Sitespeed.io Container](../../ci/testing/browser_performance_testing.md).
## Sample Data for Review Apps


@ -63,7 +63,7 @@ the tiers are no longer mentioned in GitLab documentation:
- [`audit_json.log`](../administration/logs.md#audit_jsonlog) (specific entries)
- [`elasticsearch.log`](../administration/logs.md#elasticsearchlog)
- Merge requests:
- [Full code quality reports in the code quality tab](../user/project/merge_requests/code_quality.md#code-quality-reports)
- [Full code quality reports in the code quality tab](../ci/testing/code_quality.md#code-quality-reports)
- [Merge request approvals](../user/project/merge_requests/approvals/index.md)
- [Multiple assignees](../user/project/merge_requests/index.md#assign-multiple-users)
- [Approval Rule information for Reviewers](../user/project/merge_requests/reviews/index.md#approval-rule-information-for-reviewers)


@ -178,7 +178,7 @@ Auto Code Quality uses the
static analysis and other code checks on the current code. After creating the
report, it's uploaded as an artifact which you can later download and check
out. The merge request widget also displays any
[differences between the source and target branches](../../user/project/merge_requests/code_quality.md).
[differences between the source and target branches](../../ci/testing/code_quality.md).
## Auto SAST
@ -336,7 +336,7 @@ You can disable DAST:
> Introduced in GitLab 10.4.
Auto [Browser Performance Testing](../../user/project/merge_requests/browser_performance_testing.md)
Auto [Browser Performance Testing](../../ci/testing/browser_performance_testing.md)
measures the browser performance of a web page with the
[Sitespeed.io container](https://hub.docker.com/r/sitespeedio/sitespeed.io/),
creates a JSON report including the overall performance score for each page, and
@ -351,7 +351,7 @@ file named `.gitlab-urls.txt` in the root directory, one file per line. For exam
```
Any browser performance differences between the source and target branches are also
[shown in the merge request widget](../../user/project/merge_requests/browser_performance_testing.md).
[shown in the merge request widget](../../ci/testing/browser_performance_testing.md).
## Auto Load Performance Testing **(PREMIUM)**


@ -1,76 +1,11 @@
---
stage: Verify
group: Pipeline Insights
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
redirect_to: '../../../ci/testing/accessibility_testing.md'
remove_date: '2022-08-31'
---
# Accessibility testing **(FREE)**
This document was moved to [another location](../../../ci/testing/accessibility_testing.md).
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/25144) in GitLab 12.8.
If your application offers a web interface, you can use
[GitLab CI/CD](../../../ci/index.md) to determine the accessibility
impact of pending code changes.
[Pa11y](https://pa11y.org/) is a free and open source tool for
measuring the accessibility of web sites. GitLab integrates Pa11y into a
[CI job template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Verify/Accessibility.gitlab-ci.yml).
The `a11y` job analyzes a defined set of web pages and reports
accessibility violations, warnings, and notices in a file named
`accessibility`.
As of [GitLab 14.5](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/73309), Pa11y uses
[WCAG 2.1 rules](https://www.w3.org/TR/WCAG21/#new-features-in-wcag-2-1).
## Accessibility merge request widget
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/39425) in GitLab 13.0 behind the disabled [feature flag](../../../administration/feature_flags.md) `:accessibility_report_view`.
> - [Feature Flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/217372) in GitLab 13.1.
GitLab displays an **Accessibility Report** in the merge request widget area:
![Accessibility merge request widget](img/accessibility_mr_widget_v13_0.png)
## Configure accessibility testing
You can run Pa11y with GitLab CI/CD using the
[GitLab Accessibility Docker image](https://gitlab.com/gitlab-org/ci-cd/accessibility).
To define the `a11y` job for GitLab 12.9 and later:
1. [Include](../../../ci/yaml/index.md#includetemplate) the
[`Accessibility.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Verify/Accessibility.gitlab-ci.yml)
from your GitLab installation.
1. Add the following configuration to your `.gitlab-ci.yml` file.
```yaml
stages:
- accessibility
variables:
a11y_urls: "https://about.gitlab.com https://gitlab.com/users/sign_in"
include:
- template: "Verify/Accessibility.gitlab-ci.yml"
```
1. Customize the `a11y_urls` variable to list the URLs of the web pages to test with Pa11y.
The `a11y` job in your CI/CD pipeline generates these files:
- One HTML report per URL listed in the `a11y_urls` variable.
- One file containing the collected report data. In GitLab versions 12.11 and later, this
file is named `gl-accessibility.json`. In GitLab versions 12.10 and earlier, this file
is named [`accessibility.json`](https://gitlab.com/gitlab-org/ci-cd/accessibility/-/merge_requests/9).
You can [view job artifacts in your browser](../../../ci/pipelines/job_artifacts.md#download-job-artifacts).
NOTE:
For GitLab versions earlier than 12.9, use `include:remote` and
link to the [current template in the default branch](https://gitlab.com/gitlab-org/gitlab/-/raw/master/lib/gitlab/ci/templates/Verify/Accessibility.gitlab-ci.yml)
NOTE:
The job definition provided by the template does not support Kubernetes.
You cannot pass configurations into Pa11y via CI configuration.
To change the configuration, edit a copy of the template in your CI file.
<!-- This redirect file can be deleted after <2022-09-22>. -->
<!-- Redirects that point to other docs in the same project expire in three months. -->
<!-- Redirects that point to docs in a different project or site (for example, link is not relative and starts with `https:`) expire in one year. -->
<!-- Before deletion, see: https://docs.gitlab.com/ee/development/documentation/redirects.html -->


@ -1,242 +1,11 @@
---
stage: Verify
group: Pipeline Insights
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
redirect_to: '../../../ci/testing/browser_performance_testing.md'
remove_date: '2022-08-31'
---
# Browser Performance Testing **(PREMIUM)**
This document was moved to [another location](../../../ci/testing/browser_performance_testing.md).
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/3507) in GitLab 10.3.
If your application offers a web interface and you're using
[GitLab CI/CD](../../../ci/index.md), you can quickly determine the rendering performance
impact of pending code changes in the browser.
NOTE:
You can automate this feature in your applications by using [Auto DevOps](../../../topics/autodevops/index.md).
## Overview
GitLab uses [Sitespeed.io](https://www.sitespeed.io), a free and open source
tool, for measuring the rendering performance of web sites. The
[Sitespeed plugin](https://gitlab.com/gitlab-org/gl-performance) that GitLab built outputs
the performance score for each page analyzed in a file called `browser-performance.json`
this data can be shown on Merge Requests.
## Use cases
Consider the following workflow:
1. A member of the marketing team is attempting to track engagement by adding a new tool.
1. With browser performance metrics, they see how their changes are impacting the usability
of the page for end users.
1. The metrics show that after their changes, the performance score of the page has gone down.
1. When looking at the detailed report, they see the new JavaScript library was
included in `<head>`, which affects loading page speed.
1. They ask for help from a front end developer, who sets the library to load asynchronously.
1. The frontend developer approves the merge request, and authorizes its deployment to production.
## How browser performance testing works
First, define a job in your `.gitlab-ci.yml` file that generates the
[Browser Performance report artifact](../../../ci/yaml/artifacts_reports.md#artifactsreportsbrowser_performance).
GitLab then checks this report, compares key performance metrics for each page
between the source and target branches, and shows the information in the merge request.
For an example Browser Performance job, see
[Configuring Browser Performance Testing](#configuring-browser-performance-testing).
NOTE:
If the Browser Performance report has no data to compare, such as when you add the
Browser Performance job in your `.gitlab-ci.yml` for the very first time,
the Browser Performance report widget doesn't display. It must have run at least
once on the target branch (`main`, for example), before it displays in a
merge request targeting that branch.
![Browser Performance Widget](img/browser_performance_testing.png)
## Configuring Browser Performance Testing
This example shows how to run the [sitespeed.io container](https://hub.docker.com/r/sitespeedio/sitespeed.io/)
on your code by using GitLab CI/CD and [sitespeed.io](https://www.sitespeed.io)
using Docker-in-Docker.
1. First, set up GitLab Runner with a
[Docker-in-Docker build](../../../ci/docker/using_docker_build.md#use-docker-in-docker).
1. Configure the default Browser Performance Testing CI/CD job as follows in your `.gitlab-ci.yml` file:
```yaml
include:
template: Verify/Browser-Performance.gitlab-ci.yml
browser_performance:
variables:
URL: https://example.com
```
WARNING:
In GitLab 13.12 and earlier, the job [was named](https://gitlab.com/gitlab-org/gitlab/-/issues/225914) `performance`.
The above example:
- Creates a `browser_performance` job in your CI/CD pipeline and runs sitespeed.io against the webpage you
defined in `URL` to gather key metrics.
- Uses a template that doesn't work with Kubernetes clusters. If you are using a Kubernetes cluster,
use [`template: Jobs/Browser-Performance-Testing.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Browser-Performance-Testing.gitlab-ci.yml)
instead.
- Uses a CI/CD template that is included in all GitLab installations since 12.4. If you are using
GitLab 12.3 or earlier, you must [add the configuration manually](#gitlab-versions-132-and-earlier).
The template uses the [GitLab plugin for sitespeed.io](https://gitlab.com/gitlab-org/gl-performance),
and it saves the full HTML sitespeed.io report as a [Browser Performance report artifact](../../../ci/yaml/artifacts_reports.md#artifactsreportsbrowser_performance)
that you can later download and analyze. This implementation always takes the latest
Browser Performance artifact available. If [GitLab Pages](../pages/index.md) is enabled,
you can view the report directly in your browser.
You can also customize the jobs with CI/CD variables:
- `SITESPEED_IMAGE`: Configure the Docker image to use for the job (default `sitespeedio/sitespeed.io`), but not the image version.
- `SITESPEED_VERSION`: Configure the version of the Docker image to use for the job (default `14.1.0`).
- `SITESPEED_OPTIONS`: Configure any additional sitespeed.io options as required (default `nil`). Refer to the [sitespeed.io documentation](https://www.sitespeed.io/documentation/sitespeed.io/configuration/) for more details.
For example, you can override the number of runs sitespeed.io
makes on the given URL, and change the version:
```yaml
include:
template: Verify/Browser-Performance.gitlab-ci.yml
browser_performance:
variables:
URL: https://www.sitespeed.io/
SITESPEED_VERSION: 13.2.0
SITESPEED_OPTIONS: -n 5
```
### Configuring degradation threshold
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/27599) in GitLab 13.0.
You can configure the sensitivity of degradation alerts to avoid getting alerts for minor drops in metrics.
This is done by setting the `DEGRADATION_THRESHOLD` CI/CD variable. In the example below, the alert only shows up
if the `Total Score` metric degrades by 5 points or more:
```yaml
include:
template: Verify/Browser-Performance.gitlab-ci.yml
browser_performance:
variables:
URL: https://example.com
DEGRADATION_THRESHOLD: 5
```
The `Total Score` metric is based on sitespeed.io's [coach performance score](https://www.sitespeed.io/documentation/sitespeed.io/metrics/#performance-score). There is more information in [the coach documentation](https://www.sitespeed.io/documentation/coach/how-to/#what-do-the-coach-do).
### Performance testing on Review Apps
The above CI YAML configuration is great for testing against static environments, and it can
be extended for dynamic environments, but a few extra steps are required:
1. The `browser_performance` job should run after the dynamic environment has started.
1. In the `review` job:
1. Generate a URL list file with the dynamic URL.
1. Save the file as an artifact, for example with `echo $CI_ENVIRONMENT_URL > environment_url.txt`
in your job's `script`.
1. Pass the list as the URL environment variable (which can be a URL or a file containing URLs)
to the `browser_performance` job.
1. You can now run the sitespeed.io container against the desired hostname and
paths.
Your `.gitlab-ci.yml` file would look like:
```yaml
stages:
- deploy
- performance
include:
template: Verify/Browser-Performance.gitlab-ci.yml
review:
stage: deploy
environment:
name: review/$CI_COMMIT_REF_SLUG
url: http://$CI_COMMIT_REF_SLUG.$APPS_DOMAIN
script:
- run_deploy_script
- echo $CI_ENVIRONMENT_URL > environment_url.txt
artifacts:
paths:
- environment_url.txt
only:
- branches
except:
- master
browser_performance:
dependencies:
- review
variables:
URL: environment_url.txt
```
### GitLab versions 13.2 and earlier
Browser Performance Testing has gone through several changes since its introduction.
In this section we detail these changes and how you can run the test based on your
GitLab version:
- In 13.2 the feature was renamed from `Performance` to `Browser Performance` with additional
template CI/CD variables.
- In GitLab 12.4 [a job template was made available](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Verify/Browser-Performance.gitlab-ci.yml).
- For 11.5 to 12.3 no template is available and the job has to be defined manually as follows:
```yaml
performance:
stage: performance
image: docker:git
variables:
URL: https://example.com
SITESPEED_VERSION: 14.1.0
SITESPEED_OPTIONS: ''
services:
- docker:stable-dind
script:
- mkdir gitlab-exporter
- wget -O ./gitlab-exporter/index.js https://gitlab.com/gitlab-org/gl-performance/raw/1.1.0/index.js
- mkdir sitespeed-results
- docker run --shm-size=1g --rm -v "$(pwd)":/sitespeed.io sitespeedio/sitespeed.io:$SITESPEED_VERSION --plugins.add ./gitlab-exporter --outputFolder sitespeed-results $URL $SITESPEED_OPTIONS
- mv sitespeed-results/data/performance.json performance.json
artifacts:
paths:
- performance.json
- sitespeed-results/
reports:
performance: performance.json
```
- For 11.4 and earlier the job should be defined as follows:
```yaml
performance:
stage: performance
image: docker:git
variables:
URL: https://example.com
services:
- docker:stable-dind
script:
- mkdir gitlab-exporter
- wget -O ./gitlab-exporter/index.js https://gitlab.com/gitlab-org/gl-performance/raw/1.1.0/index.js
- mkdir sitespeed-results
- docker run --shm-size=1g --rm -v "$(pwd)":/sitespeed.io sitespeedio/sitespeed.io:6.3.1 --plugins.add ./gitlab-exporter --outputFolder sitespeed-results $URL
- mv sitespeed-results/data/performance.json performance.json
artifacts:
paths:
- performance.json
- sitespeed-results/
```
Upgrading to the latest version and using the templates is recommended, to ensure
you receive the latest updates, including updates to the sitespeed.io versions.
<!-- This redirect file can be deleted after <2022-09-22>. -->
<!-- Redirects that point to other docs in the same project expire in three months. -->
<!-- Redirects that point to docs in a different project or site (for example, link is not relative and starts with `https:`) expire in one year. -->
<!-- Before deletion, see: https://docs.gitlab.com/ee/development/documentation/redirects.html -->


@ -1,634 +1,11 @@
---
stage: Secure
group: Static Analysis
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
redirect_to: '../../../ci/testing/code_quality.md'
remove_date: '2022-08-31'
---
# Code Quality **(FREE)**
This document was moved to [another location](../../../ci/testing/code_quality.md).
> [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/212499) to GitLab Free in 13.2.
To ensure your project's code stays simple, readable, and easy to contribute to,
you can use [GitLab CI/CD](../../../ci/index.md) to analyze your source code quality.
For example, while you're implementing a feature, you can run Code Quality reports
to analyze how your improvements are impacting your code's quality. You can
use this information to ensure that your changes are improving performance rather
than degrading it.
Code Quality:
- Uses [plugins](https://docs.codeclimate.com/docs/list-of-engines) supported by Code Climate, which are
free and open source. Code Quality does not require a Code Climate
subscription.
- Runs in [pipelines](../../../ci/pipelines/index.md) by using a Docker image built in the
[GitLab Code Quality](https://gitlab.com/gitlab-org/ci-cd/codequality) project.
- Uses [default Code Climate configurations](https://gitlab.com/gitlab-org/ci-cd/codequality/-/tree/master/codeclimate_defaults).
- Can make use of a [template](#example-configuration).
- Is available by using [Auto Code Quality](../../../topics/autodevops/stages.md#auto-code-quality), provided by [Auto DevOps](../../../topics/autodevops/index.md).
- Can be extended through [Analysis Plugins](https://docs.codeclimate.com/docs/list-of-engines) or a [custom tool](#implementing-a-custom-tool).
## Summary of features per tier
Different features are available in different [GitLab tiers](https://about.gitlab.com/pricing/),
as shown in the following table:
| Capability | In Free | In Premium | In Ultimate |
|:----------------------------------------------------------------------|:--------------------|:--------------------|:-------------------|
| [Configure scanners](#configuring-jobs-using-variables) | **{check-circle}** | **{check-circle}** | **{check-circle}** |
| [Integrate custom scanners](#implementing-a-custom-tool) | **{check-circle}** | **{check-circle}** | **{check-circle}** |
| [Generate JSON or HTML report artifacts](#generate-an-html-report) | **{check-circle}** | **{check-circle}** | **{check-circle}** |
| [See findings in merge request widget](#code-quality-widget) | **{check-circle}** | **{check-circle}** | **{check-circle}** |
| [See reports in CI pipelines](#code-quality-reports) | **{dotted-circle}** | **{check-circle}** | **{check-circle}** |
| [See findings in merge request diff view](#code-quality-in-diff-view) | **{dotted-circle}** | **{dotted-circle}** | **{check-circle}** |
## Code Quality Widget
> [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/212499) to GitLab Free in 13.2.
Going a step further, GitLab can show the Code Quality report right
in the merge request widget area if a report from the target branch is available to compare to:
![Code Quality Widget](img/code_quality_widget_13_11.png)
Watch a quick walkthrough of Code Quality in action:
<div class="video-fallback">
See the video: <a href="https://www.youtube.com/watch?v=B32LxtJKo9M">Code Quality: Speed Run</a>.
</div>
<figure class="video-container">
<iframe src="https://www.youtube.com/embed/B32LxtJKo9M" frameborder="0" allowfullscreen="true"> </iframe>
</figure>
NOTE:
For one customer, the auditor found that having Code Quality, SAST, and Container Scanning all automated in GitLab CI/CD was almost better than a manual review! [Read more](https://about.gitlab.com/customers/bi_worldwide/).
See also the Code Climate list of [Supported Languages for Maintainability](https://docs.codeclimate.com/docs/supported-languages-for-maintainability).
## Code Quality in diff view **(ULTIMATE)**
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/267612) in GitLab 13.11, disabled by default behind the `codequality_mr_diff` [feature flag](../../../administration/feature_flags.md).
> - [Enabled by default](https://gitlab.com/gitlab-org/gitlab/-/issues/284140) in GitLab 13.12.
> - [Disabled by default](https://gitlab.com/gitlab-org/gitlab/-/issues/2526) in GitLab 14.0 due to [this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/334116).
> - [Inline annotation added](https://gitlab.com/gitlab-org/gitlab/-/issues/2526) and [feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/284140) in GitLab 14.1.
Changes to files in merge requests can cause Code Quality to fall if merged. In these cases,
the merge request's diff view displays an indicator next to lines with new Code Quality violations. For example:
![Code Quality MR diff report](img/code_quality_mr_diff_report_v14_2.png)
## Example configuration
This example shows how to run Code Quality on your code by using GitLab CI/CD and Docker.
- Using shared runners, the job should be configured For the [Docker-in-Docker workflow](../../../ci/docker/using_docker_build.md#use-docker-in-docker).
- Using private runners, there is an [alternative configuration](#set-up-a-private-runner-for-code-quality-without-docker-in-docker) recommended for running Code Quality analysis more efficiently.
In either configuration, the runner must have enough disk space to handle generated Code Quality files. For example on the [GitLab project](https://gitlab.com/gitlab-org/gitlab) the files are approximately 7 GB.
Once you set up GitLab Runner, include the [Code Quality template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Code-Quality.gitlab-ci.yml) in your CI configuration:
```yaml
include:
- template: Code-Quality.gitlab-ci.yml
```
The above example creates a `code_quality` job in your CI/CD pipeline which
scans your source code for code quality issues. The report is saved as a
[Code Quality report artifact](../../../ci/yaml/artifacts_reports.md#artifactsreportscodequality)
that you can later download and analyze.
It's also possible to override the URL to the Code Quality image by
setting the `CODE_QUALITY_IMAGE` CI/CD variable. This is particularly useful if you want
to lock in a specific version of Code Quality, or use a fork of it:
```yaml
include:
- template: Code-Quality.gitlab-ci.yml
code_quality:
variables:
CODE_QUALITY_IMAGE: "registry.example.com/codequality-fork:latest"
```
In [GitLab 13.4 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/11100), you can override the [Code Quality environment variables](https://gitlab.com/gitlab-org/ci-cd/codequality#environment-variables):
```yaml
variables:
TIMEOUT_SECONDS: 1
include:
- template: Code-Quality.gitlab-ci.yml
```
By default, report artifacts are not downloadable. If you need them downloadable on the
job details page, you can add `gl-code-quality-report.json` to the artifact paths like so:
```yaml
include:
- template: Code-Quality.gitlab-ci.yml
code_quality:
artifacts:
paths: [gl-code-quality-report.json]
```
The included `code_quality` job is running in the `test` stage, so it needs to be included in your CI configuration, like so:
```yaml
stages:
- test
```
NOTE:
This information is automatically extracted and shown right in the merge request widget.
WARNING:
On self-managed instances, if a malicious actor compromises the Code Quality job
definition they could execute privileged Docker commands on the runner
host. Having proper access control policies mitigates this attack vector by
allowing access only to trusted actors.
### Set up a private runner for code quality without Docker-in-Docker
It's possible to configure your own runners and avoid Docker-in-Docker. You can use a
configuration that may greatly speed up job execution without requiring your runners
to operate in privileged mode.
This alternative configuration uses socket binding to share the Runner's Docker daemon
with the job environment. Be aware that this configuration [has significant considerations](../../../ci/docker/using_docker_build.md#use-docker-socket-binding)
to be consider, but may be preferable depending on your use case.
1. Register a new runner:
```shell
$ gitlab-runner register --executor "docker" \
--docker-image="docker:stable" \
--url "https://gitlab.com/" \
--description "cq-sans-dind" \
--tag-list "cq-sans-dind" \
--locked="false" \
--access-level="not_protected" \
--docker-volumes "/cache"\
--docker-volumes "/builds:/builds"\
--docker-volumes "/var/run/docker.sock:/var/run/docker.sock" \
--registration-token="<project_token>" \
--non-interactive
```
1. **Optional, but recommended:** Set the builds directory to `/tmp/builds`,
so job artifacts are periodically purged from the runner host. If you skip
this step, you must clean up the default builds directory (`/builds`) yourself.
You can do this by adding the following two flags to `gitlab-runner register`
in the previous step.
```shell
--builds-dir "/tmp/builds"
--docker-volumes "/tmp/builds:/tmp/builds" # Use this instead of --docker-volumes "/builds:/builds"
```
The resulting configuration:
```toml
[[runners]]
name = "cq-sans-dind"
url = "https://gitlab.com/"
token = "<project_token>"
executor = "docker"
builds_dir = "/tmp/builds"
[runners.docker]
tls_verify = false
image = "docker:stable"
privileged = false
disable_entrypoint_overwrite = false
oom_kill_disable = false
disable_cache = false
volumes = ["/cache", "/var/run/docker.sock:/var/run/docker.sock", "/tmp/builds:/tmp/builds"]
shm_size = 0
[runners.cache]
[runners.cache.s3]
[runners.cache.gcs]
```
1. Apply two overrides to the `code_quality` job created by the template:
```yaml
include:
- template: Code-Quality.gitlab-ci.yml
code_quality:
services: # Shut off Docker-in-Docker
tags:
- cq-sans-dind # Set this job to only run on our new specialized runner
```
The end result is that:
- Privileged mode is not used.
- Docker-in-Docker is not used.
- Docker images, including all CodeClimate images, are cached, and not re-fetched for subsequent jobs.
With this configuration, the run time for a second pipeline is much shorter. For example
this [small change](https://gitlab.com/drew/test-code-quality-template/-/merge_requests/4/diffs?commit_id=1e705607aef7236c1b20bb6f637965f3f3e53a46)
to an [open merge request](https://gitlab.com/drew/test-code-quality-template/-/merge_requests/4/pipelines)
running Code Quality analysis ran significantly faster the second time:
![Code Quality sequential runs without DinD](img/code_quality_host_bound_sequential.png)
This configuration is not possible on `gitlab.com` shared runners. Shared runners
are configured with `privileged=true`, and they do not expose `docker.sock` into
the job container. As a result, socket binding cannot be used to make `docker` available
in the context of the job script.
[Docker-in-Docker](../../../ci/docker/using_docker_build.md#use-docker-in-docker)
was chosen as an operational decision by the runner team, instead of exposing `docker.sock`.
### Disabling the code quality job
The `code_quality` job doesn't run if the `$CODE_QUALITY_DISABLED` CI/CD variable
is present. Please refer to the CI/CD variables [documentation](../../../ci/variables/index.md)
to learn more about how to define one.
To disable the `code_quality` job, add `CODE_QUALITY_DISABLED` as a custom CI/CD variable.
This can be done:
- For [the whole project](../../../ci/variables/index.md#custom-cicd-variables).
- For a single pipeline run:
1. Go to **CI/CD > Pipelines**
1. Select **Run pipeline**
1. Add `CODE_QUALITY_DISABLED` as the variable key, with any value.
### Using with merge request pipelines
The configuration provided by the Code Quality template does not let the `code_quality` job
run on [merge request pipelines](../../../ci/pipelines/merge_request_pipelines.md).
If merge request pipelines is enabled, the `code_quality:rules` must be redefined.
The template has these [`rules`](../../../ci/yaml/index.md#rules) for the `code quality` job:
```yaml
code_quality:
rules:
- if: $CODE_QUALITY_DISABLED
when: never
- if: $CI_COMMIT_TAG || $CI_COMMIT_BRANCH
```
If you are using merge request pipelines, your `rules` (or [`workflow: rules`](../../../ci/yaml/index.md#workflow))
might look like this example:
```yaml
job1:
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event" # Run job1 in merge request pipelines
- if: $CI_COMMIT_BRANCH == "main" # Run job1 in pipelines on the main branch (but not in other branch pipelines)
- if: $CI_COMMIT_TAG # Run job1 in pipelines for tags
```
To make these work together, you need to overwrite the code quality `rules`
so that they match your current `rules`. From the example above, it could look like:
```yaml
include:
- template: Code-Quality.gitlab-ci.yml
code_quality:
rules:
- if: $CODE_QUALITY_DISABLED
when: never
- if: $CI_PIPELINE_SOURCE == "merge_request_event" # Run code quality job in merge request pipelines
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH # Run code quality job in pipelines on the default branch (but not in other branch pipelines)
- if: $CI_COMMIT_TAG # Run code quality job in pipelines for tags
```
### Configure Code Quality to use a private container image registry
> [Introduced](https://gitlab.com/gitlab-org/ci-cd/codequality/-/merge_requests/30) in 13.7.
To reduce network time and external dependency, you can use your own
container image registry to host the Code Quality Docker images. Because of
the nested architecture of container execution, the registry prefix must
be specifically configured to be passed down into CodeClimate's subsequent
`docker pull` commands for individual engines.
The following two variables can address all of the required image pulls:
- `CODE_QUALITY_IMAGE`: A fully prefixed image name that can be located anywhere
accessible from your job environment. GitLab Container Registry can be used here
to host your own copy.
- `CODECLIMATE_PREFIX`: The domain of your intended container image registry. This
is a configuration option supported by [CodeClimate CLI](https://github.com/codeclimate/codeclimate/pull/948). You must:
- Include a trailing slash (`/`).
- Not include a protocol prefix, such as `https://`.
```yaml
include:
- template: Jobs/Code-Quality.gitlab-ci.yml
code_quality:
variables:
CODE_QUALITY_IMAGE: "my-private-registry.local:12345/codequality:0.85.24"
CODECLIMATE_PREFIX: "my-private-registry.local:12345/"
```
This example is specific to GitLab Code Quality. For more general
instructions on how to configure DinD with a registry mirror, see the
relevant [documentation](../../../ci/docker/using_docker_build.md#enable-registry-mirror-for-dockerdind-service).
## Configuring jobs using variables
The Code Quality job supports environment variables that users can set to
configure job execution at runtime.
For a list of available environment variables, see
[Environment variables](https://gitlab.com/gitlab-org/ci-cd/codequality#environment-variables).
## Implementing a custom tool
It's possible to have a custom tool provide Code Quality reports in GitLab. To
do this:
1. Define a job in your `.gitlab-ci.yml` file that generates the
[Code Quality report artifact](../../../ci/yaml/artifacts_reports.md#artifactsreportscodequality).
1. Configure your tool to generate the Code Quality report artifact as a JSON
file that implements a subset of the [Code Climate
spec](https://github.com/codeclimate/platform/blob/master/spec/analyzers/SPEC.md#data-types).
The Code Quality report artifact JSON file must contain an array of objects
with the following properties:
| Name | Description |
| ---------------------- | ----------------------------------------------------------------------------------------- |
| `description` | A description of the code quality violation. |
| `fingerprint` | A unique fingerprint to identify the code quality violation. For example, an MD5 hash. |
| `severity` | A severity string (can be `info`, `minor`, `major`, `critical`, or `blocker`). |
| `location.path` | The relative path to the file containing the code quality violation. |
| `location.lines.begin` or `location.positions.begin.line` | The line on which the code quality violation occurred. |
Example:
```json
[
{
"description": "'unused' is assigned a value but never used.",
"fingerprint": "7815696ecbf1c96e6894b779456d330e",
"severity": "minor",
"location": {
"path": "lib/index.js",
"lines": {
"begin": 42
}
}
}
]
```
NOTE:
Although the Code Climate spec supports more properties, those are ignored by
GitLab.
The GitLab parser does not allow a [byte order mark](https://en.wikipedia.org/wiki/Byte_order_mark)
at the beginning of the file.
## Code Quality reports **(PREMIUM)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/21527) in GitLab 12.9.
![Code Quality Report](img/code_quality_report_13_11.png)
After the Code Quality job completes:
- Potential changes to code quality are shown directly in the merge request.
The Code Quality widget in the merge request compares the reports from the base and head of the branch,
then lists any violations that are resolved or created when the branch is merged.
- The full JSON report is available as a
[downloadable artifact](../../../ci/pipelines/job_artifacts.md#download-job-artifacts)
for the `code_quality` job.
- The full list of code quality violations generated by a pipeline is shown in the
Code Quality tab of the Pipeline Details page.
## Generate an HTML report
In [GitLab 13.6 and later](https://gitlab.com/gitlab-org/ci-cd/codequality/-/issues/10),
it is possible to generate an HTML report file by setting the `REPORT_FORMAT`
CI/CD variable to `html`. This is useful if you just want to view the report in a more
human-readable format or to publish this artifact on GitLab Pages for even
easier reviewing.
To generate both JSON and HTML report files, add another job to your template by using `extends: code_quality`:
```yaml
include:
- template: Code-Quality.gitlab-ci.yml
code_quality_html:
extends: code_quality
variables:
REPORT_FORMAT: html
artifacts:
paths: [gl-code-quality-report.html]
```
NOTE:
Adding a job means your code is scanned twice: once to generate a JSON report and once to generate an HTML report.
You can also generate _only_ an HTML report instead of the standard JSON report. To do so, set `REPORT_FORMAT` to `html` in the existing job:
```yaml
include:
- template: Code-Quality.gitlab-ci.yml
code_quality:
variables:
REPORT_FORMAT: html
artifacts:
paths: [gl-code-quality-report.html]
```
WARNING:
If you only generate an HTML report, you can't see your results in the [merge request widget](#code-quality-widget), [pipeline report](#code-quality-reports), or [diff view](#code-quality-in-diff-view).
These features require a JSON report.
## Extending functionality
### Using Analysis Plugins
Should there be a need to extend the default functionality provided by Code Quality, as stated in [Code Quality](#code-quality), [Analysis Plugins](https://docs.codeclimate.com/docs/list-of-engines) are available.
For example, to use the [SonarJava analyzer](https://docs.codeclimate.com/docs/sonar-java),
add a file named `.codeclimate.yml` containing the [enablement code](https://docs.codeclimate.com/docs/sonar-java#enable-the-plugin)
for the plugin to the root of your repository:
```yaml
version: "2"
plugins:
sonar-java:
enabled: true
```
This adds SonarJava to the `plugins:` section of the [default `.codeclimate.yml`](https://gitlab.com/gitlab-org/ci-cd/codequality/-/blob/master/codeclimate_defaults/.codeclimate.yml.template)
included in your project.
Changes to the `plugins:` section do not affect the `exclude_patterns` section of the
default `.codeclimate.yml`. See the Code Climate documentation for
[excluding files and folders](https://docs.codeclimate.com/docs/excluding-files-and-folders)
for more details.
Here's [an example project](https://gitlab.com/jheimbuck_gl/jh_java_example_project) that uses Code Quality with a `.codeclimate.yml` file.
## Use a Code Quality image hosted in a registry with untrusted certificates
If you set the `CODE_QUALITY_IMAGE` to an image that is hosted in a
Docker registry which uses a TLS certificate that is not trusted, such as
a self-signed certificate, you can see errors like the one below:
```shell
$ docker pull --quiet "$CODE_QUALITY_IMAGE"
Error response from daemon: Get https://gitlab.example.com/v2/: x509: certificate signed by unknown authority
```
To fix this, configure the Docker daemon to [trust certificates](https://docs.docker.com/registry/insecure/#use-self-signed-certificates)
by putting the certificate inside of the `/etc/docker/certs.d`
directory.
This Docker daemon is exposed to the subsequent Code Quality Docker container in the
[GitLab Code Quality template](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.8.3-ee/lib/gitlab/ci/templates/Jobs/Code-Quality.gitlab-ci.yml#L41)
and should be to exposed any other containers in which you want to have
your certificate configuration apply.
### Docker
If you have access to GitLab Runner configuration, add the directory as a
[volume mount](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#volumes-in-the-runnersdocker-section). For example:
```toml
[[runners]]
...
executor = "docker"
[runners.docker]
...
privileged = true
volumes = ["/cache", "/etc/gitlab-runner/certs/gitlab.example.com.crt:/etc/docker/certs.d/gitlab.example.com/ca.crt:ro"]
```
Replace `gitlab.example.com` with the actual domain of the registry.
### Kubernetes
If you have access to GitLab Runner configuration and the Kubernetes cluster,
you can [mount a ConfigMap](https://docs.gitlab.com/runner/executors/kubernetes.html#configmap-volumes):
1. Create a ConfigMap with the certificate:
```shell
kubectl create configmap registry-crt --namespace gitlab-runner --from-file /etc/gitlab-runner/certs/gitlab.example.com.crt
```
1. Update GitLab Runner `config.toml` to specify the ConfigMap:
```toml
[[runners]]
...
executor = "kubernetes"
[runners.kubernetes]
image = "alpine:3.12"
privileged = true
[[runners.kubernetes.volumes.config_map]]
name = "registry-crt"
mount_path = "/etc/docker/certs.d/gitlab.example.com/ca.crt"
sub_path = "gitlab.example.com.crt"
```
Replace `gitlab.example.com` with the actual domain of the registry.
## Troubleshooting
### Changing the default configuration has no effect
A common issue is that the terms `Code Quality` (GitLab specific) and `Code Climate`
(Engine used by GitLab) are very similar. You must add a **`.codeclimate.yml`** file
to change the default configuration, **not** a `.codequality.yml` file. If you use
the wrong filename, the [default `.codeclimate.yml`](https://gitlab.com/gitlab-org/ci-cd/codequality/-/blob/master/codeclimate_defaults/.codeclimate.yml.template)
is still used.
### No Code Quality report is displayed in a merge request
This can be due to multiple reasons:
- You just added the Code Quality job in your `.gitlab-ci.yml`. The report does not
have anything to compare to yet, so no information can be displayed. It only displays
after future merge requests have something to compare to.
- Your pipeline is not set to run the code quality job on your target branch. If there is no report generated from the target branch, your MR branch reports have nothing to compare to. In this situation you will see an error stating `Base pipeline codequality artifact not found`.
- If no [degradation or error is detected](https://docs.codeclimate.com/docs/maintainability#section-checks),
nothing is displayed.
- The [`artifacts:expire_in`](../../../ci/yaml/index.md#artifactsexpire_in) CI/CD
setting can cause the Code Quality artifacts to expire faster than desired.
- The widgets use the pipeline of the latest commit to the target branch. If commits are made to the default branch that do not run the code quality job, this may cause the merge request widget to have no base report for comparison.
- If you use the [`REPORT_STDOUT` environment variable](https://gitlab.com/gitlab-org/ci-cd/codequality#environment-variables), no report file is generated and nothing displays in the merge request.
- Large `gl-code-quality-report.json` files (esp. >10 MB) are [known to prevent the report from being displayed](https://gitlab.com/gitlab-org/gitlab/-/issues/2737).
As a work-around, try removing [properties](https://github.com/codeclimate/platform/blob/master/spec/analyzers/SPEC.md#data-types)
that are [ignored by GitLab](#implementing-a-custom-tool). You can:
- Configure the Code Quality tool to not output those types.
- Use `sed`, `awk` or similar commands in the `.gitlab-ci.yml` script to
edit the `gl-code-quality-report.json` before the job completes.
### Only a single Code Quality report is displayed, but more are defined
GitLab only uses the Code Quality artifact from the latest created job (with the largest job ID).
If multiple jobs in a pipeline generate a code quality artifact, those of earlier jobs are ignored.
To avoid confusion, configure only one job to generate a `gl-code-quality-report.json`.
### RuboCop errors
When using Code Quality jobs on a Ruby project, you can encounter problems running RuboCop.
For example, the following error can appear when using either a very recent or very old version
of Ruby:
```plaintext
/usr/local/bundle/gems/rubocop-0.52.1/lib/rubocop/config.rb:510:in `check_target_ruby':
Unknown Ruby version 2.7 found in `.ruby-version`. (RuboCop::ValidationError)
Supported versions: 2.1, 2.2, 2.3, 2.4, 2.5
```
This is caused by the default version of RuboCop used by the check engine not covering
support for the Ruby version in use.
To use a custom version of RuboCop that
[supports the version of Ruby used by the project](https://docs.rubocop.org/rubocop/compatibility.html#support-matrix),
you can [override the configuration through a `.codeclimate.yml` file](https://docs.codeclimate.com/docs/rubocop#using-rubocops-newer-versions)
created in the project repository.
For example, to specify using RuboCop release **0.67**:
```yaml
version: "2"
plugins:
rubocop:
enabled: true
channel: rubocop-0-67
```
### No Code Quality appears on merge requests when using custom tool
If your merge requests do not show any code quality changes when using a custom tool,
ensure that the line property is an `integer`.
### Code Quality CI job with Code Climate plugins enabled fails with error
If you enabled any of the Code Climate plugins, and the Code Quality CI job fails with the error
below, it's likely the job takes longer than the default timeout of 900 seconds:
```shell
error: (CC::CLI::Analyze::EngineFailure) engine pmd ran for 900 seconds and was killed
Could not analyze code quality for the repository at /code
```
To work around this problem, set `TIMEOUT_SECONDS` to a higher value in your `.gitlab.-ci.yml` file.
For example:
```yaml
variables:
TIMEOUT_SECONDS: 3600
```
<!-- This redirect file can be deleted after <2022-09-22>. -->
<!-- Redirects that point to other docs in the same project expire in three months. -->
<!-- Redirects that point to docs in a different project or site (for example, link is not relative and starts with `https:`) expire in one year. -->
<!-- Before deletion, see: https://docs.gitlab.com/ee/development/documentation/redirects.html -->
@ -304,7 +304,7 @@ For a software developer working in a team:
1. You checkout a new branch, and submit your changes through a merge request.
1. You gather feedback from your team.
1. You work on the implementation optimizing code with [Code Quality reports](code_quality.md).
1. You work on the implementation optimizing code with [Code Quality reports](../../../ci/testing/code_quality.md).
1. You verify your changes with [Unit test reports](../../../ci/testing/unit_test_reports.md) in GitLab CI/CD.
1. You avoid using dependencies whose license is not compatible with your project with [License Compliance reports](../../compliance/license_compliance/index.md).
1. You request the [approval](approvals/index.md) from your manager.
@ -15,7 +15,7 @@ GitLab uses [k6](https://k6.io/), a free and open source
tool, for measuring the system performance of applications under
load.
Unlike [Browser Performance Testing](browser_performance_testing.md), which is
Unlike [Browser Performance Testing](../../../ci/testing/browser_performance_testing.md), which is
used to measure how web sites perform in client browsers, Load Performance Testing
can be used to perform various types of [load tests](https://k6.io/docs/#use-cases)
against application endpoints such as APIs, Web Controllers, and so on.
@ -6,8 +6,6 @@ module API
helpers ::API::Helpers::AwardEmoji
before { authenticate! }
Helpers::AwardEmoji.awardables.each do |awardable_params|
resource awardable_params[:resource], requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
awardable_string = awardable_params[:type].pluralize
@ -82,7 +80,7 @@ module API
delete "#{endpoint}/:award_id", feature_category: awardable_params[:feature_category] do
award = awardable.award_emoji.find(params[:award_id])
unauthorized! unless award.user == current_user || current_user.admin?
unauthorized! unless award.user == current_user || current_user&.admin?
destroy_conditionally!(award)
end
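Review bot: With `current_user&.admin?` the delete handler now tolerates a nil `current_user`, but the other half of the condition, `award.user == current_user`, is also satisfied when both sides are nil, so an award with no user would pass the check on an anonymous request unless something earlier in the route (the `awardable` lookup, for instance) already returns 404. Making the signed-in requirement explicit keeps the intent readable: `unauthorized! unless current_user && (award.user == current_user || current_user.admin?)`. Whether `award.user` can ever be nil is not visible here; if the model guarantees it, a short comment on that line saying so would spare the next reader the same question. The enclosing `resource` block starts outside the hunk.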
@ -20,6 +20,11 @@
.review_ecs_base:
stage: review
extends: .deploy_to_ecs
after_script:
- echo "http://$(ecs get-task-hostname)" > environment_url.txt
artifacts:
paths:
- environment_url.txt
.production_ecs_base:
stage: production
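Review bot: `after_script` runs whether or not the job's `script` succeeded, so `environment_url.txt` is written and uploaded as an artifact even for a failed ECS deployment, carrying whatever `ecs get-task-hostname` returns in that state. Guarding the write on the job status avoids publishing a stale or empty URL: `- 'if [ "$CI_JOB_STATUS" = "success" ]; then echo "http://$(ecs get-task-hostname)" > environment_url.txt; fi'`. If the file is meant to feed an `environment: url:` reference, that wiring is not visible in this hunk.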
@ -59,10 +59,8 @@ module QA
feature['state'] == 'conditional' && scopes.present? && enabled_scope?(feature['gates'], **scopes)
else
# The feature wasn't found via the API so we check for a default value.
file = Pathname.new('../config/feature_flags')
.expand_path(Runtime::Path.qa_root)
.glob("**/#{key}.yml")
.first
pattern = "#{File.expand_path('../{ee/,}config/feature_flags', QA::Runtime::Path.qa_root)}/**/#{key}.yml"
file = Dir.glob(pattern).first
raise UnknownFeatureFlagError, "No feature flag found named '#{key}'" unless file
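Review bot: `key` is interpolated unescaped into the glob on the `pattern =` line, so a key containing glob metacharacters (`*`, `?`, `[`, `{`) is expanded by `Dir.glob` rather than matched literally, and `.first` would then silently pick an unrelated definition file instead of raising `UnknownFeatureFlagError`. The previous `Pathname#glob` form had the same property, so this is not a regression, but a one-line guard ahead of the glob keeps the lookup exact: `raise UnknownFeatureFlagError, "No feature flag found named '#{key}'" unless key.to_s.match?(/\A[\w-]+\z/)`. The `{ee/,}` alternation also appears to make the EE directory expand first, so when CE and EE both define the same key `.first` returns the EE file; if that precedence is intended, a comment on the `pattern =` line should say so. The enclosing method starts and ends outside the hunk.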
@ -20,11 +20,12 @@ module QA
describe 'feature flag definition files' do
let(:file) do
path = Pathname.new('../config/feature_flags/development').expand_path(Runtime::Path.qa_root)
path = Pathname.new("#{root}/config/feature_flags/development").expand_path(Runtime::Path.qa_root)
Tempfile.new(%w[ff-test .yml], path)
end
let(:flag) { Pathname.new(file.path).basename('.yml').to_s }
let(:root) { '..'}
before do
definition = <<~YAML
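Review bot: `let(:root) { '..'}` is missing the space before the closing brace, and the same slip appears at `let(:root) { '../ee'}` in the second hunk of this file; the conventional form is `let(:root) { '..' }`. Since `let(:file)` above already reads `root`, declaring `let(:root)` before it (lazy evaluation makes either order work) would make the dependency easier to follow. The enclosing `describe` block continues outside the hunk.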
@ -39,32 +40,44 @@ module QA
file.close!
end
context 'with a default disabled feature flag' do
let(:flag_enabled) { 'false' }
shared_examples 'gets flag value' do
context 'with a default disabled feature flag' do
let(:flag_enabled) { 'false' }
it 'reads the flag as disabled' do
expect(QA::Runtime::Feature.enabled?(flag)).to be false
it 'reads the flag as disabled' do
expect(QA::Runtime::Feature.enabled?(flag)).to be false
end
it 'reads as enabled after the flag is enabled' do
QA::Runtime::Feature.enable(flag)
expect { QA::Runtime::Feature.enabled?(flag) }.to eventually_be_truthy
end
end
it 'reads as enabled after the flag is enabled' do
QA::Runtime::Feature.enable(flag)
context 'with a default enabled feature flag' do
let(:flag_enabled) { 'true' }
expect { QA::Runtime::Feature.enabled?(flag) }.to eventually_be_truthy
it 'reads the flag as enabled' do
expect(QA::Runtime::Feature.enabled?(flag)).to be true
end
it 'reads as disabled after the flag is disabled' do
QA::Runtime::Feature.disable(flag)
expect { QA::Runtime::Feature.enabled?(flag) }.to eventually_be_falsey
end
end
end
context 'with a default enabled feature flag' do
let(:flag_enabled) { 'true' }
context 'with a CE feature flag' do
include_examples 'gets flag value'
end
it 'reads the flag as enabled' do
expect(QA::Runtime::Feature.enabled?(flag)).to be true
end
context 'with an EE feature flag' do
let(:root) { '../ee'}
it 'reads as disabled after the flag is disabled' do
QA::Runtime::Feature.disable(flag)
expect { QA::Runtime::Feature.enabled?(flag) }.to eventually_be_falsey
end
include_examples 'gets flag value'
end
end
end
@ -45,18 +45,21 @@ RSpec.describe Import::BitbucketController do
end
context "when auth state param is valid" do
let(:expires_at) { Time.current + 1.day }
let(:expires_in) { 1.day }
let(:access_token) do
double(token: token,
secret: secret,
expires_at: expires_at,
expires_in: expires_in,
refresh_token: refresh_token)
end
before do
session[:bitbucket_auth_state] = 'state'
end
it "updates access token" do
expires_at = Time.current + 1.day
expires_in = 1.day
access_token = double(token: token,
secret: secret,
expires_at: expires_at,
expires_in: expires_in,
refresh_token: refresh_token)
allow_any_instance_of(OAuth2::Client)
.to receive(:get_token)
.with(hash_including(
@ -75,6 +78,18 @@ RSpec.describe Import::BitbucketController do
expect(session[:bitbucket_expires_in]).to eq(expires_in)
expect(controller).to redirect_to(status_import_bitbucket_url)
end
it "passes namespace_id query param to status if provided" do
namespace_id = 30
allow_any_instance_of(OAuth2::Client)
.to receive(:get_token)
.and_return(access_token)
get :callback, params: { code: code, state: 'state', namespace_id: namespace_id }
expect(controller).to redirect_to(status_import_bitbucket_url(namespace_id: namespace_id))
end
end
end
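Review bot: The new example `passes namespace_id query param to status if provided` stubs `get_token` with a bare `allow_any_instance_of(...).to receive(:get_token)` and only asserts the final redirect, so it would still pass if `namespace_id` were dropped from whatever `redirect_uri` the controller hands to `get_token`, assuming the callback threads it through there as well. The example above it already constrains the call with `.with(hash_including(...))`; mirroring that here with the expected `redirect_uri` would pin that half of the behaviour too. `namespace_id = 30` could also become a `let` next to `expires_at` and `expires_in`, matching how this context just moved its other fixtures into `let`s.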
@ -83,11 +83,10 @@ RSpec.describe Import::GithubController do
expect(flash[:alert]).to eq('Access denied to your GitHub account.')
end
it "includes namespace_id from session if it is present" do
it "includes namespace_id from query params if it is present" do
namespace_id = 1
session[:namespace_id] = 1
get :callback, params: { state: valid_auth_state }
get :callback, params: { state: valid_auth_state, namespace_id: namespace_id }
expect(controller).to redirect_to(status_import_github_url(namespace_id: namespace_id))
end
@ -38,21 +38,47 @@ RSpec.describe Import::GitlabController do
expect(controller.send(:importable_repos)).to be_an_instance_of(Array)
end
it "passes namespace_id query param to status if provided" do
namespace_id = 30
allow_next_instance_of(Gitlab::GitlabImport::Client) do |instance|
allow(instance).to receive(:get_token).and_return(token)
end
get :callback, params: { namespace_id: namespace_id }
expect(controller).to redirect_to(status_import_gitlab_url(namespace_id: namespace_id))
end
end
describe "GET status" do
let(:repo_fake) { Struct.new(:id, :path, :path_with_namespace, :web_url, keyword_init: true) }
let(:repo) { repo_fake.new(id: 1, path: 'vim', path_with_namespace: 'asd/vim', web_url: 'https://gitlab.com/asd/vim') }
before do
assign_session_token
context 'when session contains access token' do
before do
assign_session_token
end
it_behaves_like 'import controller status' do
let(:repo_id) { repo.id }
let(:import_source) { repo.path_with_namespace }
let(:provider_name) { 'gitlab' }
let(:client_repos_field) { :projects }
end
end
it_behaves_like 'import controller status' do
let(:repo_id) { repo.id }
let(:import_source) { repo.path_with_namespace }
let(:provider_name) { 'gitlab' }
let(:client_repos_field) { :projects }
it 'redirects to auth if session does not contain access token' do
remote_gitlab_url = 'https://test.host/auth/gitlab'
allow(Gitlab::GitlabImport::Client)
.to receive(:new)
.and_return(double(authorize_url: remote_gitlab_url))
get :status
expect(response).to redirect_to(remote_gitlab_url)
end
end
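Review bot: The new `redirects to auth if session does not contain access token` example stubs `Gitlab::GitlabImport::Client.new` globally with an unverified `double`, while the example added earlier in the same hunk uses `allow_next_instance_of(Gitlab::GitlabImport::Client)`; the two styles should agree. `allow_next_instance_of(Gitlab::GitlabImport::Client) { |c| allow(c).to receive(:authorize_url).and_return(remote_gitlab_url) }` keeps the real constructor and verifies that `authorize_url` exists on the class. The enclosing `describe` block continues outside the hunk.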
@ -44,7 +44,7 @@ RSpec.describe 'Invalid uploads that must be rejected', :api, :js do
# These keys are rejected directly by rack itself.
# The request will not be received by multipart.rb (can't use the 'handling file uploads' shared example)
it_behaves_like 'rejecting invalid keys', key_name: 'x' * 11000, message: 'Puma caught this error: exceeded available parameter key space (RangeError)'
it_behaves_like 'rejecting invalid keys', key_name: 'x' * 11000
it_behaves_like 'rejecting invalid keys', key_name: 'package[]test', status: 400, message: 'Bad Request'
it_behaves_like 'handling file uploads', 'by rejecting uploads with an invalid key'
@ -8,10 +8,6 @@ jest.mock('@sentry/browser');
jest.mock('~/vue_shared/plugins/global_toast');
describe('Awards app actions', () => {
afterEach(() => {
window.gon = {};
});
describe('setInitialData', () => {
it('commits SET_INITIAL_DATA', async () => {
await testAction(
@ -52,8 +48,6 @@ describe('Awards app actions', () => {
});
it('commits FETCH_AWARDS_SUCCESS', async () => {
window.gon.current_user_id = 1;
await testAction(
actions.fetchAwards,
'1',
@ -62,10 +56,6 @@ describe('Awards app actions', () => {
[{ type: 'fetchAwards', payload: '2' }],
);
});
it('does not commit FETCH_AWARDS_SUCCESS when user signed out', async () => {
await testAction(actions.fetchAwards, '1', { path: '/awards' }, [], []);
});
});
});
@ -75,8 +65,6 @@ describe('Awards app actions', () => {
});
it('calls Sentry.captureException', async () => {
window.gon = { current_user_id: 1 };
await testAction(actions.fetchAwards, null, { path: '/awards' }, [], [], () => {
expect(Sentry.captureException).toHaveBeenCalled();
});
@ -3,8 +3,8 @@
require 'spec_helper'
RSpec.describe API::AwardEmoji do
let_it_be_with_reload(:project) { create(:project, :private) }
let_it_be(:user) { create(:user) }
let_it_be(:project) { create(:project) }
let_it_be(:issue) { create(:issue, project: project) }
let_it_be(:award_emoji) { create(:award_emoji, awardable: issue, user: user) }
let_it_be(:note) { create(:note, project: project, noteable: issue) }
@ -16,6 +16,28 @@ RSpec.describe API::AwardEmoji do
project.add_maintainer(user)
end
shared_examples 'request with insufficient permissions' do |request_method|
let(:request_params) { {} }
context 'when user is not signed in' do
it 'returns 404' do
process request_method, api(request_path), params: request_params
expect(response).to have_gitlab_http_status(:not_found)
end
end
context 'when user does not have access' do
it 'returns 404' do
other_user = create(:user)
process request_method, api(request_path, other_user), params: request_params
expect(response).to have_gitlab_http_status(:not_found)
end
end
end
describe "GET /projects/:id/awardable/:awardable_id/award_emoji" do
context 'on an issue' do
it "returns an array of award_emoji" do
@ -74,14 +96,22 @@ RSpec.describe API::AwardEmoji do
end
end
context 'when the user has no access' do
it 'returns a status code 404' do
user1 = create(:user)
get api("/projects/#{project.id}/merge_requests/#{merge_request.iid}/award_emoji", user1)
expect(response).to have_gitlab_http_status(:not_found)
context 'when unauthenticated and project is public' do
before do
project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
end
it 'returns the awarded emoji' do
get api("/projects/#{project.id}/issues/#{issue.iid}/award_emoji")
expect(response).to have_gitlab_http_status(:ok)
expect(json_response).to be_an Array
expect(json_response.first['name']).to eq(award_emoji.name)
end
end
it_behaves_like 'request with insufficient permissions', :get do
let(:request_path) { "/projects/#{project.id}/issues/#{issue.iid}/award_emoji" }
end
end
@ -95,6 +125,24 @@ RSpec.describe API::AwardEmoji do
expect(json_response).to be_an Array
expect(json_response.first['name']).to eq(rocket.name)
end
context 'when unauthenticated and project is public' do
before do
project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
end
it 'returns the awarded emoji' do
get api("/projects/#{project.id}/issues/#{issue.iid}/notes/#{note.id}/award_emoji")
expect(response).to have_gitlab_http_status(:ok)
expect(json_response).to be_an Array
expect(json_response.first['name']).to eq(rocket.name)
end
end
it_behaves_like 'request with insufficient permissions', :get do
let(:request_path) { "/projects/#{project.id}/issues/#{issue.iid}/notes/#{note.id}/award_emoji" }
end
end
describe "GET /projects/:id/awardable/:awardable_id/award_emoji/:award_id" do
@ -140,14 +188,23 @@ RSpec.describe API::AwardEmoji do
end
end
context 'when the user has no access' do
it 'returns a status code 404' do
user1 = create(:user)
get api("/projects/#{project.id}/merge_requests/#{merge_request.iid}/award_emoji/#{downvote.id}", user1)
expect(response).to have_gitlab_http_status(:not_found)
context 'when unauthenticated and project is public' do
before do
project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
end
it 'returns the awarded emoji' do
get api("/projects/#{project.id}/issues/#{issue.iid}/award_emoji/#{award_emoji.id}", user)
expect(response).to have_gitlab_http_status(:ok)
expect(json_response['name']).to eq(award_emoji.name)
expect(json_response['awardable_id']).to eq(issue.id)
expect(json_response['awardable_type']).to eq("Issue")
end
end
it_behaves_like 'request with insufficient permissions', :get do
let(:request_path) { "/projects/#{project.id}/merge_requests/#{merge_request.iid}/award_emoji/#{downvote.id}" }
end
end
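Review bot: The `when unauthenticated and project is public` context in this hunk is not actually unauthenticated: its request is `get api("/projects/#{project.id}/issues/#{issue.iid}/award_emoji/#{award_emoji.id}", user)`, and `user` is a project maintainer, so the example exercises the member path rather than the anonymous one. Dropping the second argument, as the sibling contexts in the other hunks already do, makes it test what its name says. The `request with insufficient permissions` shared example in the same block targets a merge-request path while the surrounding `describe` is about issues; using the issue path there would keep the block self-consistent.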
@ -161,6 +218,24 @@ RSpec.describe API::AwardEmoji do
expect(json_response).not_to be_an Array
expect(json_response['name']).to eq(rocket.name)
end
context 'when unauthenticated and project is public' do
before do
project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
end
it 'returns the awarded emoji' do
get api("/projects/#{project.id}/issues/#{issue.iid}/notes/#{note.id}/award_emoji/#{rocket.id}")
expect(response).to have_gitlab_http_status(:ok)
expect(json_response).not_to be_an Array
expect(json_response['name']).to eq(rocket.name)
end
end
it_behaves_like 'request with insufficient permissions', :get do
let(:request_path) { "/projects/#{project.id}/issues/#{issue.iid}/notes/#{note.id}/award_emoji/#{rocket.id}" }
end
end
describe "POST /projects/:id/awardable/:awardable_id/award_emoji" do
@ -189,10 +264,10 @@ RSpec.describe API::AwardEmoji do
expect(response).to have_gitlab_http_status(:bad_request)
end
it "returns a 401 unauthorized error if the user is not authenticated" do
it "returns a 404 if the user is not authenticated" do
post api("/projects/#{project.id}/issues/#{issue.iid}/award_emoji"), params: { name: 'thumbsup' }
expect(response).to have_gitlab_http_status(:unauthorized)
expect(response).to have_gitlab_http_status(:not_found)
end
it "normalizes +1 as thumbsup award" do
@ -223,6 +298,11 @@ RSpec.describe API::AwardEmoji do
expect(json_response['user']['username']).to eq(user.username)
end
end
it_behaves_like 'request with insufficient permissions', :post do
let(:request_path) { "/projects/#{project.id}/issues/#{issue.iid}/award_emoji" }
let(:request_params) { { name: 'blowfish' } }
end
end
describe "POST /projects/:id/awardable/:awardable_id/notes/:note_id/award_emoji" do
@ -260,6 +340,11 @@ RSpec.describe API::AwardEmoji do
expect(json_response["message"]).to match("has already been taken")
end
end
it_behaves_like 'request with insufficient permissions', :post do
let(:request_path) { "/projects/#{project.id}/issues/#{issue.iid}/notes/#{note.id}/award_emoji" }
let(:request_params) { { name: 'rocket' } }
end
end
describe 'DELETE /projects/:id/awardable/:awardable_id/award_emoji/:award_id' do
@ -319,9 +404,13 @@ RSpec.describe API::AwardEmoji do
let(:request) { api("/projects/#{project.id}/snippets/#{snippet.id}/award_emoji/#{award.id}", user) }
end
end
it_behaves_like 'request with insufficient permissions', :delete do
let(:request_path) { "/projects/#{project.id}/issues/#{issue.iid}/award_emoji/#{award_emoji.id}" }
end
end
describe 'DELETE /projects/:id/awardable/:awardable_id/award_emoji/:award_emoji_id' do
describe 'DELETE /projects/:id/awardable/:awardable_id/notes/:note_id/award_emoji/:award_id' do
let!(:rocket) { create(:award_emoji, awardable: note, name: 'rocket', user: user) }
it 'deletes the award' do
@ -335,5 +424,9 @@ RSpec.describe API::AwardEmoji do
it_behaves_like '412 response' do
let(:request) { api("/projects/#{project.id}/issues/#{issue.iid}/notes/#{note.id}/award_emoji/#{rocket.id}", user) }
end
it_behaves_like 'request with insufficient permissions', :delete do
let(:request_path) { "/projects/#{project.id}/issues/#{issue.iid}/notes/#{note.id}/award_emoji/#{rocket.id}" }
end
end
end
@ -154,6 +154,13 @@ type UploadClaims struct {
jwt.RegisteredClaims
}
func GetUploadParams(t testing.TB, r *http.Request, name string) map[string]string {
t.Helper()
token, err := jwt.ParseWithClaims(r.PostFormValue(name+".gitlab-workhorse-upload"), &UploadClaims{}, ParseJWT)
require.NoError(t, err)
return token.Claims.(*UploadClaims).Upload
}
func Retry(t testing.TB, timeout time.Duration, fn func() error) {
t.Helper()
start := time.Now()
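Review bot: `GetUploadParams` is exported but has no doc comment, which Go convention expects on exported identifiers. A line such as `// GetUploadParams verifies the signed "<name>.gitlab-workhorse-upload" form field of r and returns its Upload claims, failing the test if the token is missing or invalid.` above the signature would document both the field naming and the failure behaviour that callers rely on. `Retry` continues outside the hunk.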
@ -84,8 +84,9 @@ func TestUploadHandlerSendingToExternalStorage(t *testing.T) {
responseProcessorCalled := 0
responseProcessor := func(w http.ResponseWriter, r *http.Request) {
require.Equal(t, "store-id", r.FormValue("file.remote_id"))
require.NotEmpty(t, r.FormValue("file.remote_url"))
fileParams := testhelper.GetUploadParams(t, r, "file")
require.Equal(t, "store-id", fileParams["remote_id"])
require.NotEmpty(t, fileParams["remote_url"])
w.WriteHeader(200)
responseProcessorCalled++
}
@ -65,26 +65,31 @@ func testArtifactsUploadServer(t *testing.T, authResponse *api.Response, bodyPro
if r.Method != "POST" {
t.Fatal("Expected POST request")
}
fileParams := testhelper.GetUploadParams(t, r, "file")
if opts.IsLocalTempFile() {
if r.FormValue("file.path") == "" {
fPath := fileParams["path"]
if fPath == "" {
t.Fatal("Expected file to be present")
return
}
_, err := os.ReadFile(r.FormValue("file.path"))
_, err := os.ReadFile(fPath)
if err != nil {
t.Fatal("Expected file to be readable")
return
}
} else {
if r.FormValue("file.remote_url") == "" {
if fileParams["remote_url"] == "" {
t.Fatal("Expected file to be remote accessible")
return
}
}
if r.FormValue("metadata.path") != "" {
metadata, err := os.ReadFile(r.FormValue("metadata.path"))
if r.FormValue("metadata.gitlab-workhorse-upload") != "" {
metadataParams := testhelper.GetUploadParams(t, r, "metadata")
metadata, err := os.ReadFile(metadataParams["path"])
if err != nil {
t.Fatal("Expected metadata to be readable")
return
@ -92,15 +92,16 @@ func echoProxy(t *testing.T, expectedBodyLength int) http.Handler {
require.Equal(t, "application/x-www-form-urlencoded", r.Header.Get("Content-Type"), "Wrong Content-Type header")
require.Contains(t, r.PostForm, "file.md5")
require.Contains(t, r.PostForm, "file.sha1")
require.Contains(t, r.PostForm, "file.sha256")
require.Contains(t, r.PostForm, "file.sha512")
fileParams := testhelper.GetUploadParams(t, r, "file")
require.Contains(t, fileParams, "md5")
require.Contains(t, fileParams, "sha1")
require.Contains(t, fileParams, "sha256")
require.Contains(t, fileParams, "sha512")
require.Contains(t, r.PostForm, "file.path")
require.Contains(t, r.PostForm, "file.size")
require.Contains(t, r.PostForm, "file.gitlab-workhorse-upload")
require.Equal(t, strconv.Itoa(expectedBodyLength), r.PostFormValue("file.size"))
require.Contains(t, fileParams, "path")
require.Contains(t, fileParams, "size")
require.Equal(t, strconv.Itoa(expectedBodyLength), fileParams["size"])
token, err := jwt.ParseWithClaims(r.Header.Get(RewrittenFieldsHeader), &MultipartClaims{}, testhelper.ParseJWT)
require.NoError(t, err, "Wrong JWT header")
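Review bot: `fileParams := testhelper.GetUploadParams(t, r, "file")` here and `uploadFields := testhelper.GetUploadParams(t, r, "file")` in the second hunk parse and verify the same token from the same request twice inside one handler. Reusing the first result (`uploadFields := fileParams`, or just referring to `fileParams` in the later assertions) removes the duplicate parse and makes it obvious the two sets of checks are looking at one map. The enclosing `echoProxy` handler starts before this hunk and ends after the third one.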
@ -110,10 +111,7 @@ func echoProxy(t *testing.T, expectedBodyLength int) http.Handler {
t.Fatalf("Unexpected rewritten_fields value: %v", rewrittenFields)
}
token, jwtErr := jwt.ParseWithClaims(r.PostFormValue("file.gitlab-workhorse-upload"), &testhelper.UploadClaims{}, testhelper.ParseJWT)
require.NoError(t, jwtErr, "Wrong signed upload fields")
uploadFields := token.Claims.(*testhelper.UploadClaims).Upload
uploadFields := testhelper.GetUploadParams(t, r, "file")
require.Contains(t, uploadFields, "name")
require.Contains(t, uploadFields, "path")
require.Contains(t, uploadFields, "remote_url")
@ -124,9 +122,10 @@ func echoProxy(t *testing.T, expectedBodyLength int) http.Handler {
require.Contains(t, uploadFields, "sha256")
require.Contains(t, uploadFields, "sha512")
path := r.PostFormValue("file.path")
path := uploadFields["path"]
uploaded, err := os.Open(path)
require.NoError(t, err, "File not uploaded")
defer uploaded.Close()
//sending back the file for testing purpose
io.Copy(w, uploaded)
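Review bot: `fileParams` in the first hunk and `uploadFields` in the second are the same value — `testhelper.GetUploadParams(t, r, "file")` is called twice in one handler, so the JWT is parsed and verified twice; the second call should reuse the first, `uploadFields := fileParams`, or the first block should assert on `uploadFields` directly. The removed assertions that `r.PostForm` contains `file.path`, `file.size` and `file.gitlab-workhorse-upload` were not replaced by anything that pins the new shape of the form, so nothing fails if the unsigned copies ever come back; an explicit `require.NotContains(t, r.PostForm, "file.path")` next to the `fileParams` checks would catch that. echoProxy begins outside these hunks.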


@ -68,42 +68,31 @@ func (fh *FileHandler) MD5() string {
// GitLabFinalizeFields returns a map with all the fields GitLab Rails needs in order to finalize the upload.
func (fh *FileHandler) GitLabFinalizeFields(prefix string) (map[string]string, error) {
// TODO: remove `data` these once rails fully and exclusively support `signedData` (https://gitlab.com/gitlab-org/gitlab/-/issues/324873)
data := make(map[string]string)
signedData := make(map[string]string)
key := func(field string) string {
if prefix == "" {
return field
}
return fmt.Sprintf("%s.%s", prefix, field)
}
for k, v := range map[string]string{
signedData := map[string]string{
"name": fh.Name,
"path": fh.LocalPath,
"remote_url": fh.RemoteURL,
"remote_id": fh.RemoteID,
"size": strconv.FormatInt(fh.Size, 10),
"upload_duration": strconv.FormatFloat(fh.uploadDuration, 'f', -1, 64),
} {
data[key(k)] = v
signedData[k] = v
}
for hashName, hash := range fh.hashes {
data[key(hashName)] = hash
signedData[hashName] = hash
}
claims := uploadClaims{Upload: signedData, RegisteredClaims: secret.DefaultClaims}
claims := uploadClaims{
Upload: signedData,
RegisteredClaims: secret.DefaultClaims,
}
jwtData, err := secret.JWTTokenString(claims)
if err != nil {
return nil, err
}
data[key("gitlab-workhorse-upload")] = jwtData
return data, nil
return map[string]string{
prefix + ".gitlab-workhorse-upload": jwtData,
}, nil
}
type consumer interface {
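Review bot: The returned key is built as `prefix + ".gitlab-workhorse-upload"`, so an empty prefix now yields the key `.gitlab-workhorse-upload` — the deleted `key` helper returned the bare field name for `prefix == ""`, and this hunk drops that case without comment. If no caller passes an empty prefix, say so in the doc comment; otherwise keep the old behaviour with `key := "gitlab-workhorse-upload"` followed by `if prefix != "" { key = prefix + "." + key }`. The doc comment above the function still says it returns "all the fields GitLab Rails needs", but the map now holds only the signed token; I'd reword it to `// GitLabFinalizeFields returns a map with a single entry, "<prefix>.gitlab-workhorse-upload", whose value is a JWT carrying name, path, remote_url, remote_id, size, upload_duration and the computed hashes.`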


@ -3,7 +3,6 @@ package destination_test
import (
"context"
"errors"
"fmt"
"os"
"path"
"strconv"
@ -220,14 +219,21 @@ func TestUpload(t *testing.T) {
fields, err := fh.GitLabFinalizeFields("file")
require.NoError(t, err)
checkFileHandlerWithFields(t, fh, fields, "file")
token, jwtErr := jwt.ParseWithClaims(fields["file.gitlab-workhorse-upload"], &testhelper.UploadClaims{}, testhelper.ParseJWT)
require.NoError(t, jwtErr)
uploadFields := token.Claims.(*testhelper.UploadClaims).Upload
checkFileHandlerWithFields(t, fh, uploadFields, "")
require.Equal(t, fh.Name, uploadFields["name"])
require.Equal(t, fh.LocalPath, uploadFields["path"])
require.Equal(t, fh.RemoteURL, uploadFields["remote_url"])
require.Equal(t, fh.RemoteID, uploadFields["remote_id"])
require.Equal(t, strconv.FormatInt(test.ObjectSize, 10), uploadFields["size"])
require.Equal(t, test.ObjectMD5, uploadFields["md5"])
require.Equal(t, test.ObjectSHA1, uploadFields["sha1"])
require.Equal(t, test.ObjectSHA256, uploadFields["sha256"])
require.Equal(t, test.ObjectSHA512, uploadFields["sha512"])
require.NotEmpty(t, uploadFields["upload_duration"])
})
}
}
@ -463,24 +469,3 @@ func TestUploadRemoteFileWithLimit(t *testing.T) {
})
}
}
func checkFileHandlerWithFields(t *testing.T, fh *destination.FileHandler, fields map[string]string, prefix string) {
key := func(field string) string {
if prefix == "" {
return field
}
return fmt.Sprintf("%s.%s", prefix, field)
}
require.Equal(t, fh.Name, fields[key("name")])
require.Equal(t, fh.LocalPath, fields[key("path")])
require.Equal(t, fh.RemoteURL, fields[key("remote_url")])
require.Equal(t, fh.RemoteID, fields[key("remote_id")])
require.Equal(t, strconv.FormatInt(test.ObjectSize, 10), fields[key("size")])
require.Equal(t, test.ObjectMD5, fields[key("md5")])
require.Equal(t, test.ObjectSHA1, fields[key("sha1")])
require.Equal(t, test.ObjectSHA256, fields[key("sha256")])
require.Equal(t, test.ObjectSHA512, fields[key("sha512")])
require.NotEmpty(t, fields[key("upload_duration")])
}
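Review bot: The new TestUpload assertions verify every claim inside `fields["file.gitlab-workhorse-upload"]` but never check what else `fields` contains, so unsigned copies of path or remote_id could reappear in `GitLabFinalizeFields` without failing this test; add `require.Len(t, fields, 1)` right after `require.NoError(t, err)`. With `checkFileHandlerWithFields` deleted in the last hunk the per-field checks are inlined into the test case, which is fine, but a one-line comment above the `jwt.ParseWithClaims` call such as `// Only the signed JWT is forwarded to Rails; every upload field must be read from its claims.` would explain why the test no longer looks at plain form fields. TestUpload begins outside the hunk.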


@ -89,14 +89,16 @@ func TestUploadHandlerRewritingMultiPartData(t *testing.T) {
require.Empty(t, r.MultipartForm.File, "Expected to not receive any files")
require.Equal(t, "test", r.FormValue("token"), "Expected to receive token")
require.Equal(t, "my.file", r.FormValue("file.name"), "Expected to receive a filename")
filePath = r.FormValue("file.path")
fileParams := testhelper.GetUploadParams(t, r, "file")
require.Equal(t, "my.file", fileParams["name"], "Expected to receive a filename")
filePath = fileParams["path"]
require.True(t, strings.HasPrefix(filePath, tempPath), "Expected to the file to be in tempPath")
require.Empty(t, r.FormValue("file.remote_url"), "Expected to receive empty remote_url")
require.Empty(t, r.FormValue("file.remote_id"), "Expected to receive empty remote_id")
require.Equal(t, "4", r.FormValue("file.size"), "Expected to receive the file size")
require.Empty(t, fileParams["remote_url"], "Expected to receive empty remote_url")
require.Empty(t, fileParams["remote_id"], "Expected to receive empty remote_id")
require.Equal(t, "4", fileParams["size"], "Expected to receive the file size")
hashes := map[string]string{
"md5": "098f6bcd4621d373cade4e832627b4f6",
@ -106,10 +108,10 @@ func TestUploadHandlerRewritingMultiPartData(t *testing.T) {
}
for algo, hash := range hashes {
require.Equal(t, hash, r.FormValue("file."+algo), "file hash %s", algo)
require.Equal(t, hash, fileParams[algo], "file hash %s", algo)
}
require.Len(t, r.MultipartForm.Value, 12, "multipart form values")
require.Len(t, fileParams, 10, "multipart form values")
w.WriteHeader(202)
fmt.Fprint(w, "RESPONSE")
@ -147,7 +149,7 @@ func TestUploadHandlerRewritingMultiPartData(t *testing.T) {
}
func TestUploadHandlerDetectingInjectedMultiPartData(t *testing.T) {
var filePath string
testhelper.ConfigureSecret()
tests := []struct {
name string
@ -155,13 +157,8 @@ func TestUploadHandlerDetectingInjectedMultiPartData(t *testing.T) {
response int
}{
{
name: "injected file.path",
field: "file.path",
response: 400,
},
{
name: "injected file.remote_id",
field: "file.remote_id",
name: "injected file.gitlab-workhorse-upload",
field: "file.gitlab-workhorse-upload",
response: 400,
},
{
@ -194,6 +191,7 @@ func TestUploadHandlerDetectingInjectedMultiPartData(t *testing.T) {
require.NoError(t, err)
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
httpRequest = httpRequest.WithContext(ctx)
httpRequest.Header.Set("Content-Type", writer.FormDataContentType())
response := httptest.NewRecorder()
@ -202,9 +200,6 @@ func TestUploadHandlerDetectingInjectedMultiPartData(t *testing.T) {
testInterceptMultipartFiles(t, response, httpRequest, handler, &testFormProcessor{})
require.Equal(t, test.response, response.Code)
cancel() // this will trigger an async cleanup
waitUntilDeleted(t, filePath)
})
}
}
@ -425,7 +420,8 @@ func TestUploadHandlerRemovingExif(t *testing.T) {
err := r.ParseMultipartForm(100000)
require.NoError(t, err)
size, err := strconv.Atoi(r.FormValue("file.size"))
fileParams := testhelper.GetUploadParams(t, r, "file")
size, err := strconv.Atoi(fileParams["size"])
require.NoError(t, err)
require.True(t, size < len(content), "Expected the file to be smaller after removal of exif")
require.True(t, size > 0, "Expected to receive not empty file")
@ -443,7 +439,8 @@ func TestUploadHandlerRemovingExifTiff(t *testing.T) {
err := r.ParseMultipartForm(100000)
require.NoError(t, err)
size, err := strconv.Atoi(r.FormValue("file.size"))
fileParams := testhelper.GetUploadParams(t, r, "file")
size, err := strconv.Atoi(fileParams["size"])
require.NoError(t, err)
require.True(t, size < len(content), "Expected the file to be smaller after removal of exif")
require.True(t, size > 0, "Expected to receive not empty file")
@ -461,7 +458,8 @@ func TestUploadHandlerRemovingExifInvalidContentType(t *testing.T) {
err := r.ParseMultipartForm(100000)
require.NoError(t, err)
output, err := os.ReadFile(r.FormValue("file.path"))
fileParams := testhelper.GetUploadParams(t, r, "file")
output, err := os.ReadFile(fileParams["path"])
require.NoError(t, err)
require.Equal(t, content, output, "Expected the file to be same as before")
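Review bot: `require.Len(t, fileParams, 10, "multipart form values")` in the `TestUploadHandlerRewritingMultiPartData` hunk counts the decoded upload params rather than the multipart form, so the message is misleading and the test no longer pins how many raw fields reach Rails; I'd keep a size check on the form, `require.Len(t, r.MultipartForm.Value, 2, "multipart form values") // token + file.gitlab-workhorse-upload`, and relabel the params check `"signed upload params"`. The count of 2 is my inference from `token` and `file.gitlab-workhorse-upload` being the only form fields the hunk still reads; confirm it before pinning. In `TestUploadHandlerDetectingInjectedMultiPartData` the `file.path` and `file.remote_id` injection cases were replaced by a single `file.gitlab-workhorse-upload` case; a comment on the table, `// Workhorse no longer emits plaintext file.* fields, so only the signed field needs injection protection`, would record why those cases went away, assuming that is the reason. Removing `waitUntilDeleted(t, filePath)` also drops the check that the temp file is cleaned up after a rejected request — if that still matters, it now has no coverage here.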


@ -81,9 +81,10 @@ func uploadTestServer(t *testing.T, authorizeTests func(r *http.Request), extraT
}
require.NoError(t, r.ParseMultipartForm(100000))
require.Len(t, r.MultipartForm.Value, 1) // Expect 1 key: "file.gitlab-workhorse-upload"
const nValues = 11 // file name, path, remote_url, remote_id, size, md5, sha1, sha256, sha512, upload_duration, gitlab-workhorse-upload for just the upload (no metadata because we are not POSTing a valid zip file)
require.Len(t, r.MultipartForm.Value, nValues)
const nValues = 10 // file name, path, remote_url, remote_id, size, md5, sha1, sha256, sha512, upload_duration (no metadata because we are not POSTing a valid zip file)
require.Len(t, testhelper.GetUploadParams(t, r, "file"), nValues)
require.Empty(t, r.MultipartForm.File, "multipart form files")
@ -174,10 +175,7 @@ func TestAcceleratedUpload(t *testing.T) {
t.Fatalf("Unexpected rewritten_fields value: %v", rewrittenFields)
}
token, jwtErr := jwt.ParseWithClaims(r.PostFormValue("file.gitlab-workhorse-upload"), &testhelper.UploadClaims{}, testhelper.ParseJWT)
require.NoError(t, jwtErr)
uploadFields := token.Claims.(*testhelper.UploadClaims).Upload
uploadFields := testhelper.GetUploadParams(t, r, "file")
require.Contains(t, uploadFields, "name")
require.Contains(t, uploadFields, "path")
require.Contains(t, uploadFields, "remote_url")
@ -339,12 +337,11 @@ func TestLfsUpload(t *testing.T) {
case resource:
expectSignedRequest(t, r)
// Expect the request to point to a file on disk containing the data
require.NoError(t, r.ParseForm())
require.Equal(t, oid, r.Form.Get("file.sha256"), "Invalid SHA256 populated")
require.Equal(t, strconv.Itoa(len(reqBody)), r.Form.Get("file.size"), "Invalid size populated")
fileParams := testhelper.GetUploadParams(t, r, "file")
require.Equal(t, oid, fileParams["sha256"], "Invalid SHA256 populated")
require.Equal(t, strconv.Itoa(len(reqBody)), fileParams["size"], "Invalid size populated")
tempfile, err := os.ReadFile(r.Form.Get("file.path"))
tempfile, err := os.ReadFile(fileParams["path"])
require.NoError(t, err)
require.Equal(t, reqBody, string(tempfile), "Temporary file has the wrong body")
@ -462,13 +459,12 @@ func packageUploadTestServer(t *testing.T, method string, resource string, reqBo
case resource:
expectSignedRequest(t, r)
// Expect the request to point to a file on disk containing the data
require.NoError(t, r.ParseForm())
fileParams := testhelper.GetUploadParams(t, r, "file")
len := strconv.Itoa(len(reqBody))
require.Equal(t, len, r.Form.Get("file.size"), "Invalid size populated")
require.Equal(t, len, fileParams["size"], "Invalid size populated")
tmpFilePath := r.Form.Get("file.path")
tmpFilePath := fileParams["path"]
fileData, err := os.ReadFile(tmpFilePath)
defer os.Remove(tmpFilePath)