diff --git a/Gemfile.lock b/Gemfile.lock index 127b4fc35aa..74ccb9dad70 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1144,9 +1144,8 @@ GEM sass-listen (4.0.0) rb-fsevent (~> 0.9, >= 0.9.4) rb-inotify (~> 0.9, >= 0.9.7) - sassc (2.0.1) + sassc (2.4.0) ffi (~> 1.9) - rake sassc-rails (2.1.0) railties (>= 4.0.0) sassc (>= 2.0) diff --git a/app/assets/stylesheets/startup/startup-signin.scss b/app/assets/stylesheets/startup/startup-signin.scss index c91336b579c..c5cbe58ec27 100644 --- a/app/assets/stylesheets/startup/startup-signin.scss +++ b/app/assets/stylesheets/startup/startup-signin.scss @@ -138,10 +138,10 @@ hr { margin-right: -15px; margin-left: -15px; } -.col, -.col-sm-5, +.col-sm-12, .col-sm-7, -.col-sm-12 { +.col-sm-5, +.col { position: relative; width: 100%; padding-right: 15px; @@ -160,12 +160,12 @@ hr { } @media (min-width: 576px) { .col-sm-5 { - flex: 0 0 41.66667%; - max-width: 41.66667%; + flex: 0 0 41.6666666667%; + max-width: 41.6666666667%; } .col-sm-7 { - flex: 0 0 58.33333%; - max-width: 58.33333%; + flex: 0 0 58.3333333333%; + max-width: 58.3333333333%; } .col-sm-12 { flex: 0 0 100%; diff --git a/app/controllers/admin/broadcast_messages_controller.rb b/app/controllers/admin/broadcast_messages_controller.rb index 4660b0bfbb0..ef843a84e6c 100644 --- a/app/controllers/admin/broadcast_messages_controller.rb +++ b/app/controllers/admin/broadcast_messages_controller.rb @@ -65,6 +65,6 @@ class Admin::BroadcastMessagesController < Admin::ApplicationController target_path broadcast_type dismissable - )) + ), target_access_levels: []).reverse_merge!(target_access_levels: []) end end diff --git a/app/helpers/broadcast_messages_helper.rb b/app/helpers/broadcast_messages_helper.rb index 881e11b10ea..95e68c7e3cf 100644 --- a/app/helpers/broadcast_messages_helper.rb +++ b/app/helpers/broadcast_messages_helper.rb @@ -1,14 +1,22 @@ # frozen_string_literal: true module BroadcastMessagesHelper + include Gitlab::Utils::StrongMemoize + def current_broadcast_banner_messages - BroadcastMessage.current_banner_messages(request.path).select do |message| + BroadcastMessage.current_banner_messages( + current_path: request.path, + user_access_level: current_user_access_level_for_project_or_group + ).select do |message| cookies["hide_broadcast_message_#{message.id}"].blank? end end def current_broadcast_notification_message - not_hidden_messages = BroadcastMessage.current_notification_messages(request.path).select do |message| + not_hidden_messages = BroadcastMessage.current_notification_messages( + current_path: request.path, + user_access_level: current_user_access_level_for_project_or_group + ).select do |message| cookies["hide_broadcast_message_#{message.id}"].blank? end not_hidden_messages.last @@ -61,4 +69,31 @@ module BroadcastMessagesHelper def broadcast_type_options BroadcastMessage.broadcast_types.keys.map { |w| [w.humanize, w] } end + + def target_access_level_options + BroadcastMessage::ALLOWED_TARGET_ACCESS_LEVELS.map do |access_level| + [Gitlab::Access.human_access(access_level), access_level] + end + end + + def target_access_levels_display(access_levels) + access_levels.map do |access_level| + Gitlab::Access.human_access(access_level) + end.join(', ') + end + + private + + def current_user_access_level_for_project_or_group + return if Feature.disabled?(:role_targeted_broadcast_messages, default_enabled: :yaml) + return unless current_user.present? + + strong_memoize(:current_user_access_level_for_project_or_group) do + if controller.is_a? Projects::ApplicationController + @project&.team&.max_member_access(current_user.id) + elsif controller.is_a? Groups::ApplicationController + @group&.max_member_access_for_user(current_user) + end + end + end end diff --git a/app/models/broadcast_message.rb b/app/models/broadcast_message.rb index 1ee5c081840..90fde5f8385 100644 --- a/app/models/broadcast_message.rb +++ b/app/models/broadcast_message.rb @@ -4,12 +4,21 @@ class BroadcastMessage < ApplicationRecord include CacheMarkdownField include Sortable + ALLOWED_TARGET_ACCESS_LEVELS = [ + Gitlab::Access::GUEST, + Gitlab::Access::REPORTER, + Gitlab::Access::DEVELOPER, + Gitlab::Access::MAINTAINER, + Gitlab::Access::OWNER + ].freeze + cache_markdown_field :message, pipeline: :broadcast_message, whitelisted: true validates :message, presence: true validates :starts_at, presence: true validates :ends_at, presence: true validates :broadcast_type, presence: true + validates :target_access_levels, inclusion: { in: ALLOWED_TARGET_ACCESS_LEVELS } validates :color, allow_blank: true, color: true validates :font, allow_blank: true, color: true @@ -29,20 +38,20 @@ class BroadcastMessage < ApplicationRecord } class << self - def current_banner_messages(current_path = nil) - fetch_messages BANNER_CACHE_KEY, current_path do + def current_banner_messages(current_path: nil, user_access_level: nil) + fetch_messages BANNER_CACHE_KEY, current_path, user_access_level do current_and_future_messages.banner end end - def current_notification_messages(current_path = nil) - fetch_messages NOTIFICATION_CACHE_KEY, current_path do + def current_notification_messages(current_path: nil, user_access_level: nil) + fetch_messages NOTIFICATION_CACHE_KEY, current_path, user_access_level do current_and_future_messages.notification end end - def current(current_path = nil) - fetch_messages CACHE_KEY, current_path do + def current(current_path: nil, user_access_level: nil) + fetch_messages CACHE_KEY, current_path, user_access_level do current_and_future_messages end end @@ -63,7 +72,7 @@ class BroadcastMessage < ApplicationRecord private - def fetch_messages(cache_key, current_path) + def fetch_messages(cache_key, current_path, user_access_level) messages = cache.fetch(cache_key, as: BroadcastMessage, expires_in: cache_expires_in) do yield end @@ -74,7 +83,13 @@ class BroadcastMessage < ApplicationRecord # displaying we'll refresh the cache so we don't need to keep filtering. cache.expire(cache_key) if now_or_future != messages - now_or_future.select(&:now?).select { |message| message.matches_current_path(current_path) } + messages = now_or_future.select(&:now?) + messages = messages.select do |message| + message.matches_current_user_access_level?(user_access_level) + end + messages.select do |message| + message.matches_current_path(current_path) + end end end @@ -102,6 +117,12 @@ class BroadcastMessage < ApplicationRecord now? || future? end + def matches_current_user_access_level?(user_access_level) + return true if target_access_levels.empty? + + target_access_levels.include? user_access_level + end + def matches_current_path(current_path) return false if current_path.blank? && target_path.present? return true if current_path.blank? || target_path.blank? diff --git a/app/services/post_receive_service.rb b/app/services/post_receive_service.rb index f5638b0aa40..15c978e6763 100644 --- a/app/services/post_receive_service.rb +++ b/app/services/post_receive_service.rb @@ -86,7 +86,7 @@ class PostReceiveService banner = nil if project - scoped_messages = BroadcastMessage.current_banner_messages(project.full_path).select do |message| + scoped_messages = BroadcastMessage.current_banner_messages(current_path: project.full_path).select do |message| message.target_path.present? && message.matches_current_path(project.full_path) end diff --git a/app/views/admin/broadcast_messages/_form.html.haml b/app/views/admin/broadcast_messages/_form.html.haml index b68c22b6942..d81ebb8a2bb 100644 --- a/app/views/admin/broadcast_messages/_form.html.haml +++ b/app/views/admin/broadcast_messages/_form.html.haml @@ -55,6 +55,14 @@ = f.check_box :dismissable = f.label :dismissable do = _('Allow users to dismiss the broadcast message') + - if Feature.enabled?(:role_targeted_broadcast_messages, default_enabled: :yaml) + .form-group.row + .col-sm-2.col-form-label + = f.label :target_access_levels, _('Target roles') + .col-sm-10 + = f.select :target_access_levels, target_access_level_options, { include_hidden: false }, multiple: true, class: 'form-control' + .form-text.text-muted + = _('The broadcast message displays only to users in projects and groups who have these roles.') .form-group.row.js-toggle-colors-container.toggle-colors.hide .col-sm-2.col-form-label = f.label :font, _("Font Color") diff --git a/app/views/admin/broadcast_messages/index.html.haml b/app/views/admin/broadcast_messages/index.html.haml index 3f07bea7840..54c2a9d5250 100644 --- a/app/views/admin/broadcast_messages/index.html.haml +++ b/app/views/admin/broadcast_messages/index.html.haml @@ -1,10 +1,11 @@ - breadcrumb_title _("Messages") - page_title _("Broadcast Messages") +- targeted_broadcast_messages_enabled = Feature.enabled?(:role_targeted_broadcast_messages, default_enabled: :yaml) %h3.page-title = _('Broadcast Messages') %p.light - = _('Broadcast messages are displayed for every user and can be used to notify users about scheduled maintenance, recent upgrades and more.') + = _('Use banners and notifications to notify your users about scheduled maintenance, recent upgrades, and more.') = render 'form' @@ -19,8 +20,10 @@ %th= _('Preview') %th= _('Starts') %th= _('Ends') - %th= _(' Target Path') - %th= _(' Type') + - if targeted_broadcast_messages_enabled + %th= _('Target roles') + %th= _('Target Path') + %th= _('Type') %th   %tbody - @broadcast_messages.each do |message| @@ -33,6 +36,9 @@ = message.starts_at %td = message.ends_at + - if targeted_broadcast_messages_enabled + %td + = target_access_levels_display(message.target_access_levels) %td = message.target_path %td diff --git a/config/feature_flags/development/role_targeted_broadcast_messages.yml b/config/feature_flags/development/role_targeted_broadcast_messages.yml new file mode 100644 index 00000000000..723cab1abbb --- /dev/null +++ b/config/feature_flags/development/role_targeted_broadcast_messages.yml @@ -0,0 +1,8 @@ +--- +name: role_targeted_broadcast_messages +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77498 +rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/351736 +milestone: '14.8' +type: development +group: group::activation +default_enabled: false diff --git a/data/deprecations/14-8-ci-build-variables.yml b/data/deprecations/14-8-ci-build-variables.yml new file mode 100644 index 00000000000..52c7ecf6c52 --- /dev/null +++ b/data/deprecations/14-8-ci-build-variables.yml @@ -0,0 +1,16 @@ +- name: "`CI_BUILD_*` predefined variables" + announcement_milestone: "14.8" + announcement_date: "2021-02-22" + removal_milestone: "15.0" + removal_date: "2022-05-22" + breaking_change: true + reporter: dhershkovitch + body: | + The predefined CI/CD variables that start with `CI_BUILD_*` were deprecated in GitLab 9.0, and will be removed in GitLab 15.0. If you still use these variables, be sure to change to the current [`CI_JOB_*` predefined variables](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html) which are identical (except for the updated name). +# The following items are not published on the docs page, but may be used in the future. + stage: Verify + tiers: [Free, Premium, Ultimate] + issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/352957 + documentation_url: https://docs.gitlab.com/ee/ci/variables/predefined_variables.html + image_url: # (optional) This is a link to a thumbnail image depicting the feature + video_url: # (optional) Use the youtube thumbnail URL with the structure of https://img.youtube.com/vi/UNIQUEID/hqdefault.jpg diff --git a/data/deprecations/14-8-sast-secret-analyzer-image.yml b/data/deprecations/14-8-sast-secret-analyzer-image.yml new file mode 100644 index 00000000000..b1cb5c82764 --- /dev/null +++ b/data/deprecations/14-8-sast-secret-analyzer-image.yml @@ -0,0 +1,27 @@ +- name: "Secure and Protect analyzer images published in new location" + announcement_milestone: "14.8" + announcement_date: "2022-02-22" + removal_milestone: "15.0" + removal_date: "2022-05-22" + breaking_change: true + reporter: connorgilbert + body: | # Do not modify this line, instead modify the lines below. + GitLab uses various [analyzers](https://docs.gitlab.com/ee/user/application_security/terminology/#analyzer) to [scan for security vulnerabilities](https://docs.gitlab.com/ee/user/application_security/). + Each analyzer is distributed as a container image. + + Starting in GitLab 14.8, new versions of GitLab Secure and Protect analyzers are published to a new registry location under `registry.gitlab.com/security-products`. + + We will update the default value of [GitLab-managed CI/CD templates](https://gitlab.com/gitlab-org/gitlab/-/tree/master/lib/gitlab/ci/templates/Security) to reflect this change: + + - For all analyzers except Container Scanning, we will update the variable `SECURE_ANALYZERS_PREFIX` to the new image registry location. + - For Container Scanning, the default image address is already updated. There is no `SECURE_ANALYZERS_PREFIX` variable for Container Scanning. + + In a future release, we will stop publishing images to `registry.gitlab.com/gitlab-org/security-products/analyzers`. + Once this happens, you must take action if you manually pull images and push them into a separate registry. This is commonly the case for [offline deployments](https://docs.gitlab.com/ee/user/application_security/offline_deployments/index.html). + Otherwise, you won't receive further updates. + + See the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/352564) for more details. +# The following items are not published on the docs page, but may be used in the future. + stage: Secure + tiers: [Free, Silver, Gold, Core, Premium, Ultimate] + issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/352564 diff --git a/data/deprecations/JTW_v2_update.yml b/data/deprecations/JTW_v2_update.yml new file mode 100644 index 00000000000..53aa9ca2c19 --- /dev/null +++ b/data/deprecations/JTW_v2_update.yml @@ -0,0 +1,28 @@ +# This is a template for a feature deprecation +# A deprecation typically occurs when a feature or capability is planned to be removed in a future release. +# Deprecations should be announced at least two releases prior to removal. Any breaking changes should only be done in major releases. +# +# Below is an example of what a single entry should look like, it's required attributes, +# and what types we expect those attribute values to be. +# +# For more information please refer to the handbook documentation here: +# https://about.gitlab.com/handbook/marketing/blog/release-posts/#deprecations +# +# Please delete this line and above before submitting your merge request. + +- name: "Changes to the `CI_JOB_JWT`" # The name of the feature to be deprecated + announcement_milestone: "14.8" # The milestone when this feature was first announced as deprecated. + announcement_date: "2022-02-22" # The date of the milestone release when this feature was first announced as deprecated. This should almost always be the 22nd of a month (YYYY-MM-22), unless you did an out of band blog post. + removal_milestone: "15.0" # The milestone when this feature is planned to be removed + removal_date: # The date of the milestone release when this feature is planned to be removed. This should almost always be the 22nd of a month (YYYY-MM-22), unless you did an out of band blog post. + breaking_change: true # If this deprecation is a breaking change, set this value to true + reporter: dhershkovitch # GitLab username of the person reporting the deprecation + body: | # Do not modify this line, instead modify the lines below. + The `CI_JOB_JWT` will be updated to support a wider variety of cloud providers. It will be changed to match [`CI_JOB_JWT_V2`](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html), but this change may not be backwards compatible for all users, including Hashicorp Vault users. To maintain the current behavior, users can switch to using `CI_JOB_JWT_V1`, or update their configuration in GitLab 15.0 to use the improved `CI_JOB_JWT`. +# The following items are not published on the docs page, but may be used in the future. + stage: # (optional - may be required in the future) String value of the stage that the feature was created in. e.g., Growth + tiers: # (optional - may be required in the future) An array of tiers that the feature is available in currently. e.g., [Free, Silver, Gold, Core, Premium, Ultimate] + issue_url: # (optional) This is a link to the deprecation issue in GitLab + documentation_url: # (optional) This is a link to the current documentation page + image_url: # (optional) This is a link to a thumbnail image depicting the feature + video_url: # (optional) Use the youtube thumbnail URL with the structure of https://img.youtube.com/vi/UNIQUEID/hqdefault.jpg diff --git a/data/removals/14_0/14_0-ds-deprecations.yml b/data/removals/14_0/14_0-ds-deprecations.yml index 3d143863db5..91da10097ed 100644 --- a/data/removals/14_0/14_0-ds-deprecations.yml +++ b/data/removals/14_0/14_0-ds-deprecations.yml @@ -1,4 +1,4 @@ -- name: "Deprecations for Dependency Scanning" +- name: "Dependency Scanning" removal_date: "2021-06-22" removal_milestone: "14.0" reporter: nicoleschwartz diff --git a/data/removals/14_0/14_0-lc-deprecations.yml b/data/removals/14_0/14_0-lc-deprecations.yml index 5ca4836038d..6322b102ec5 100644 --- a/data/removals/14_0/14_0-lc-deprecations.yml +++ b/data/removals/14_0/14_0-lc-deprecations.yml @@ -1,4 +1,4 @@ -- name: "Removals for License Compliance" +- name: "License Compliance" removal_date: "2021-06-22" removal_milestone: "14.0" reporter: nicoleschwartz diff --git a/data/removals/14_0/create-code-review-w-parameter-removal.yml b/data/removals/14_0/create-code-review-w-parameter-removal.yml index 051849a8335..3adec30a1e7 100644 --- a/data/removals/14_0/create-code-review-w-parameter-removal.yml +++ b/data/removals/14_0/create-code-review-w-parameter-removal.yml @@ -1,4 +1,4 @@ -- name: "Remove `?w=1` URL parameter to ignore whitespace changes" +- name: "`?w=1` URL parameter to ignore whitespace changes" removal_date: "2021-06-22" removal_milestone: "14.0" reporter: phikai diff --git a/data/removals/14_0/deprecation_bump_terraform_template_version.yml b/data/removals/14_0/deprecation_bump_terraform_template_version.yml index 1ea463e0df8..253dd81e9ea 100644 --- a/data/removals/14_0/deprecation_bump_terraform_template_version.yml +++ b/data/removals/14_0/deprecation_bump_terraform_template_version.yml @@ -1,4 +1,4 @@ -- name: "New Terraform template version" +- name: "Terraform template version" removal_date: "2021-06-22" removal_milestone: "14.0" # example issue_url: "" diff --git a/data/removals/14_0/deprecation_update_cicd_templates_to_stop_using_hardcode_master.yml b/data/removals/14_0/deprecation_update_cicd_templates_to_stop_using_hardcode_master.yml index b54c135a035..4df59321bc5 100644 --- a/data/removals/14_0/deprecation_update_cicd_templates_to_stop_using_hardcode_master.yml +++ b/data/removals/14_0/deprecation_update_cicd_templates_to_stop_using_hardcode_master.yml @@ -1,4 +1,4 @@ -- name: "Update CI/CD templates to stop using hardcoded `master`" +- name: "Hardcoded `master` in CI/CD templates" reporter: dhershkovitch removal_date: "2021-06-22" removal_milestone: "14.0" diff --git a/data/removals/14_0/deuley_servicetemplates_removal.yml b/data/removals/14_0/deuley_servicetemplates_removal.yml index 3728b6b9e66..bbc70d98562 100644 --- a/data/removals/14_0/deuley_servicetemplates_removal.yml +++ b/data/removals/14_0/deuley_servicetemplates_removal.yml @@ -1,4 +1,4 @@ -- name: "Service Templates removed" +- name: "Service Templates" removal_date: "2021-06-22" removal_milestone: "14.0" reporter: deuley diff --git a/data/removals/14_0/release_announce_deprecation_of_release_notes_api.yml b/data/removals/14_0/release_announce_deprecation_of_release_notes_api.yml index 6a04a49afa1..d7e12a89f14 100644 --- a/data/removals/14_0/release_announce_deprecation_of_release_notes_api.yml +++ b/data/removals/14_0/release_announce_deprecation_of_release_notes_api.yml @@ -1,4 +1,4 @@ -- name: "Removal of release description in the Tags API" +- name: "Release description in the Tags API" reporter: kbychu removal_date: "2021-06-22" removal_milestone: "14.0" diff --git a/data/removals/14_0/release_deprecation_auto-deploy-image.yml b/data/removals/14_0/release_deprecation_auto-deploy-image.yml index 97f102d80ac..d6cd9ac23ca 100644 --- a/data/removals/14_0/release_deprecation_auto-deploy-image.yml +++ b/data/removals/14_0/release_deprecation_auto-deploy-image.yml @@ -1,10 +1,10 @@ -- name: "Update Auto Deploy template version" +- name: "Auto Deploy CI template v1" reporter: kbychu removal_date: "2021-06-22" removal_milestone: "14.0" issue_url: 'https://gitlab.com/gitlab-org/gitlab/-/issues/300862' breaking_change: true body: | - In GitLab 14.0, we will update the [Auto Deploy](https://docs.gitlab.com/ee/topics/autodevops/stages.html#auto-deploy) CI template to the latest version. This includes new features, bug fixes, and performance improvements with a dependency on the v2 [auto-deploy-image](https://gitlab.com/gitlab-org/cluster-integration/auto-deploy-image). Auto Deploy CI template v1 will is deprecated going forward. + In GitLab 14.0, we will update the [Auto Deploy](https://docs.gitlab.com/ee/topics/autodevops/stages.html#auto-deploy) CI template to the latest version. This includes new features, bug fixes, and performance improvements with a dependency on the v2 [auto-deploy-image](https://gitlab.com/gitlab-org/cluster-integration/auto-deploy-image). Auto Deploy CI template v1 is deprecated going forward. Since the v1 and v2 versions are not backward-compatible, your project might encounter an unexpected failure if you already have a deployed application. Follow the [upgrade guide](https://docs.gitlab.com/ee/topics/autodevops/upgrading_auto_deploy_dependencies.html#upgrade-guide) to upgrade your environments. You can also start using the latest template today by following the [early adoption guide](https://docs.gitlab.com/ee/topics/autodevops/upgrading_auto_deploy_dependencies.html#early-adopters). diff --git a/data/removals/14_0/release_domainsource_configuration_for_gitlab_pages_deprecation.yml b/data/removals/14_0/release_domainsource_configuration_for_gitlab_pages_deprecation.yml index 766373e6b81..bb10ab8a2ab 100644 --- a/data/removals/14_0/release_domainsource_configuration_for_gitlab_pages_deprecation.yml +++ b/data/removals/14_0/release_domainsource_configuration_for_gitlab_pages_deprecation.yml @@ -1,4 +1,4 @@ -- name: "Remove disk source configuration for GitLab Pages" +- name: "Disk source configuration for GitLab Pages" reporter: kbychu removal_date: "2021-06-22" removal_milestone: "14.0" diff --git a/data/removals/14_0/release_legacy_feature_flags_deprecation.yml b/data/removals/14_0/release_legacy_feature_flags_deprecation.yml index 08813b98435..bf0075faa1e 100644 --- a/data/removals/14_0/release_legacy_feature_flags_deprecation.yml +++ b/data/removals/14_0/release_legacy_feature_flags_deprecation.yml @@ -1,4 +1,4 @@ -- name: "Legacy feature flags removed" +- name: "Legacy feature flags" reporter: kbychu removal_date: "2021-06-22" removal_milestone: "14.0" diff --git a/data/removals/14_0/release_remove_redundant_keyvalue_pair_from_the_payload_of_dora.yml b/data/removals/14_0/release_remove_redundant_keyvalue_pair_from_the_payload_of_dora.yml index acd8bb34f77..47c58bcb143 100644 --- a/data/removals/14_0/release_remove_redundant_keyvalue_pair_from_the_payload_of_dora.yml +++ b/data/removals/14_0/release_remove_redundant_keyvalue_pair_from_the_payload_of_dora.yml @@ -1,4 +1,4 @@ -- name: "Remove redundant timestamp field from DORA metrics API payload" +- name: "Redundant timestamp field from DORA metrics API payload" reporter: kbychu removal_date: "2021-06-22" removal_milestone: "14.0" diff --git a/data/removals/14_0/removal-geo-fdw-settings.yml b/data/removals/14_0/removal-geo-fdw-settings.yml index 4d950ae59bd..5997705bf30 100644 --- a/data/removals/14_0/removal-geo-fdw-settings.yml +++ b/data/removals/14_0/removal-geo-fdw-settings.yml @@ -1,4 +1,4 @@ -- name: "Geo Foreign Data Wrapper settings removed" +- name: "Geo Foreign Data Wrapper settings" removal_date: "2021-06-22" removal_milestone: "14.0" reporter: fzimmer diff --git a/data/removals/14_0/removal-graphql-fields.yml b/data/removals/14_0/removal-graphql-fields.yml index 67d911b24bf..71d277bd6fc 100644 --- a/data/removals/14_0/removal-graphql-fields.yml +++ b/data/removals/14_0/removal-graphql-fields.yml @@ -1,4 +1,4 @@ -- name: "Deprecated GraphQL fields have been removed" +- name: "Deprecated GraphQL fields" removal_date: "2021-06-22" removal_milestone: "14.0" reporter: gweaver diff --git a/data/removals/14_0/removal-legacy-storage.yml b/data/removals/14_0/removal-legacy-storage.yml index 5fabf8e268e..28b6ffeb0d1 100644 --- a/data/removals/14_0/removal-legacy-storage.yml +++ b/data/removals/14_0/removal-legacy-storage.yml @@ -1,4 +1,4 @@ -- name: "Legacy storage removed" +- name: "Legacy storage" removal_date: "2021-06-22" removal_milestone: "14.0" reporter: fzimmer diff --git a/data/removals/14_0/removal-sidekiq_experimental_queue_selector.yml b/data/removals/14_0/removal-sidekiq_experimental_queue_selector.yml index 000646c050a..9995e5a2b55 100644 --- a/data/removals/14_0/removal-sidekiq_experimental_queue_selector.yml +++ b/data/removals/14_0/removal-sidekiq_experimental_queue_selector.yml @@ -1,4 +1,4 @@ -- name: Sidekiq queue selector options no longer accept the 'experimental' prefix +- name: Experimental prefix in Sidekiq queue selector options removal_date: "2021-06-22" removal_milestone: "14.0" reporter: smcgivern diff --git a/data/removals/14_0/removal-unicorn.yml b/data/removals/14_0/removal-unicorn.yml index 8b8574b65e8..d5062aa0eea 100644 --- a/data/removals/14_0/removal-unicorn.yml +++ b/data/removals/14_0/removal-unicorn.yml @@ -1,4 +1,4 @@ -- name: "Unicorn removed in favor of Puma for GitLab self-managed" +- name: "Unicorn in GitLab self-managed" removal_date: "2021-06-22" removal_milestone: "14.0" reporter: fzimmer diff --git a/data/removals/14_0/removal_ci_project_config_path.yml b/data/removals/14_0/removal_ci_project_config_path.yml index ad40aa74bd6..64fe187c505 100644 --- a/data/removals/14_0/removal_ci_project_config_path.yml +++ b/data/removals/14_0/removal_ci_project_config_path.yml @@ -1,4 +1,4 @@ -- name: "`CI_PROJECT_CONFIG_PATH` variable has been removed" +- name: "`CI_PROJECT_CONFIG_PATH` variable" removal_date: "2021-06-22" removal_milestone: "14.0" reporter: stkerr diff --git a/data/removals/14_0/removal_repost_static_analysis_notices.yml b/data/removals/14_0/removal_repost_static_analysis_notices.yml index 87611a1ae72..1a2ae93a902 100644 --- a/data/removals/14_0/removal_repost_static_analysis_notices.yml +++ b/data/removals/14_0/removal_repost_static_analysis_notices.yml @@ -8,7 +8,7 @@ Until GitLab 13.9, if you wanted to avoid running one particular GitLab SAST analyzer, you needed to remove it from the [long string of analyzers in the `SAST.gitlab-ci.yml` file](https://gitlab.com/gitlab-org/gitlab/-/blob/390afc431e7ce1ac253b35beb39f19e49c746bff/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml#L12) and use that to set the [`SAST_DEFAULT_ANALYZERS`](https://docs.gitlab.com/ee/user/application_security/sast/#docker-images) variable in your project's CI file. If you did this, it would exclude you from future new analyzers because this string hard codes the list of analyzers to execute. We avoid this problem by inverting this variable's logic to exclude, rather than choose default analyzers. Beginning with 13.9, [we migrated](https://gitlab.com/gitlab-org/gitlab/-/blob/14fed7a33bfdbd4663d8928e46002a5ef3e3282c/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml#L13) to `SAST_EXCLUDED_ANALYZERS` in our `SAST.gitlab-ci.yml` file. We encourage anyone who uses a [customized SAST configuration](https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings) in their project CI file to migrate to this new variable. If you have not overridden `SAST_DEFAULT_ANALYZERS`, no action is needed. The CI/CD variable `SAST_DEFAULT_ANALYZERS` has been removed in GitLab 14.0, which released on June 22, 2021. -- name: "Remove `secret_detection_default_branch` job" +- name: "`secret_detection_default_branch` job" reporter: tmccaslin removal_date: "2021-06-22" removal_milestone: "14.0" @@ -18,8 +18,7 @@ To ensure Secret Detection was scanning both default branches and feature branches, we introduced two separate secret detection CI jobs (`secret_detection_default_branch` and `secret_detection`) in our managed [`Secret-Detection.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/Secret-Detection.gitlab-ci.yml) template. These two CI jobs created confusion and complexity in the CI rules logic. This deprecation moves the `rule` logic into the `script` section, which then determines how the `secret_detection` job is run (historic, on a branch, commits, etc). If you override or maintain custom versions of `SAST.gitlab-ci.yml` or `Secret-Detection.gitlab-ci.yml`, you must update your CI templates. We strongly encourage [inheriting and overriding our managed CI templates](https://docs.gitlab.com/ee/user/application_security/secret_detection/#custom-settings-example) to future-proof your CI templates. GitLab 14.0 no longer supports the old `secret_detection_default_branch` job. -- name: "Remove SAST analyzer `SAST_GOSEC_CONFIG` variable in favor of - custom rulesets" +- name: "SAST analyzer `SAST_GOSEC_CONFIG` variable" reporter: tmccaslin removal_date: "2021-06-22" removal_milestone: "14.0" @@ -29,7 +28,7 @@ With the release of [SAST Custom Rulesets](https://docs.gitlab.com/ee/user/application_security/sast/#customize-rulesets) in GitLab 13.5 we allow greater flexibility in configuration options for our Go analyzer (GoSec). As a result we no longer plan to support our less flexible [`SAST_GOSEC_CONFIG`](https://docs.gitlab.com/ee/user/application_security/sast/#analyzer-settings) analyzer setting. This variable was deprecated in GitLab 13.10. GitLab 14.0 removes the old `SAST_GOSEC_CONFIG variable`. If you use or override `SAST_GOSEC_CONFIG` in your CI file, update your SAST CI configuration or pin to an older version of the GoSec analyzer. We strongly encourage [inheriting and overriding our managed CI templates](https://docs.gitlab.com/ee/user/application_security/sast/#overriding-sast-jobs) to future-proof your CI templates. -- name: "Removed Global `SAST_ANALYZER_IMAGE_TAG` in SAST CI template" +- name: "Global `SAST_ANALYZER_IMAGE_TAG` in SAST CI template" reporter: tmccaslin removal_date: "2021-06-22" removal_milestone: "14.0" diff --git a/data/removals/14_0/removal_runner_25555.yml b/data/removals/14_0/removal_runner_25555.yml index 0007aa59b03..706614618ce 100644 --- a/data/removals/14_0/removal_runner_25555.yml +++ b/data/removals/14_0/removal_runner_25555.yml @@ -1,4 +1,4 @@ -- name: "Remove off peak time mode configuration for Docker Machine autoscaling" +- name: "Off peak time mode configuration for Docker Machine autoscaling" removal_date: "2021-06-22" removal_milestone: "14.0" reporter: deastman diff --git a/data/removals/14_0/removal_runner_26036.yml b/data/removals/14_0/removal_runner_26036.yml index 13260812492..5f391909a2d 100644 --- a/data/removals/14_0/removal_runner_26036.yml +++ b/data/removals/14_0/removal_runner_26036.yml @@ -1,4 +1,4 @@ -- name: "Remove Ubuntu 19.10 (Eoan Ermine) package" +- name: "Ubuntu 19.10 (Eoan Ermine) package" removal_date: "2021-06-22" removal_milestone: "14.0" reporter: deastman diff --git a/data/removals/14_0/removal_runner_6413.yml b/data/removals/14_0/removal_runner_6413.yml index c990b262c87..514cb254d8d 100644 --- a/data/removals/14_0/removal_runner_6413.yml +++ b/data/removals/14_0/removal_runner_6413.yml @@ -1,4 +1,4 @@ -- name: "Remove `FF_SHELL_EXECUTOR_USE_LEGACY_PROCESS_KILL` feature flag" +- name: "`FF_SHELL_EXECUTOR_USE_LEGACY_PROCESS_KILL` feature flag" removal_date: "2021-06-22" removal_milestone: "14.0" reporter: deastman diff --git a/data/removals/14_0/removals_runner_26651.yml b/data/removals/14_0/removals_runner_26651.yml index 19d3ac3bde6..8a35996c81a 100644 --- a/data/removals/14_0/removals_runner_26651.yml +++ b/data/removals/14_0/removals_runner_26651.yml @@ -1,4 +1,4 @@ -- name: "Remove `/usr/lib/gitlab-runner` symlink from package" +- name: "`/usr/lib/gitlab-runner` symlink from package" removal_date: "2021-06-22" removal_milestone: "14.0" reporter: deastman diff --git a/data/removals/14_0/removals_runner_26679.yml b/data/removals/14_0/removals_runner_26679.yml index 9c8ea23e750..e99a551a293 100644 --- a/data/removals/14_0/removals_runner_26679.yml +++ b/data/removals/14_0/removals_runner_26679.yml @@ -1,4 +1,4 @@ -- name: "Remove `FF_RESET_HELPER_IMAGE_ENTRYPOINT` feature flag" +- name: "`FF_RESET_HELPER_IMAGE_ENTRYPOINT` feature flag" removal_date: "2021-06-22" removal_milestone: "14.0" reporter: deastman diff --git a/data/removals/14_0/removals_runner_26900.yml b/data/removals/14_0/removals_runner_26900.yml index 4dc984be64a..addf11c86ad 100644 --- a/data/removals/14_0/removals_runner_26900.yml +++ b/data/removals/14_0/removals_runner_26900.yml @@ -1,4 +1,4 @@ -- name: "Remove success and failure for finished build metric conversion" +- name: "Success and failure for finished build metric conversion" removal_date: "2021-06-22" removal_milestone: "14.0" reporter: deastman diff --git a/data/removals/14_0/removals_runner_27175.yml b/data/removals/14_0/removals_runner_27175.yml index 758ea7fdd57..a31c4e757e7 100644 --- a/data/removals/14_0/removals_runner_27175.yml +++ b/data/removals/14_0/removals_runner_27175.yml @@ -1,4 +1,4 @@ -- name: "Remove `FF_USE_GO_CLOUD_WITH_CACHE_ARCHIVER` feature flag" +- name: "`FF_USE_GO_CLOUD_WITH_CACHE_ARCHIVER` feature flag" removal_date: "2021-06-22" removal_milestone: "14.0" reporter: deastman diff --git a/data/removals/14_0/removals_runner_27551.yml b/data/removals/14_0/removals_runner_27551.yml index a99b7eb0c73..43ecf3d72f6 100644 --- a/data/removals/14_0/removals_runner_27551.yml +++ b/data/removals/14_0/removals_runner_27551.yml @@ -1,4 +1,4 @@ -- name: "Remove support for Windows Server 1903 image" +- name: "Windows Server 1903 image support" removal_date: "2021-06-22" removal_milestone: "14.0" reporter: deastman diff --git a/data/removals/14_0/removals_runner_27899.yml b/data/removals/14_0/removals_runner_27899.yml index d4b01298e6b..468e04dc677 100644 --- a/data/removals/14_0/removals_runner_27899.yml +++ b/data/removals/14_0/removals_runner_27899.yml @@ -1,4 +1,4 @@ -- name: "Remove support for Windows Server 1909 image" +- name: "Windows Server 1909 image support" removal_date: "2021-06-22" removal_milestone: "14.0" reporter: deastman diff --git a/data/removals/14_0/remove-sql-elector.yml b/data/removals/14_0/remove-sql-elector.yml index c32a2d65728..6a306569d9f 100644 --- a/data/removals/14_0/remove-sql-elector.yml +++ b/data/removals/14_0/remove-sql-elector.yml @@ -1,4 +1,4 @@ -- name: "Gitaly Cluster SQL primary elector has been removed" +- name: "Gitaly Cluster SQL primary elector" removal_date: "2021-06-22" removal_milestone: "14.0" reporter: mjwood diff --git a/data/removals/14_0/remove_dast_legacy_domain_validation.yml b/data/removals/14_0/remove_dast_legacy_domain_validation.yml index 665433a75f6..39acc3e7188 100644 --- a/data/removals/14_0/remove_dast_legacy_domain_validation.yml +++ b/data/removals/14_0/remove_dast_legacy_domain_validation.yml @@ -1,4 +1,4 @@ -- name: "Remove legacy DAST domain validation" +- name: "Legacy DAST domain validation" removal_date: "2021-06-22" removal_milestone: "14.0" reporter: derekferguson diff --git a/data/removals/14_0/remove_dast_legacy_report_fields.yml b/data/removals/14_0/remove_dast_legacy_report_fields.yml index e5353abf7c5..e5fca1fa256 100644 --- a/data/removals/14_0/remove_dast_legacy_report_fields.yml +++ b/data/removals/14_0/remove_dast_legacy_report_fields.yml @@ -1,4 +1,4 @@ -- name: "Removal of legacy fields from DAST report" +- name: "Legacy fields from DAST report" removal_date: "2021-06-22" removal_milestone: "14.0" reporter: derekferguson diff --git a/data/removals/14_0/remove_dast_template_stages.yml b/data/removals/14_0/remove_dast_template_stages.yml index bdbbac6f029..0995e09c3ed 100644 --- a/data/removals/14_0/remove_dast_template_stages.yml +++ b/data/removals/14_0/remove_dast_template_stages.yml @@ -1,4 +1,4 @@ -- name: "Remove DAST default template stages" +- name: "DAST default template stages" removal_date: "2021-06-22" removal_milestone: "14.0" reporter: derekferguson diff --git a/data/removals/14_0/remove_optimize_api.yml b/data/removals/14_0/remove_optimize_api.yml index 1ab8e748f0c..a472e6a0d59 100644 --- a/data/removals/14_0/remove_optimize_api.yml +++ b/data/removals/14_0/remove_optimize_api.yml @@ -1,4 +1,4 @@ -- name: "Segments removed from DevOps Adoption API" +- name: "DevOps Adoption API Segments" removal_date: "2021-06-22" removal_milestone: "14.0" reporter: ljlane diff --git a/data/removals/14_0/verify-ci-removal-parametertrace.yml b/data/removals/14_0/verify-ci-removal-parametertrace.yml index 4fd1fa3d459..67d52827485 100644 --- a/data/removals/14_0/verify-ci-removal-parametertrace.yml +++ b/data/removals/14_0/verify-ci-removal-parametertrace.yml @@ -1,4 +1,4 @@ -- name: "Removal of deprecated `trace` parameter from `jobs` API endpoint" +- name: "`trace` parameter in `jobs` API" removal_date: "2021-06-22" removal_milestone: "14.0" reporter: jreporter diff --git a/data/removals/templates/example.yml b/data/removals/templates/example.yml index 8a8a4ee2d3d..0904c6a6d7a 100644 --- a/data/removals/templates/example.yml +++ b/data/removals/templates/example.yml @@ -9,7 +9,7 @@ # # Please delete this line and above before submitting your merge request. -- name: "Announcement headline" # The headline announcing the removal. i.e. "`CI_PROJECT_CONFIG_PATH` removed in Gitlab 14.0" +- name: "Feature name" # the name of the feature being removed. Avoid the words `deprecation`, `deprecate`, `removal`, and `remove` in this field because these are implied. announcement_milestone: "XX.YY" # The milestone when this feature was deprecated. announcement_date: "YYYY-MM-DD" # The date of the milestone release when this feature was deprecated. This should almost always be the 22nd of a month (YYYY-MM-DD), unless you did an out of band blog post. removal_milestone: "XX.YY" # The milestone when this feature is being removed. diff --git a/db/migrate/20220128081329_add_target_access_levels_to_broadcast_messages.rb b/db/migrate/20220128081329_add_target_access_levels_to_broadcast_messages.rb new file mode 100644 index 00000000000..5958895ede8 --- /dev/null +++ b/db/migrate/20220128081329_add_target_access_levels_to_broadcast_messages.rb @@ -0,0 +1,7 @@ +# frozen_string_literal: true + +class AddTargetAccessLevelsToBroadcastMessages < Gitlab::Database::Migration[1.0] + def change + add_column :broadcast_messages, :target_access_levels, :integer, array: true, null: false, default: [] + end +end diff --git a/db/post_migrate/20220213104531_create_indexes_on_integration_type_new.rb b/db/post_migrate/20220213104531_create_indexes_on_integration_type_new.rb new file mode 100644 index 00000000000..3a9f48dec44 --- /dev/null +++ b/db/post_migrate/20220213104531_create_indexes_on_integration_type_new.rb @@ -0,0 +1,60 @@ +# frozen_string_literal: true + +# Reproduce the indices on integrations.type on integrations.type_new +class CreateIndexesOnIntegrationTypeNew < Gitlab::Database::Migration[1.0] + disable_ddl_transaction! + + TABLE_NAME = :integrations + COLUMN = :type_new + + def indices + [ + { + name: "index_integrations_on_project_and_#{COLUMN}_where_inherit_null", + columns: [:project_id, COLUMN], + where: 'inherit_from_id IS NULL' + }, + { + name: "index_integrations_on_project_id_and_#{COLUMN}_unique", + columns: [:project_id, COLUMN], + unique: true + }, + { + name: "index_integrations_on_#{COLUMN}", + columns: [COLUMN] + }, + { + name: "index_integrations_on_#{COLUMN}_and_instance_partial", + columns: [COLUMN, :instance], + where: 'instance = true' + }, + { + name: "index_integrations_on_#{COLUMN}_and_template_partial", + columns: [COLUMN, :template], + where: 'template = true' + }, + { + # column names are limited to 63 characters, so this one is re-worded for clarity + name: "index_integrations_on_#{COLUMN}_id_when_active_and_has_project", + columns: [COLUMN, :id], + where: '((active = true) AND (project_id IS NOT NULL))' + }, + { + name: "index_integrations_on_unique_group_id_and_#{COLUMN}", + columns: [:group_id, COLUMN] + } + ] + end + + def up + indices.each do |index| + add_concurrent_index TABLE_NAME, index[:columns], index.except(:columns) + end + end + + def down + indices.each do |index| + remove_concurrent_index_by_name TABLE_NAME, index[:name] + end + end +end diff --git a/db/schema_migrations/20220128081329 b/db/schema_migrations/20220128081329 new file mode 100644 index 00000000000..765b4c3a519 --- /dev/null +++ b/db/schema_migrations/20220128081329 @@ -0,0 +1 @@ +6e273d5b92595ae6054b0665b4ff446fb2bed24ff1aab122537833dc8f4d9ab8 \ No newline at end of file diff --git a/db/schema_migrations/20220213104531 b/db/schema_migrations/20220213104531 new file mode 100644 index 00000000000..72656d85fb0 --- /dev/null +++ b/db/schema_migrations/20220213104531 @@ -0,0 +1 @@ +9ce8aa469b9469d25fbba52147e24c95f6242c2ab1e114df8baaf5a45268d2fd \ No newline at end of file diff --git a/db/structure.sql b/db/structure.sql index 407ff9bc389..04cd900b364 100644 --- a/db/structure.sql +++ b/db/structure.sql @@ -11364,7 +11364,8 @@ CREATE TABLE broadcast_messages ( cached_markdown_version integer, target_path character varying(255), broadcast_type smallint DEFAULT 1 NOT NULL, - dismissable boolean + dismissable boolean, + target_access_levels integer[] DEFAULT '{}'::integer[] NOT NULL ); CREATE SEQUENCE broadcast_messages_id_seq @@ -26665,8 +26666,12 @@ CREATE INDEX index_insights_on_project_id ON insights USING btree (project_id); CREATE INDEX index_integrations_on_inherit_from_id ON integrations USING btree (inherit_from_id); +CREATE INDEX index_integrations_on_project_and_type_new_where_inherit_null ON integrations USING btree (project_id, type_new) WHERE (inherit_from_id IS NULL); + CREATE INDEX index_integrations_on_project_and_type_where_inherit_null ON integrations USING btree (project_id, type) WHERE (inherit_from_id IS NULL); +CREATE UNIQUE INDEX index_integrations_on_project_id_and_type_new_unique ON integrations USING btree (project_id, type_new); + CREATE UNIQUE INDEX index_integrations_on_project_id_and_type_unique ON integrations USING btree (project_id, type); CREATE INDEX index_integrations_on_template ON integrations USING btree (template); @@ -26679,8 +26684,18 @@ CREATE UNIQUE INDEX index_integrations_on_type_and_template_partial ON integrati CREATE INDEX index_integrations_on_type_id_when_active_and_project_id_not_nu ON integrations USING btree (type, id) WHERE ((active = true) AND (project_id IS NOT NULL)); +CREATE INDEX index_integrations_on_type_new ON integrations USING btree (type_new); + +CREATE INDEX index_integrations_on_type_new_and_instance_partial ON integrations USING btree (type_new, instance) WHERE (instance = true); + +CREATE INDEX index_integrations_on_type_new_and_template_partial ON integrations USING btree (type_new, template) WHERE (template = true); + +CREATE INDEX index_integrations_on_type_new_id_when_active_and_has_project ON integrations USING btree (type_new, id) WHERE ((active = true) AND (project_id IS NOT NULL)); + CREATE UNIQUE INDEX index_integrations_on_unique_group_id_and_type ON integrations USING btree (group_id, type); +CREATE INDEX index_integrations_on_unique_group_id_and_type_new ON integrations USING btree (group_id, type_new); + CREATE INDEX index_internal_ids_on_namespace_id ON internal_ids USING btree (namespace_id); CREATE INDEX index_internal_ids_on_project_id ON internal_ids USING btree (project_id); diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md index e87838daf4c..10c0e55b947 100644 --- a/doc/update/deprecations.md +++ b/doc/update/deprecations.md @@ -727,6 +727,18 @@ The `merged_by` field in the [merge request API](https://docs.gitlab.com/ee/api/ ## 14.8 +### Changes to the `CI_JOB_JWT` + +WARNING: +This feature will be changed or removed in 15.0 +as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). +Before updating GitLab, review the details carefully to determine if you need to make any +changes to your code, settings, or workflow. + +The `CI_JOB_JWT` will be updated to support a wider variety of cloud providers. It will be changed to match [`CI_JOB_JWT_V2`](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html), but this change may not be backwards compatible for all users, including Hashicorp Vault users. To maintain the current behavior, users can switch to using `CI_JOB_JWT_V1`, or update their configuration in GitLab 15.0 to use the improved `CI_JOB_JWT`. + +**Planned removal milestone: 15.0 ()** + ### Configurable Gitaly `per_repository` election strategy Configuring the `per_repository` Gitaly election strategy is [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/352612). @@ -1247,6 +1259,32 @@ For further details, see [the deprecation issue for this change](https://gitlab. **Planned removal milestone: 15.0 (2022-05-22)** +### Secure and Protect analyzer images published in new location + +WARNING: +This feature will be changed or removed in 15.0 +as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). +Before updating GitLab, review the details carefully to determine if you need to make any +changes to your code, settings, or workflow. + +GitLab uses various [analyzers](https://docs.gitlab.com/ee/user/application_security/terminology/#analyzer) to [scan for security vulnerabilities](https://docs.gitlab.com/ee/user/application_security/). +Each analyzer is distributed as a container image. + +Starting in GitLab 14.8, new versions of GitLab Secure and Protect analyzers are published to a new registry location under `registry.gitlab.com/security-products`. + +We will update the default value of [GitLab-managed CI/CD templates](https://gitlab.com/gitlab-org/gitlab/-/tree/master/lib/gitlab/ci/templates/Security) to reflect this change: + +- For all analyzers except Container Scanning, we will update the variable `SECURE_ANALYZERS_PREFIX` to the new image registry location. +- For Container Scanning, the default image address is already updated. There is no `SECURE_ANALYZERS_PREFIX` variable for Container Scanning. + +In a future release, we will stop publishing images to `registry.gitlab.com/gitlab-org/security-products/analyzers`. +Once this happens, you must take action if you manually pull images and push them into a separate registry. This is commonly the case for [offline deployments](https://docs.gitlab.com/ee/user/application_security/offline_deployments/index.html). +Otherwise, you won't receive further updates. + +See the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/352564) for more details. + +**Planned removal milestone: 15.0 (2022-05-22)** + ### Support for gRPC-aware proxy deployed between Gitaly and rest of GitLab WARNING: @@ -1305,6 +1343,18 @@ The new security approvals feature is similar to vulnerability check. For exampl **Planned removal milestone: 15.0 (2022-05-22)** +### `CI_BUILD_*` predefined variables + +WARNING: +This feature will be changed or removed in 15.0 +as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). +Before updating GitLab, review the details carefully to determine if you need to make any +changes to your code, settings, or workflow. + +The predefined CI/CD variables that start with `CI_BUILD_*` were deprecated in GitLab 9.0, and will be removed in GitLab 15.0. If you still use these variables, be sure to change to the current [`CI_JOB_*` predefined variables](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html) which are identical (except for the updated name). + +**Planned removal milestone: 15.0 (2022-05-22)** + ### `fixup!` commit messages setting draft status of associated Merge Request The use of `fixup!` as a commit message to trigger draft status diff --git a/doc/update/removals.md b/doc/update/removals.md index 15acc2c189d..9a28adf1f96 100644 --- a/doc/update/removals.md +++ b/doc/update/removals.md @@ -30,6 +30,18 @@ For removal reviewers (Technical Writers only): ## 14.0 +### Auto Deploy CI template v1 + +WARNING: +This feature was changed or removed in 14.0 +as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). +Before updating GitLab, review the details carefully to determine if you need to make any +changes to your code, settings, or workflow. + +In GitLab 14.0, we will update the [Auto Deploy](https://docs.gitlab.com/ee/topics/autodevops/stages.html#auto-deploy) CI template to the latest version. This includes new features, bug fixes, and performance improvements with a dependency on the v2 [auto-deploy-image](https://gitlab.com/gitlab-org/cluster-integration/auto-deploy-image). Auto Deploy CI template v1 is deprecated going forward. + +Since the v1 and v2 versions are not backward-compatible, your project might encounter an unexpected failure if you already have a deployed application. Follow the [upgrade guide](https://docs.gitlab.com/ee/topics/autodevops/upgrading_auto_deploy_dependencies.html#upgrade-guide) to upgrade your environments. You can also start using the latest template today by following the [early adoption guide](https://docs.gitlab.com/ee/topics/autodevops/upgrading_auto_deploy_dependencies.html#early-adopters). + ### Breaking changes to Terraform CI template WARNING: @@ -64,6 +76,16 @@ changes to your code, settings, or workflow. Clair, the default container scanning engine, was deprecated in GitLab 13.9 and is removed from GitLab 14.0 and replaced by Trivy. We advise customers who are customizing variables for their container scanning job to [follow these instructions](https://docs.gitlab.com/ee/user/application_security/container_scanning/#change-scanners) to ensure that their container scanning jobs continue to work. +### DAST default template stages + +WARNING: +This feature was changed or removed in 14.0 +as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). +Before updating GitLab, review the details carefully to determine if you need to make any +changes to your code, settings, or workflow. + +In GitLab 14.0, we've removed the stages defined in the current `DAST.gitlab-ci.yml` template to avoid the situation where the template overrides manual changes made by DAST users. We're making this change in response to customer issues where the stages in the template cause problems when used with customized DAST configurations. Because of this removal, `gitlab-ci.yml` configurations that do not specify a `dast` stage must be updated to include this stage. + ### DAST environment variable renaming and removal WARNING: @@ -119,7 +141,21 @@ GitLab has already introduced changes that allow you to change the default branc For more information, check out our [blog post](https://about.gitlab.com/blog/2021/03/10/new-git-default-branch-name/). -### Deprecated GraphQL fields have been removed +### Dependency Scanning + +WARNING: +This feature was changed or removed in 14.0 +as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). +Before updating GitLab, review the details carefully to determine if you need to make any +changes to your code, settings, or workflow. + +As mentioned in [13.9](https://about.gitlab.com/releases/2021/02/22/gitlab-13-9-released/#deprecations-for-dependency-scanning) and [this blog post](https://about.gitlab.com/blog/2021/02/08/composition-analysis-14-deprecations-and-removals/) several removals for Dependency Scanning take effect. + +Previously, to exclude a DS analyzer, you needed to remove it from the default list of analyzers, and use that to set the `DS_DEFAULT_ANALYZERS` variable in your project’s CI template. We determined it should be easier to avoid running a particular analyzer without losing the benefit of newly added analyzers. As a result, we ask you to migrate from `DS_DEFAULT_ANALYZERS` to `DS_EXCLUDED_ANALYZERS` when it is available. Read about it in [issue #287691](https://gitlab.com/gitlab-org/gitlab/-/issues/287691). + +Previously, to prevent the Gemnasium analyzers to fetch the advisory database at runtime, you needed to set the `GEMNASIUM_DB_UPDATE` variable. However, this is not documented properly, and its naming is inconsistent with the equivalent `BUNDLER_AUDIT_UPDATE_DISABLED` variable. As a result, we ask you to migrate from `GEMNASIUM_DB_UPDATE` to `GEMNASIUM_UPDATE_DISABLED` when it is available. Read about it in [issue #215483](https://gitlab.com/gitlab-org/gitlab/-/issues/215483). + +### Deprecated GraphQL fields WARNING: This feature was changed or removed in 14.0 @@ -136,7 +172,7 @@ In accordance with our [GraphQL deprecation and removal process](https://docs.gi - `DeprecatedMutations (concern**)` - `AddAwardEmoji`, `RemoveAwardEmoji`, `ToggleAwardEmoji` - `EE::Types::DeprecatedMutations (concern***)` - `Mutations::Pipelines::RunDastScan`, `Mutations::Vulnerabilities::Dismiss`, `Mutations::Vulnerabilities::RevertToDetected` -### Deprecations for Dependency Scanning +### DevOps Adoption API Segments WARNING: This feature was changed or removed in 14.0 @@ -144,11 +180,29 @@ as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#brea Before updating GitLab, review the details carefully to determine if you need to make any changes to your code, settings, or workflow. -As mentioned in [13.9](https://about.gitlab.com/releases/2021/02/22/gitlab-13-9-released/#deprecations-for-dependency-scanning) and [this blog post](https://about.gitlab.com/blog/2021/02/08/composition-analysis-14-deprecations-and-removals/) several removals for Dependency Scanning take effect. +The first release of the DevOps Adoption report had a concept of **Segments**. Segments were [quickly removed from the report](https://gitlab.com/groups/gitlab-org/-/epics/5251) because they introduced an additional layer of complexity on top of **Groups** and **Projects**. Subsequent iterations of the DevOps Adoption report focus on comparing adoption across groups rather than segments. GitLab 14.0 removes all references to **Segments** [from the GraphQL API](https://gitlab.com/gitlab-org/gitlab/-/issues/324414) and replaces them with **Enabled groups**. -Previously, to exclude a DS analyzer, you needed to remove it from the default list of analyzers, and use that to set the `DS_DEFAULT_ANALYZERS` variable in your project’s CI template. We determined it should be easier to avoid running a particular analyzer without losing the benefit of newly added analyzers. As a result, we ask you to migrate from `DS_DEFAULT_ANALYZERS` to `DS_EXCLUDED_ANALYZERS` when it is available. Read about it in [issue #287691](https://gitlab.com/gitlab-org/gitlab/-/issues/287691). +### Disk source configuration for GitLab Pages -Previously, to prevent the Gemnasium analyzers to fetch the advisory database at runtime, you needed to set the `GEMNASIUM_DB_UPDATE` variable. However, this is not documented properly, and its naming is inconsistent with the equivalent `BUNDLER_AUDIT_UPDATE_DISABLED` variable. As a result, we ask you to migrate from `GEMNASIUM_DB_UPDATE` to `GEMNASIUM_UPDATE_DISABLED` when it is available. Read about it in [issue #215483](https://gitlab.com/gitlab-org/gitlab/-/issues/215483). +WARNING: +This feature was changed or removed in 14.0 +as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). +Before updating GitLab, review the details carefully to determine if you need to make any +changes to your code, settings, or workflow. + +GitLab Pages [API-based configuration](https://docs.gitlab.com/ee/administration/pages/#gitlab-api-based-configuration) has been available since GitLab 13.0. It replaces the unsupported `disk` source configuration removed in GitLab 14.0, which can no longer be chosen. You should stop using `disk` source configuration, and move to `gitlab` for an API-based configuration. To migrate away from the 'disk' source configuration, set `gitlab_pages['domain_config_source'] = "gitlab"` in your `/etc/gitlab/gitlab.rb` file. We recommend you migrate before updating to GitLab 14.0, to identify and troubleshoot any potential problems before upgrading. + +### Experimental prefix in Sidekiq queue selector options + +WARNING: +This feature was changed or removed in 14.0 +as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). +Before updating GitLab, review the details carefully to determine if you need to make any +changes to your code, settings, or workflow. + +GitLab supports a [queue selector](https://docs.gitlab.com/ee/administration/operations/extra_sidekiq_processes.html#queue-selector) to run only a subset of background jobs for a given process. When it was introduced, this option had an 'experimental' prefix (`experimental_queue_selector` in Omnibus, `experimentalQueueSelector` in Helm charts). + +As announced in the [13.6 release post](https://about.gitlab.com/releases/2020/11/22/gitlab-13-6-released/#sidekiq-cluster-queue-selector-configuration-option-has-been-renamed), the 'experimental' prefix is no longer supported. Instead, `queue_selector` for Omnibus and `queueSelector` in Helm charts should be used. ### External Pipeline Validation Service Code Changes @@ -160,7 +214,7 @@ changes to your code, settings, or workflow. For self-managed instances using the experimental [external pipeline validation service](https://docs.gitlab.com/ee/administration/external_pipeline_validation.html), the range of error codes GitLab accepts will be reduced. Currently, pipelines are invalidated when the validation service returns a response code from `400` to `499`. In GitLab 14.0 and later, pipelines will be invalidated for the `406: Not Accepted` response code only. -### Geo Foreign Data Wrapper settings removed +### Geo Foreign Data Wrapper settings WARNING: This feature was changed or removed in 14.0 @@ -207,7 +261,7 @@ changes to your code, settings, or workflow. In GitLab Runner 14.0, the installation process will ignore the `skel` directory by default when creating the user home directory. Refer to [issue #4845](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4845) for details. -### Gitaly Cluster SQL primary elector has been removed +### Gitaly Cluster SQL primary elector WARNING: This feature was changed or removed in 14.0 @@ -220,6 +274,30 @@ The `per_repository` election strategy is the new default, which is automaticall If you had configured the `sql` election strategy, you must follow the [migration instructions](https://docs.gitlab.com/ee/administration/gitaly/praefect.html#migrate-to-repository-specific-primary-gitaly-nodes) before upgrading to 14.0. +### Global `SAST_ANALYZER_IMAGE_TAG` in SAST CI template + +WARNING: +This feature was changed or removed in 14.0 +as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). +Before updating GitLab, review the details carefully to determine if you need to make any +changes to your code, settings, or workflow. + +With the maturity of GitLab Secure scanning tools, we've needed to add more granularity to our release process. Previously, GitLab shared a major version number for [all analyzers and tools](https://docs.gitlab.com/ee/user/application_security/sast/#supported-languages-and-frameworks). This requires all tools to share a major version, and prevents the use of [semantic version numbering](https://semver.org/). In GitLab 14.0, SAST removes the `SAST_ANALYZER_IMAGE_TAG` global variable in our [managed `SAST.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml) CI template, in favor of the analyzer job variable setting the `major.minor` tag in the SAST vendored template. + +Each analyzer job now has a scoped `SAST_ANALYZER_IMAGE_TAG` variable, which will be actively managed by GitLab and set to the `major` tag for the respective analyzer. To pin to a specific version, [change the variable value to the specific version tag](https://docs.gitlab.com/ee/user/application_security/sast/#pinning-to-minor-image-version). +If you override or maintain custom versions of `SAST.gitlab-ci.yml`, update your CI templates to stop referencing the global `SAST_ANALYZER_IMAGE_TAG`, and move it to a scoped analyzer job tag. We strongly encourage [inheriting and overriding our managed CI templates](https://docs.gitlab.com/ee/user/application_security/sast/#overriding-sast-jobs) to future-proof your CI templates. This change allows you to more granularly control future analyzer updates with a pinned `major.minor` version. +This deprecation and removal changes our [previously announced plan](https://about.gitlab.com/releases/2021/02/22/gitlab-13-9-released/#pin-static-analysis-analyzers-and-tools-to-minor-versions) to pin the Static Analysis tools. + +### Hardcoded `master` in CI/CD templates + +WARNING: +This feature was changed or removed in 14.0 +as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). +Before updating GitLab, review the details carefully to determine if you need to make any +changes to your code, settings, or workflow. + +Our CI/CD templates have been updated to no longer use hard-coded references to a `master` branch. In 14.0, they all use a variable that points to your project's configured default branch instead. If your CI/CD pipeline relies on our built-in templates, verify that this change works with your current configuration. For example, if you have a `master` branch and a different default branch, the updates to the templates may cause changes to your pipeline behavior. For more information, [read the issue](https://gitlab.com/gitlab-org/gitlab/-/issues/324131). + ### Helm v2 support WARNING: @@ -232,7 +310,19 @@ Helm v2 was [officially deprecated](https://helm.sh/blog/helm-v2-deprecation-tim Users of the chart should [upgrade to Helm v3](https://helm.sh/docs/topics/v2_v3_migration/) to deploy GitLab 14.0 and later. -### Legacy feature flags removed +### Legacy DAST domain validation + +WARNING: +This feature was changed or removed in 14.0 +as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). +Before updating GitLab, review the details carefully to determine if you need to make any +changes to your code, settings, or workflow. + +The legacy method of DAST Domain Validation for CI/CD scans was deprecated in GitLab 13.8, and is removed in GitLab 14.0. This method of domain validation only disallows scans if the `DAST_FULL_SCAN_DOMAIN_VALIDATION_REQUIRED` environment variable is set to `true` in the `gitlab-ci.yml` file, and a `Gitlab-DAST-Permission` header on the site is not set to `allow`. This two-step method required users to opt in to using the variable before they could opt out from using the header. + +For more information, see the [removal issue](https://gitlab.com/gitlab-org/gitlab/-/issues/293595). + +### Legacy feature flags WARNING: This feature was changed or removed in 14.0 @@ -242,7 +332,19 @@ changes to your code, settings, or workflow. Legacy feature flags became read-only in GitLab 13.4. GitLab 14.0 removes support for legacy feature flags, so you must migrate them to the [new version](https://docs.gitlab.com/ee/operations/feature_flags.html). You can do this by first taking a note (screenshot) of the legacy flag, then deleting the flag through the API or UI (you don't need to alter the code), and finally create a new Feature Flag with the same name as the legacy flag you deleted. Also, make sure the strategies and environments match the deleted flag. We created a [video tutorial](https://www.youtube.com/watch?v=CAJY2IGep7Y) to help with this migration. -### Legacy storage removed +### Legacy fields from DAST report + +WARNING: +This feature was changed or removed in 14.0 +as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). +Before updating GitLab, review the details carefully to determine if you need to make any +changes to your code, settings, or workflow. + +As a part of the migration to a common report format for all of the Secure scanners in GitLab, DAST is making changes to the DAST JSON report. Certain legacy fields were deprecated in 13.8 and have been completely removed in 14.0. These fields are `@generated`, `@version`, `site`, and `spider`. This should not affect any normal DAST operation, but does affect users who consume the JSON report in an automated way and use these fields. Anyone affected by these changes, and needs these fields for business reasons, is encouraged to open a new GitLab issue and explain the need. + +For more information, see [the removal issue](https://gitlab.com/gitlab-org/gitlab/-/issues/33915). + +### Legacy storage WARNING: This feature was changed or removed in 14.0 @@ -252,6 +354,16 @@ changes to your code, settings, or workflow. As [announced in GitLab 13.0](https://about.gitlab.com/releases/2020/05/22/gitlab-13-0-released/#planned-removal-of-legacy-storage-in-14.0), [legacy storage](https://docs.gitlab.com/ee/administration/repository_storage_types.html#legacy-storage) has been removed in GitLab 14.0. +### License Compliance + +WARNING: +This feature was changed or removed in 14.0 +as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). +Before updating GitLab, review the details carefully to determine if you need to make any +changes to your code, settings, or workflow. + +In 13.0, we deprecated the License-Management CI template and renamed it License-Scanning. We have been providing backward compatibility by warning users of the old template to switch. Now in 14.0, we are completely removing the License-Management CI template. Read about it in [issue #216261](https://gitlab.com/gitlab-org/gitlab/-/issues/216261) or [this blog post](https://about.gitlab.com/blog/2021/02/08/composition-analysis-14-deprecations-and-removals/). + ### Limit projects returned in `GET /groups/:id/` WARNING: @@ -283,7 +395,7 @@ changes to your code, settings, or workflow. Until GitLab 13.9, if you wanted to avoid running one particular GitLab SAST analyzer, you needed to remove it from the [long string of analyzers in the `SAST.gitlab-ci.yml` file](https://gitlab.com/gitlab-org/gitlab/-/blob/390afc431e7ce1ac253b35beb39f19e49c746bff/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml#L12) and use that to set the [`SAST_DEFAULT_ANALYZERS`](https://docs.gitlab.com/ee/user/application_security/sast/#docker-images) variable in your project's CI file. If you did this, it would exclude you from future new analyzers because this string hard codes the list of analyzers to execute. We avoid this problem by inverting this variable's logic to exclude, rather than choose default analyzers. Beginning with 13.9, [we migrated](https://gitlab.com/gitlab-org/gitlab/-/blob/14fed7a33bfdbd4663d8928e46002a5ef3e3282c/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml#L13) to `SAST_EXCLUDED_ANALYZERS` in our `SAST.gitlab-ci.yml` file. We encourage anyone who uses a [customized SAST configuration](https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings) in their project CI file to migrate to this new variable. If you have not overridden `SAST_DEFAULT_ANALYZERS`, no action is needed. The CI/CD variable `SAST_DEFAULT_ANALYZERS` has been removed in GitLab 14.0, which released on June 22, 2021. -### New Terraform template version +### Off peak time mode configuration for Docker Machine autoscaling WARNING: This feature was changed or removed in 14.0 @@ -291,18 +403,7 @@ as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#brea Before updating GitLab, review the details carefully to determine if you need to make any changes to your code, settings, or workflow. -As we continuously [develop GitLab's Terraform integrations](https://gitlab.com/gitlab-org/gitlab/-/issues/325312), to minimize customer disruption, we maintain two GitLab CI/CD templates for Terraform: - -- The ["latest version" template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform.latest.gitlab-ci.yml), which is updated frequently between minor releases of GitLab (such as 13.10, 13.11, etc). -- The ["major version" template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform.gitlab-ci.yml), which is updated only at major releases (such as 13.0, 14.0, etc). - -At every major release of GitLab, the "latest version" template becomes the "major version" template, inheriting the "latest template" setup. -As we have added many new features to the Terraform integration, the new setup for the "major version" template can be considered a breaking change. - -The latest template supports the [Terraform Merge Request widget](https://docs.gitlab.com/ee/user/infrastructure/mr_integration.html) and -doesn't need additional setup to work with the [GitLab managed Terraform state](https://docs.gitlab.com/ee/user/infrastructure/terraform_state.html). - -To check the new changes, see the [new "major version" template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform.gitlab-ci.yml). +In GitLab Runner 13.0, [issue #5069](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/5069), we introduced new timing options for the GitLab Docker Machine executor. In GitLab Runner 14.0, we have removed the old configuration option, [off peak time mode](https://docs.gitlab.com/runner/configuration/autoscale.html#off-peak-time-mode-configuration-deprecated). ### OpenSUSE Leap 15.1 @@ -326,173 +427,7 @@ PostgreSQL 12 will be the minimum required version in GitLab 14.0. It offers [si Starting in GitLab 13.7, all new installations default to version 12. From GitLab 13.8, single-node instances are automatically upgraded as well. If you aren't ready to upgrade, you can [opt out of automatic upgrades](https://docs.gitlab.com/omnibus/settings/database.html#opt-out-of-automatic-postgresql-upgrades). -### Removal of deprecated `trace` parameter from `jobs` API endpoint - -WARNING: -This feature was changed or removed in 14.0 -as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). -Before updating GitLab, review the details carefully to determine if you need to make any -changes to your code, settings, or workflow. - -GitLab Runner was updated in GitLab 13.4 to internally stop passing the `trace` parameter to the `/api/jobs/:id` endpoint. GitLab 14.0 deprecates the `trace` parameter entirely for all other requests of this endpoint. Make sure your [GitLab Runner version matches your GitLab version](https://docs.gitlab.com/runner/#gitlab-runner-versions) to ensure consistent behavior. - -### Removal of legacy fields from DAST report - -WARNING: -This feature was changed or removed in 14.0 -as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). -Before updating GitLab, review the details carefully to determine if you need to make any -changes to your code, settings, or workflow. - -As a part of the migration to a common report format for all of the Secure scanners in GitLab, DAST is making changes to the DAST JSON report. Certain legacy fields were deprecated in 13.8 and have been completely removed in 14.0. These fields are `@generated`, `@version`, `site`, and `spider`. This should not affect any normal DAST operation, but does affect users who consume the JSON report in an automated way and use these fields. Anyone affected by these changes, and needs these fields for business reasons, is encouraged to open a new GitLab issue and explain the need. - -For more information, see [the removal issue](https://gitlab.com/gitlab-org/gitlab/-/issues/33915). - -### Removal of release description in the Tags API - -WARNING: -This feature was changed or removed in 14.0 -as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). -Before updating GitLab, review the details carefully to determine if you need to make any -changes to your code, settings, or workflow. - -GitLab 14.0 removes support for the release description in the Tags API. You can no longer add a release description when [creating a new tag](https://docs.gitlab.com/ee/api/tags.html#create-a-new-tag). You also can no longer [create](https://docs.gitlab.com/ee/api/tags.html#create-a-new-release) or [update](https://docs.gitlab.com/ee/api/tags.html#update-a-release) a release through the Tags API. Please migrate to use the [Releases API](https://docs.gitlab.com/ee/api/releases/#create-a-release) instead. - -### Removals for License Compliance - -WARNING: -This feature was changed or removed in 14.0 -as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). -Before updating GitLab, review the details carefully to determine if you need to make any -changes to your code, settings, or workflow. - -In 13.0, we deprecated the License-Management CI template and renamed it License-Scanning. We have been providing backward compatibility by warning users of the old template to switch. Now in 14.0, we are completely removing the License-Management CI template. Read about it in [issue #216261](https://gitlab.com/gitlab-org/gitlab/-/issues/216261) or [this blog post](https://about.gitlab.com/blog/2021/02/08/composition-analysis-14-deprecations-and-removals/). - -### Remove DAST default template stages - -WARNING: -This feature was changed or removed in 14.0 -as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). -Before updating GitLab, review the details carefully to determine if you need to make any -changes to your code, settings, or workflow. - -In GitLab 14.0, we've removed the stages defined in the current `DAST.gitlab-ci.yml` template to avoid the situation where the template overrides manual changes made by DAST users. We're making this change in response to customer issues where the stages in the template cause problems when used with customized DAST configurations. Because of this removal, `gitlab-ci.yml` configurations that do not specify a `dast` stage must be updated to include this stage. - -### Remove SAST analyzer `SAST_GOSEC_CONFIG` variable in favor of custom rulesets - -WARNING: -This feature was changed or removed in 14.0 -as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). -Before updating GitLab, review the details carefully to determine if you need to make any -changes to your code, settings, or workflow. - -With the release of [SAST Custom Rulesets](https://docs.gitlab.com/ee/user/application_security/sast/#customize-rulesets) in GitLab 13.5 we allow greater flexibility in configuration options for our Go analyzer (GoSec). As a result we no longer plan to support our less flexible [`SAST_GOSEC_CONFIG`](https://docs.gitlab.com/ee/user/application_security/sast/#analyzer-settings) analyzer setting. This variable was deprecated in GitLab 13.10. -GitLab 14.0 removes the old `SAST_GOSEC_CONFIG variable`. If you use or override `SAST_GOSEC_CONFIG` in your CI file, update your SAST CI configuration or pin to an older version of the GoSec analyzer. We strongly encourage [inheriting and overriding our managed CI templates](https://docs.gitlab.com/ee/user/application_security/sast/#overriding-sast-jobs) to future-proof your CI templates. - -### Remove Ubuntu 19.10 (Eoan Ermine) package - -WARNING: -This feature was changed or removed in 14.0 -as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). -Before updating GitLab, review the details carefully to determine if you need to make any -changes to your code, settings, or workflow. - -Ubuntu 19.10 (Eoan Ermine) reached end of life on Friday, July 17, 2020. In GitLab Runner 14.0, Ubuntu 19.10 (Eoan Ermine) is no longer available from our package distribution. Refer to [issue #26036](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/26036) for details. - -### Remove `/usr/lib/gitlab-runner` symlink from package - -WARNING: -This feature was changed or removed in 14.0 -as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). -Before updating GitLab, review the details carefully to determine if you need to make any -changes to your code, settings, or workflow. - -In GitLab Runner 13.3, a symlink was added from `/user/lib/gitlab-runner/gitlab-runner` to `/usr/bin/gitlab-runner`. In 14.0, the symlink has been removed and the runner is now installed in `/usr/bin/gitlab-runner`. Refer to [issue #26651](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/26651) for details. - -### Remove `?w=1` URL parameter to ignore whitespace changes - -WARNING: -This feature was changed or removed in 14.0 -as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). -Before updating GitLab, review the details carefully to determine if you need to make any -changes to your code, settings, or workflow. - -To create a consistent experience for users based on their preferences, support for toggling whitespace changes via URL parameter has been removed in GitLab 14.0. - -### Remove `FF_RESET_HELPER_IMAGE_ENTRYPOINT` feature flag - -WARNING: -This feature was changed or removed in 14.0 -as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). -Before updating GitLab, review the details carefully to determine if you need to make any -changes to your code, settings, or workflow. - -In 14.0, we have deactivated the `FF_RESET_HELPER_IMAGE_ENTRYPOINT` feature flag. Refer to issue [#26679](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/26679) for details. - -### Remove `FF_SHELL_EXECUTOR_USE_LEGACY_PROCESS_KILL` feature flag - -WARNING: -This feature was changed or removed in 14.0 -as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). -Before updating GitLab, review the details carefully to determine if you need to make any -changes to your code, settings, or workflow. - -In [GitLab Runner 13.1](https://docs.gitlab.com/runner/executors/shell.html#gitlab-131-and-later), [issue #3376](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/3376), we introduced `sigterm` and then `sigkill` to a process in the Shell executor. We also introduced a new feature flag, `FF_SHELL_EXECUTOR_USE_LEGACY_PROCESS_KILL`, so you can use the previous process termination sequence. In GitLab Runner 14.0, [issue #6413](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/6413), the feature flag has been removed. - -### Remove `FF_USE_GO_CLOUD_WITH_CACHE_ARCHIVER` feature flag - -WARNING: -This feature was changed or removed in 14.0 -as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). -Before updating GitLab, review the details carefully to determine if you need to make any -changes to your code, settings, or workflow. - -GitLab Runner 14.0 removes the `FF_USE_GO_CLOUD_WITH_CACHE_ARCHIVER` feature flag. Refer to [issue #27175](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27175) for details. - -### Remove `secret_detection_default_branch` job - -WARNING: -This feature was changed or removed in 14.0 -as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). -Before updating GitLab, review the details carefully to determine if you need to make any -changes to your code, settings, or workflow. - -To ensure Secret Detection was scanning both default branches and feature branches, we introduced two separate secret detection CI jobs (`secret_detection_default_branch` and `secret_detection`) in our managed [`Secret-Detection.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/Secret-Detection.gitlab-ci.yml) template. These two CI jobs created confusion and complexity in the CI rules logic. This deprecation moves the `rule` logic into the `script` section, which then determines how the `secret_detection` job is run (historic, on a branch, commits, etc). -If you override or maintain custom versions of `SAST.gitlab-ci.yml` or `Secret-Detection.gitlab-ci.yml`, you must update your CI templates. We strongly encourage [inheriting and overriding our managed CI templates](https://docs.gitlab.com/ee/user/application_security/secret_detection/#custom-settings-example) to future-proof your CI templates. GitLab 14.0 no longer supports the old `secret_detection_default_branch` job. - -### Remove disk source configuration for GitLab Pages - -WARNING: -This feature was changed or removed in 14.0 -as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). -Before updating GitLab, review the details carefully to determine if you need to make any -changes to your code, settings, or workflow. - -GitLab Pages [API-based configuration](https://docs.gitlab.com/ee/administration/pages/#gitlab-api-based-configuration) has been available since GitLab 13.0. It replaces the unsupported `disk` source configuration removed in GitLab 14.0, which can no longer be chosen. You should stop using `disk` source configuration, and move to `gitlab` for an API-based configuration. To migrate away from the 'disk' source configuration, set `gitlab_pages['domain_config_source'] = "gitlab"` in your `/etc/gitlab/gitlab.rb` file. We recommend you migrate before updating to GitLab 14.0, to identify and troubleshoot any potential problems before upgrading. - -### Remove legacy DAST domain validation - -WARNING: -This feature was changed or removed in 14.0 -as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). -Before updating GitLab, review the details carefully to determine if you need to make any -changes to your code, settings, or workflow. - -The legacy method of DAST Domain Validation for CI/CD scans was deprecated in GitLab 13.8, and is removed in GitLab 14.0. This method of domain validation only disallows scans if the `DAST_FULL_SCAN_DOMAIN_VALIDATION_REQUIRED` environment variable is set to `true` in the `gitlab-ci.yml` file, and a `Gitlab-DAST-Permission` header on the site is not set to `allow`. This two-step method required users to opt in to using the variable before they could opt out from using the header. - -For more information, see the [removal issue](https://gitlab.com/gitlab-org/gitlab/-/issues/293595). - -### Remove off peak time mode configuration for Docker Machine autoscaling - -WARNING: -This feature was changed or removed in 14.0 -as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). -Before updating GitLab, review the details carefully to determine if you need to make any -changes to your code, settings, or workflow. - -In GitLab Runner 13.0, [issue #5069](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/5069), we introduced new timing options for the GitLab Docker Machine executor. In GitLab Runner 14.0, we have removed the old configuration option, [off peak time mode](https://docs.gitlab.com/runner/configuration/autoscale.html#off-peak-time-mode-configuration-deprecated). - -### Remove redundant timestamp field from DORA metrics API payload +### Redundant timestamp field from DORA metrics API payload WARNING: This feature was changed or removed in 14.0 @@ -502,7 +437,7 @@ changes to your code, settings, or workflow. The [deployment frequency project-level API](https://docs.gitlab.com/ee/api/dora4_project_analytics.html#list-project-deployment-frequencies) endpoint has been deprecated in favor of the [DORA 4 API](https://docs.gitlab.com/ee/api/dora/metrics.html), which consolidates all the metrics under one API with the specific metric as a required field. As a result, the timestamp field, which doesn't allow adding future extensions and causes performance issues, will be removed. With the old API, an example response would be `{ "2021-03-01": 3, "date": "2021-03-01", "value": 3 }`. The first key/value (`"2021-03-01": 3`) will be removed and replaced by the last two (`"date": "2021-03-01", "value": 3`). -### Remove success and failure for finished build metric conversion +### Release description in the Tags API WARNING: This feature was changed or removed in 14.0 @@ -510,41 +445,7 @@ as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#brea Before updating GitLab, review the details carefully to determine if you need to make any changes to your code, settings, or workflow. -In GitLab Runner 13.5, we introduced `failed` and `success` states for a job. To support Prometheus rules, we chose to convert `success/failure` to `finished` for the metric. In 14.0, the conversion has now been removed. Refer to [issue #26900](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/26900) for details. - -### Remove support for Windows Server 1903 image - -WARNING: -This feature was changed or removed in 14.0 -as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). -Before updating GitLab, review the details carefully to determine if you need to make any -changes to your code, settings, or workflow. - -In 14.0, we have removed Windows Server 1903. Microsoft ended support for this version on 2020-08-12. Refer to [issue #27551](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27551) for details. - -### Remove support for Windows Server 1909 image - -WARNING: -This feature was changed or removed in 14.0 -as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). -Before updating GitLab, review the details carefully to determine if you need to make any -changes to your code, settings, or workflow. - -In 14.0, we have removed Windows Server 1909. Microsoft ended support for this version on 2021-05-11. Refer to [issue #27899](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27899) for details. - -### Removed Global `SAST_ANALYZER_IMAGE_TAG` in SAST CI template - -WARNING: -This feature was changed or removed in 14.0 -as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). -Before updating GitLab, review the details carefully to determine if you need to make any -changes to your code, settings, or workflow. - -With the maturity of GitLab Secure scanning tools, we've needed to add more granularity to our release process. Previously, GitLab shared a major version number for [all analyzers and tools](https://docs.gitlab.com/ee/user/application_security/sast/#supported-languages-and-frameworks). This requires all tools to share a major version, and prevents the use of [semantic version numbering](https://semver.org/). In GitLab 14.0, SAST removes the `SAST_ANALYZER_IMAGE_TAG` global variable in our [managed `SAST.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml) CI template, in favor of the analyzer job variable setting the `major.minor` tag in the SAST vendored template. - -Each analyzer job now has a scoped `SAST_ANALYZER_IMAGE_TAG` variable, which will be actively managed by GitLab and set to the `major` tag for the respective analyzer. To pin to a specific version, [change the variable value to the specific version tag](https://docs.gitlab.com/ee/user/application_security/sast/#pinning-to-minor-image-version). -If you override or maintain custom versions of `SAST.gitlab-ci.yml`, update your CI templates to stop referencing the global `SAST_ANALYZER_IMAGE_TAG`, and move it to a scoped analyzer job tag. We strongly encourage [inheriting and overriding our managed CI templates](https://docs.gitlab.com/ee/user/application_security/sast/#overriding-sast-jobs) to future-proof your CI templates. This change allows you to more granularly control future analyzer updates with a pinned `major.minor` version. -This deprecation and removal changes our [previously announced plan](https://about.gitlab.com/releases/2021/02/22/gitlab-13-9-released/#pin-static-analysis-analyzers-and-tools-to-minor-versions) to pin the Static Analysis tools. +GitLab 14.0 removes support for the release description in the Tags API. You can no longer add a release description when [creating a new tag](https://docs.gitlab.com/ee/api/tags.html#create-a-new-tag). You also can no longer [create](https://docs.gitlab.com/ee/api/tags.html#create-a-new-release) or [update](https://docs.gitlab.com/ee/api/tags.html#update-a-release) a release through the Tags API. Please migrate to use the [Releases API](https://docs.gitlab.com/ee/api/releases/#create-a-release) instead. ### Ruby version changed in `Ruby.gitlab-ci.yml` @@ -560,7 +461,7 @@ To better support the latest versions of Ruby, the template is changed to use `r Relevant Issue: [Updates Ruby version 2.5 to 3.0](https://gitlab.com/gitlab-org/gitlab/-/issues/329160) -### Segments removed from DevOps Adoption API +### SAST analyzer `SAST_GOSEC_CONFIG` variable WARNING: This feature was changed or removed in 14.0 @@ -568,9 +469,10 @@ as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#brea Before updating GitLab, review the details carefully to determine if you need to make any changes to your code, settings, or workflow. -The first release of the DevOps Adoption report had a concept of **Segments**. Segments were [quickly removed from the report](https://gitlab.com/groups/gitlab-org/-/epics/5251) because they introduced an additional layer of complexity on top of **Groups** and **Projects**. Subsequent iterations of the DevOps Adoption report focus on comparing adoption across groups rather than segments. GitLab 14.0 removes all references to **Segments** [from the GraphQL API](https://gitlab.com/gitlab-org/gitlab/-/issues/324414) and replaces them with **Enabled groups**. +With the release of [SAST Custom Rulesets](https://docs.gitlab.com/ee/user/application_security/sast/#customize-rulesets) in GitLab 13.5 we allow greater flexibility in configuration options for our Go analyzer (GoSec). As a result we no longer plan to support our less flexible [`SAST_GOSEC_CONFIG`](https://docs.gitlab.com/ee/user/application_security/sast/#analyzer-settings) analyzer setting. This variable was deprecated in GitLab 13.10. +GitLab 14.0 removes the old `SAST_GOSEC_CONFIG variable`. If you use or override `SAST_GOSEC_CONFIG` in your CI file, update your SAST CI configuration or pin to an older version of the GoSec analyzer. We strongly encourage [inheriting and overriding our managed CI templates](https://docs.gitlab.com/ee/user/application_security/sast/#overriding-sast-jobs) to future-proof your CI templates. -### Service Templates removed +### Service Templates WARNING: This feature was changed or removed in 14.0 @@ -582,7 +484,7 @@ Service Templates are [removed in GitLab 14.0](https://gitlab.com/groups/gitlab- While they solved part of the problem, _updating_ those values later proved to be a major pain point. [Project Integration Management](https://docs.gitlab.com/ee/user/admin_area/settings/project_integration_management.html) solves this problem by enabling you to create settings at the Group or Instance level, and projects within that namespace inheriting those settings. -### Sidekiq queue selector options no longer accept the 'experimental' prefix +### Success and failure for finished build metric conversion WARNING: This feature was changed or removed in 14.0 @@ -590,9 +492,28 @@ as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#brea Before updating GitLab, review the details carefully to determine if you need to make any changes to your code, settings, or workflow. -GitLab supports a [queue selector](https://docs.gitlab.com/ee/administration/operations/extra_sidekiq_processes.html#queue-selector) to run only a subset of background jobs for a given process. When it was introduced, this option had an 'experimental' prefix (`experimental_queue_selector` in Omnibus, `experimentalQueueSelector` in Helm charts). +In GitLab Runner 13.5, we introduced `failed` and `success` states for a job. To support Prometheus rules, we chose to convert `success/failure` to `finished` for the metric. In 14.0, the conversion has now been removed. Refer to [issue #26900](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/26900) for details. -As announced in the [13.6 release post](https://about.gitlab.com/releases/2020/11/22/gitlab-13-6-released/#sidekiq-cluster-queue-selector-configuration-option-has-been-renamed), the 'experimental' prefix is no longer supported. Instead, `queue_selector` for Omnibus and `queueSelector` in Helm charts should be used. +### Terraform template version + +WARNING: +This feature was changed or removed in 14.0 +as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). +Before updating GitLab, review the details carefully to determine if you need to make any +changes to your code, settings, or workflow. + +As we continuously [develop GitLab's Terraform integrations](https://gitlab.com/gitlab-org/gitlab/-/issues/325312), to minimize customer disruption, we maintain two GitLab CI/CD templates for Terraform: + +- The ["latest version" template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform.latest.gitlab-ci.yml), which is updated frequently between minor releases of GitLab (such as 13.10, 13.11, etc). +- The ["major version" template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform.gitlab-ci.yml), which is updated only at major releases (such as 13.0, 14.0, etc). + +At every major release of GitLab, the "latest version" template becomes the "major version" template, inheriting the "latest template" setup. +As we have added many new features to the Terraform integration, the new setup for the "major version" template can be considered a breaking change. + +The latest template supports the [Terraform Merge Request widget](https://docs.gitlab.com/ee/user/infrastructure/mr_integration.html) and +doesn't need additional setup to work with the [GitLab managed Terraform state](https://docs.gitlab.com/ee/user/infrastructure/terraform_state.html). + +To check the new changes, see the [new "major version" template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform.gitlab-ci.yml). ### Ubuntu 16.04 support @@ -606,7 +527,17 @@ Ubuntu 16.04 [reached end-of-life in April 2021](https://ubuntu.com/about/releas GitLab 13.12 will be the last release with Ubuntu 16.04 support. -### Unicorn removed in favor of Puma for GitLab self-managed +### Ubuntu 19.10 (Eoan Ermine) package + +WARNING: +This feature was changed or removed in 14.0 +as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). +Before updating GitLab, review the details carefully to determine if you need to make any +changes to your code, settings, or workflow. + +Ubuntu 19.10 (Eoan Ermine) reached end of life on Friday, July 17, 2020. In GitLab Runner 14.0, Ubuntu 19.10 (Eoan Ermine) is no longer available from our package distribution. Refer to [issue #26036](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/26036) for details. + +### Unicorn in GitLab self-managed WARNING: This feature was changed or removed in 14.0 @@ -616,28 +547,6 @@ changes to your code, settings, or workflow. [Support for Unicorn](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/6078) has been removed in GitLab 14.0 in favor of Puma. [Puma has a multi-threaded architecture](https://docs.gitlab.com/ee/administration/operations/puma.html) which uses less memory than a multi-process application server like Unicorn. On GitLab.com, we saw a 40% reduction in memory consumption by using Puma. -### Update Auto Deploy template version - -WARNING: -This feature was changed or removed in 14.0 -as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). -Before updating GitLab, review the details carefully to determine if you need to make any -changes to your code, settings, or workflow. - -In GitLab 14.0, we will update the [Auto Deploy](https://docs.gitlab.com/ee/topics/autodevops/stages.html#auto-deploy) CI template to the latest version. This includes new features, bug fixes, and performance improvements with a dependency on the v2 [auto-deploy-image](https://gitlab.com/gitlab-org/cluster-integration/auto-deploy-image). Auto Deploy CI template v1 will is deprecated going forward. - -Since the v1 and v2 versions are not backward-compatible, your project might encounter an unexpected failure if you already have a deployed application. Follow the [upgrade guide](https://docs.gitlab.com/ee/topics/autodevops/upgrading_auto_deploy_dependencies.html#upgrade-guide) to upgrade your environments. You can also start using the latest template today by following the [early adoption guide](https://docs.gitlab.com/ee/topics/autodevops/upgrading_auto_deploy_dependencies.html#early-adopters). - -### Update CI/CD templates to stop using hardcoded `master` - -WARNING: -This feature was changed or removed in 14.0 -as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). -Before updating GitLab, review the details carefully to determine if you need to make any -changes to your code, settings, or workflow. - -Our CI/CD templates have been updated to no longer use hard-coded references to a `master` branch. In 14.0, they all use a variable that points to your project's configured default branch instead. If your CI/CD pipeline relies on our built-in templates, verify that this change works with your current configuration. For example, if you have a `master` branch and a different default branch, the updates to the templates may cause changes to your pipeline behavior. For more information, [read the issue](https://gitlab.com/gitlab-org/gitlab/-/issues/324131). - ### WIP merge requests renamed 'draft merge requests' WARNING: @@ -658,7 +567,47 @@ changes to your code, settings, or workflow. The Web Application Firewall (WAF) was deprecated in GitLab 13.6 and is removed from GitLab 14.0. The WAF had limitations inherent in the architectural design that made it difficult to meet the requirements traditionally expected of a WAF. By removing the WAF, GitLab is able to focus on improving other areas in the product where more value can be provided to users. Users who currently rely on the WAF can continue to use the free and open source [ModSecurity](https://github.com/SpiderLabs/ModSecurity) project, which is independent from GitLab. Additional details are available in the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/271276). -### `CI_PROJECT_CONFIG_PATH` variable has been removed +### Windows Server 1903 image support + +WARNING: +This feature was changed or removed in 14.0 +as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). +Before updating GitLab, review the details carefully to determine if you need to make any +changes to your code, settings, or workflow. + +In 14.0, we have removed Windows Server 1903. Microsoft ended support for this version on 2020-08-12. Refer to [issue #27551](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27551) for details. + +### Windows Server 1909 image support + +WARNING: +This feature was changed or removed in 14.0 +as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). +Before updating GitLab, review the details carefully to determine if you need to make any +changes to your code, settings, or workflow. + +In 14.0, we have removed Windows Server 1909. Microsoft ended support for this version on 2021-05-11. Refer to [issue #27899](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27899) for details. + +### `/usr/lib/gitlab-runner` symlink from package + +WARNING: +This feature was changed or removed in 14.0 +as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). +Before updating GitLab, review the details carefully to determine if you need to make any +changes to your code, settings, or workflow. + +In GitLab Runner 13.3, a symlink was added from `/user/lib/gitlab-runner/gitlab-runner` to `/usr/bin/gitlab-runner`. In 14.0, the symlink has been removed and the runner is now installed in `/usr/bin/gitlab-runner`. Refer to [issue #26651](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/26651) for details. + +### `?w=1` URL parameter to ignore whitespace changes + +WARNING: +This feature was changed or removed in 14.0 +as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). +Before updating GitLab, review the details carefully to determine if you need to make any +changes to your code, settings, or workflow. + +To create a consistent experience for users based on their preferences, support for toggling whitespace changes via URL parameter has been removed in GitLab 14.0. + +### `CI_PROJECT_CONFIG_PATH` variable WARNING: This feature was changed or removed in 14.0 @@ -672,6 +621,57 @@ has been removed in favor of `CI_CONFIG_PATH`, which is functionally the same. If you are using `CI_PROJECT_CONFIG_PATH` in your pipeline configurations, please update them to use `CI_CONFIG_PATH` instead. +### `FF_RESET_HELPER_IMAGE_ENTRYPOINT` feature flag + +WARNING: +This feature was changed or removed in 14.0 +as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). +Before updating GitLab, review the details carefully to determine if you need to make any +changes to your code, settings, or workflow. + +In 14.0, we have deactivated the `FF_RESET_HELPER_IMAGE_ENTRYPOINT` feature flag. Refer to issue [#26679](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/26679) for details. + +### `FF_SHELL_EXECUTOR_USE_LEGACY_PROCESS_KILL` feature flag + +WARNING: +This feature was changed or removed in 14.0 +as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). +Before updating GitLab, review the details carefully to determine if you need to make any +changes to your code, settings, or workflow. + +In [GitLab Runner 13.1](https://docs.gitlab.com/runner/executors/shell.html#gitlab-131-and-later), [issue #3376](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/3376), we introduced `sigterm` and then `sigkill` to a process in the Shell executor. We also introduced a new feature flag, `FF_SHELL_EXECUTOR_USE_LEGACY_PROCESS_KILL`, so you can use the previous process termination sequence. In GitLab Runner 14.0, [issue #6413](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/6413), the feature flag has been removed. + +### `FF_USE_GO_CLOUD_WITH_CACHE_ARCHIVER` feature flag + +WARNING: +This feature was changed or removed in 14.0 +as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). +Before updating GitLab, review the details carefully to determine if you need to make any +changes to your code, settings, or workflow. + +GitLab Runner 14.0 removes the `FF_USE_GO_CLOUD_WITH_CACHE_ARCHIVER` feature flag. Refer to [issue #27175](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27175) for details. + +### `secret_detection_default_branch` job + +WARNING: +This feature was changed or removed in 14.0 +as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). +Before updating GitLab, review the details carefully to determine if you need to make any +changes to your code, settings, or workflow. + +To ensure Secret Detection was scanning both default branches and feature branches, we introduced two separate secret detection CI jobs (`secret_detection_default_branch` and `secret_detection`) in our managed [`Secret-Detection.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/Secret-Detection.gitlab-ci.yml) template. These two CI jobs created confusion and complexity in the CI rules logic. This deprecation moves the `rule` logic into the `script` section, which then determines how the `secret_detection` job is run (historic, on a branch, commits, etc). +If you override or maintain custom versions of `SAST.gitlab-ci.yml` or `Secret-Detection.gitlab-ci.yml`, you must update your CI templates. We strongly encourage [inheriting and overriding our managed CI templates](https://docs.gitlab.com/ee/user/application_security/secret_detection/#custom-settings-example) to future-proof your CI templates. GitLab 14.0 no longer supports the old `secret_detection_default_branch` job. + +### `trace` parameter in `jobs` API + +WARNING: +This feature was changed or removed in 14.0 +as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). +Before updating GitLab, review the details carefully to determine if you need to make any +changes to your code, settings, or workflow. + +GitLab Runner was updated in GitLab 13.4 to internally stop passing the `trace` parameter to the `/api/jobs/:id` endpoint. GitLab 14.0 deprecates the `trace` parameter entirely for all other requests of this endpoint. Make sure your [GitLab Runner version matches your GitLab version](https://docs.gitlab.com/runner/#gitlab-runner-versions) to ensure consistent behavior. + ## 14.1 ### Remove support for `prometheus.listen_address` and `prometheus.enable` diff --git a/doc/user/application_security/container_scanning/index.md b/doc/user/application_security/container_scanning/index.md index 5125cb42d1c..08a8c46cc72 100644 --- a/doc/user/application_security/container_scanning/index.md +++ b/doc/user/application_security/container_scanning/index.md @@ -514,7 +514,7 @@ registry.gitlab.com/security-products/container-scanning/trivy:4 The process for importing Docker images into a local offline Docker registry depends on **your network security policy**. Please consult your IT staff to find an accepted and approved process by which you can import or temporarily access external resources. These scanners -are [periodically updated](../vulnerabilities/index.md#vulnerability-scanner-maintenance), +are [periodically updated](../index.md#vulnerability-scanner-maintenance), and you may be able to make occasional updates on your own. For more information, see [the specific steps on how to update an image with a pipeline](#automating-container-scanning-vulnerability-database-updates-with-a-pipeline). @@ -738,7 +738,7 @@ scanner includes data from multiple sources: - [Trivy](https://aquasecurity.github.io/trivy/latest/vulnerability/detection/data-source/). Database update information for other analyzers is available in the -[maintenance table](../vulnerabilities/index.md#vulnerability-scanner-maintenance). +[maintenance table](../index.md#vulnerability-scanner-maintenance). ## Interacting with the vulnerabilities diff --git a/doc/user/application_security/dast/run_dast_offline.md b/doc/user/application_security/dast/run_dast_offline.md index 86621d73524..63163167a6c 100644 --- a/doc/user/application_security/dast/run_dast_offline.md +++ b/doc/user/application_security/dast/run_dast_offline.md @@ -36,7 +36,7 @@ For DAST, import the following default DAST analyzer image from `registry.gitlab The process for importing Docker images into a local offline Docker registry depends on **your network security policy**. Please consult your IT staff to find an accepted and approved process by which external resources can be imported or temporarily accessed. -These scanners are [periodically updated](../vulnerabilities/index.md#vulnerability-scanner-maintenance) +These scanners are [periodically updated](../index.md#vulnerability-scanner-maintenance) with new definitions, and you may be able to make occasional updates on your own. For details on saving and transporting Docker images as a file, see Docker's documentation on diff --git a/doc/user/application_security/dependency_scanning/index.md b/doc/user/application_security/dependency_scanning/index.md index c20c4ce5a18..7ffb3181632 100644 --- a/doc/user/application_security/dependency_scanning/index.md +++ b/doc/user/application_security/dependency_scanning/index.md @@ -645,7 +645,7 @@ vulnerabilities in your groups, projects and pipelines. Read more about the ## Vulnerabilities database update For more information about the vulnerabilities database update, see the -[maintenance table](../vulnerabilities/index.md#vulnerability-scanner-maintenance). +[maintenance table](../index.md#vulnerability-scanner-maintenance). ## Dependency List @@ -821,7 +821,7 @@ registry.gitlab.com/gitlab-org/security-products/analyzers/bundler-audit:2 The process for importing Docker images into a local offline Docker registry depends on **your network security policy**. Please consult your IT staff to find an accepted and approved process by which external resources can be imported or temporarily accessed. -These scanners are [periodically updated](../vulnerabilities/index.md#vulnerability-scanner-maintenance) +These scanners are [periodically updated](../index.md#vulnerability-scanner-maintenance) with new definitions, and you may be able to make occasional updates on your own. For details on saving and transporting Docker images as a file, see Docker's documentation on diff --git a/doc/user/application_security/index.md b/doc/user/application_security/index.md index a80c8dff345..6a0b81335fd 100644 --- a/doc/user/application_security/index.md +++ b/doc/user/application_security/index.md @@ -2,7 +2,6 @@ stage: Secure group: Static Analysis info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments -type: reference, howto --- # Secure your application **(ULTIMATE)** @@ -46,6 +45,25 @@ GitLab uses the following tools to scan and report known vulnerabilities found i | [Coverage fuzzing](coverage_fuzzing/index.md) | Find unknown bugs and vulnerabilities with coverage-guided fuzzing. | | [Cluster Image Scanning](cluster_image_scanning/index.md) | Scan Kubernetes clusters for known vulnerabilities. | +## Vulnerability scanner maintenance + +The following vulnerability scanners and their databases are regularly updated: + +| Secure scanning tool | Vulnerabilities database updates | +|:----------------------------------------------------------------|:---------------------------------| +| [Container Scanning](container_scanning/index.md) | A job runs on a daily basis to build new images with the latest vulnerability database updates from the upstream scanner. For more details, see [Vulnerabilities database update](container_scanning/index.md#vulnerabilities-database-update). | +| [Dependency Scanning](dependency_scanning/index.md) | Relies on `bundler-audit` (for Ruby gems), `retire.js` (for npm packages), and `gemnasium` (the GitLab tool for all libraries). Both `bundler-audit` and `retire.js` fetch their vulnerabilities data from GitHub repositories, so vulnerabilities added to `ruby-advisory-db` and `retire.js` are immediately available. The tools themselves are updated once per month if there's a new version. The [Gemnasium DB](https://gitlab.com/gitlab-org/security-products/gemnasium-db) is updated on a daily basis using [data from NVD, the `ruby-advisory-db` and the GitHub Security Advisory Database as data sources](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/SOURCES.md). See our [current measurement of time from CVE being issued to our product being updated](https://about.gitlab.com/handbook/engineering/development/performance-indicators/#cve-issue-to-update). | +| [Dynamic Application Security Testing (DAST)](dast/index.md) | The scanning engine is updated on a periodic basis. See the [version of the underlying tool `zaproxy`](https://gitlab.com/gitlab-org/security-products/dast/blob/main/Dockerfile#L1). The scanning rules are downloaded at scan runtime. | +| [Static Application Security Testing (SAST)](sast/index.md) | Relies exclusively on [the tools GitLab wraps](sast/index.md#supported-languages-and-frameworks). The underlying analyzers are updated at least once per month if a relevant update is available. The vulnerabilities database is updated by the upstream tools. | + +In versions of GitLab that use the same major version of the analyzer, you do not have to update +GitLab to benefit from the latest vulnerabilities definitions. The security tools are released as +Docker images. The vendored job definitions that enable them use major release tags according to +[semantic versioning](https://semver.org/). Each new release of the tools overrides these tags. +Although in a major analyzer version you automatically get the latest versions of the scanning +tools, there are some [known issues](https://gitlab.com/gitlab-org/gitlab/-/issues/9725) with this +approach. + ## Security scanning with Auto DevOps To enable all GitLab Security scanning tools, with default settings, enable @@ -149,8 +167,8 @@ The artifact generated by the secure analyzer contains all findings it discovers ### All tiers Merge requests which have run security scans let you know that the generated -reports are available to download. To download a report, click on the -**Download results** dropdown, and select the desired report. +reports are available to download. To download a report, select +**Download results**, and select the desired report. ![Security widget](img/security_widget_v13_7.png) @@ -210,7 +228,7 @@ Vulnerability-Check rule. While this rule is enabled, additional merge request a [eligible approvers](../project/merge_requests/approvals/rules.md#eligible-approvers) is required when the latest security report in a merge request: -- Contains vulnerabilities with states (for example, `previously detected`, `dismissed`) matching the rule's vulnerability states. Only `newly detected` will be considered if the target branch differs from the project default branch. +- Contains vulnerabilities with states (for example, `previously detected`, `dismissed`) matching the rule's vulnerability states. Only `newly detected` are considered if the target branch differs from the project default branch. - Contains vulnerabilities with severity levels (for example, `high`, `critical`, or `unknown`) matching the rule's severity levels. - Contains a vulnerability count higher than the rule allows. diff --git a/doc/user/application_security/sast/index.md b/doc/user/application_security/sast/index.md index 304e9b752ba..3c0a2caf114 100644 --- a/doc/user/application_security/sast/index.md +++ b/doc/user/application_security/sast/index.md @@ -936,7 +936,7 @@ registry.gitlab.com/security-products/sast/spotbugs:2 The process for importing Docker images into a local offline Docker registry depends on **your network security policy**. Please consult your IT staff to find an accepted and approved -process by which external resources can be imported or temporarily accessed. These scanners are [periodically updated](../vulnerabilities/index.md#vulnerability-scanner-maintenance) +process by which external resources can be imported or temporarily accessed. These scanners are [periodically updated](../index.md#vulnerability-scanner-maintenance) with new definitions, and you may be able to make occasional updates on your own. For details on saving and transporting Docker images as a file, see Docker's documentation on diff --git a/doc/user/application_security/secret_detection/index.md b/doc/user/application_security/secret_detection/index.md index af41a164faf..2ce2d59898f 100644 --- a/doc/user/application_security/secret_detection/index.md +++ b/doc/user/application_security/secret_detection/index.md @@ -368,7 +368,7 @@ registry.gitlab.com/security-products/secret-detection:3 The process for importing Docker images into a local offline Docker registry depends on **your network security policy**. Please consult your IT staff to find an accepted and approved -process by which external resources can be imported or temporarily accessed. These scanners are [periodically updated](../vulnerabilities/index.md#vulnerability-scanner-maintenance) +process by which external resources can be imported or temporarily accessed. These scanners are [periodically updated](../index.md#vulnerability-scanner-maintenance) with new definitions, and you may be able to make occasional updates on your own. For details on saving and transporting Docker images as a file, see Docker's documentation on diff --git a/doc/user/application_security/vulnerabilities/index.md b/doc/user/application_security/vulnerabilities/index.md index 19948168f77..7b39002bac3 100644 --- a/doc/user/application_security/vulnerabilities/index.md +++ b/doc/user/application_security/vulnerabilities/index.md @@ -1,5 +1,4 @@ --- -type: reference, howto stage: Secure group: Threat Insights info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments @@ -160,23 +159,3 @@ To manually apply the patch that GitLab generated for a vulnerability: 1. Ensure your local project has the same commit checked out that was used to generate the patch. 1. Run `git apply remediation.patch`. 1. Verify and commit the changes to your branch. - -## Vulnerability scanner maintenance - -The following vulnerability scanners and their databases are regularly updated: - -| Secure scanning tool | Vulnerabilities database updates | -|:----------------------------------------------------------------|----------------------------------| -| [Container Scanning](../container_scanning/index.md) | A job runs on a daily basis to build new images with the latest vulnerability database updates from the upstream scanner. For more details, see [Vulnerabilities database update](../container_scanning/index.md#vulnerabilities-database-update). | -| [Dependency Scanning](../dependency_scanning/index.md) | Relies on `bundler-audit` (for Ruby gems), `retire.js` (for npm packages), and `gemnasium` (the GitLab tool for all libraries). Both `bundler-audit` and `retire.js` fetch their vulnerabilities data from GitHub repositories, so vulnerabilities added to `ruby-advisory-db` and `retire.js` are immediately available. The tools themselves are updated once per month if there's a new version. The [Gemnasium DB](https://gitlab.com/gitlab-org/security-products/gemnasium-db) is updated on a daily basis using [data from NVD, the `ruby-advisory-db` and the GitHub Security Advisory Database as data sources](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/SOURCES.md). See our [current measurement of time from CVE being issued to our product being updated](https://about.gitlab.com/handbook/engineering/development/performance-indicators/#cve-issue-to-update). | -| [Dynamic Application Security Testing (DAST)](../dast/index.md) | The scanning engine is updated on a periodic basis. See the [version of the underlying tool `zaproxy`](https://gitlab.com/gitlab-org/security-products/dast/blob/main/Dockerfile#L1). The scanning rules are downloaded at scan runtime. | -| [Static Application Security Testing (SAST)](../sast/index.md) | Relies exclusively on [the tools GitLab wraps](../sast/index.md#supported-languages-and-frameworks). The underlying analyzers are updated at least once per month if a relevant update is available. The vulnerabilities database is updated by the upstream tools. | - -You do not have to update GitLab to benefit from the latest vulnerabilities definitions. -The security tools are released as Docker images. The vendored job definitions that enable them use -major release tags according to [semantic versioning](https://semver.org/). Each new release of the -tools overrides these tags. -The Docker images are updated to match the previous GitLab releases. Although -you automatically get the latest versions of the scanning tools, -there are some [known issues](https://gitlab.com/gitlab-org/gitlab/-/issues/9725) -with this approach. diff --git a/doc/user/compliance/license_compliance/index.md b/doc/user/compliance/license_compliance/index.md index 1c874c01884..20ec5dd0282 100644 --- a/doc/user/compliance/license_compliance/index.md +++ b/doc/user/compliance/license_compliance/index.md @@ -22,6 +22,8 @@ You can take advantage of License Compliance by either: [Auto License Compliance](../../../topics/autodevops/stages.md#auto-license-compliance), provided by [Auto DevOps](../../../topics/autodevops/index.md). +The current major version of the License Scanning analyzer is 3. + To detect the licenses in use, License Compliance uses the [License Finder](https://github.com/pivotal/LicenseFinder) scan tool that runs as part of the CI/CD pipeline. For the job to activate, License Finder needs to find a compatible package definition in the project directory. For details, see the [Activation on License Finder documentation](https://github.com/pivotal/LicenseFinder#activation). GitLab checks the License Compliance report, compares the @@ -674,7 +676,7 @@ registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:latest The process for importing Docker images into a local offline Docker registry depends on **your network security policy**. Please consult your IT staff to find an accepted and approved -process by which external resources can be imported or temporarily accessed. Note that these scanners are [updated periodically](../../application_security/vulnerabilities/index.md#vulnerability-scanner-maintenance) +process by which external resources can be imported or temporarily accessed. Note that these scanners are [updated periodically](../../application_security/index.md#vulnerability-scanner-maintenance) with new definitions, so consider if you are able to make periodic updates yourself. For details on saving and transporting Docker images as a file, see Docker's documentation on diff --git a/locale/gitlab.pot b/locale/gitlab.pot index d12028ae4eb..c057a3f57e3 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -28,15 +28,9 @@ msgstr "" msgid " Please sign in." msgstr "" -msgid " Target Path" -msgstr "" - msgid " Try to %{action} this file again." msgstr "" -msgid " Type" -msgstr "" - msgid " You need to do this before %{grace_period_deadline}." msgstr "" @@ -6136,9 +6130,6 @@ msgstr "" msgid "Broadcast Messages" msgstr "" -msgid "Broadcast messages are displayed for every user and can be used to notify users about scheduled maintenance, recent upgrades and more." -msgstr "" - msgid "Browse Directory" msgstr "" @@ -31732,6 +31723,12 @@ msgstr "" msgid "Saving project." msgstr "" +msgid "ScanResultPolicy|%{thenLabelStart}Then%{thenLabelEnd} Require approval from %{approvalsRequired} of the following approvers: %{approvers}" +msgstr "" + +msgid "ScanResultPolicy|add an approver" +msgstr "" + msgid "Scanner" msgstr "" @@ -35702,6 +35699,9 @@ msgstr "" msgid "Target branch" msgstr "" +msgid "Target roles" +msgstr "" + msgid "Target-Branch" msgstr "" @@ -36190,6 +36190,9 @@ msgstr "" msgid "The branch or tag does not exist" msgstr "" +msgid "The broadcast message displays only to users in projects and groups who have these roles." +msgstr "" + msgid "The character highlighter helps you keep the subject line to %{titleLength} characters and wrap the body at %{bodyLength} so they are readable in git." msgstr "" @@ -39435,6 +39438,9 @@ msgstr "" msgid "Use authorized_keys file to authenticate SSH keys" msgstr "" +msgid "Use banners and notifications to notify your users about scheduled maintenance, recent upgrades, and more." +msgstr "" + msgid "Use cURL" msgstr "" diff --git a/spec/features/admin/admin_broadcast_messages_spec.rb b/spec/features/admin/admin_broadcast_messages_spec.rb index 476dd4469bc..aaa1f08c84f 100644 --- a/spec/features/admin/admin_broadcast_messages_spec.rb +++ b/spec/features/admin/admin_broadcast_messages_spec.rb @@ -7,7 +7,12 @@ RSpec.describe 'Admin Broadcast Messages' do admin = create(:admin) sign_in(admin) gitlab_enable_admin_mode_sign_in(admin) - create(:broadcast_message, :expired, message: 'Migration to new server') + create( + :broadcast_message, + :expired, + message: 'Migration to new server', + target_access_levels: [Gitlab::Access::DEVELOPER] + ) visit admin_broadcast_messages_path end @@ -21,10 +26,13 @@ RSpec.describe 'Admin Broadcast Messages' do fill_in 'broadcast_message_target_path', with: '*/user_onboarded' fill_in 'broadcast_message_font', with: '#b94a48' select Date.today.next_year.year, from: 'broadcast_message_ends_at_1i' + select 'Guest', from: 'broadcast_message_target_access_levels' + select 'Owner', from: 'broadcast_message_target_access_levels' click_button 'Add broadcast message' expect(current_path).to eq admin_broadcast_messages_path expect(page).to have_content 'Application update from 4:00 CST to 5:00 CST' + expect(page).to have_content 'Guest, Owner' expect(page).to have_content '*/user_onboarded' expect(page).to have_selector 'strong', text: '4:00 CST to 5:00 CST' expect(page).to have_selector %(div[style="background-color: #f2dede; color: #b94a48"]) @@ -35,10 +43,14 @@ RSpec.describe 'Admin Broadcast Messages' do fill_in 'broadcast_message_target_path', with: '*/user_onboarded' select 'Notification', from: 'broadcast_message_broadcast_type' select Date.today.next_year.year, from: 'broadcast_message_ends_at_1i' + select 'Reporter', from: 'broadcast_message_target_access_levels' + select 'Developer', from: 'broadcast_message_target_access_levels' + select 'Maintainer', from: 'broadcast_message_target_access_levels' click_button 'Add broadcast message' expect(current_path).to eq admin_broadcast_messages_path expect(page).to have_content 'Application update from 4:00 CST to 5:00 CST' + expect(page).to have_content 'Reporter, Developer, Maintainer' expect(page).to have_content '*/user_onboarded' expect(page).to have_content 'Notification' expect(page).to have_selector 'strong', text: '4:00 CST to 5:00 CST' @@ -47,10 +59,15 @@ RSpec.describe 'Admin Broadcast Messages' do it 'edit an existing broadcast message' do click_link 'Edit' fill_in 'broadcast_message_message', with: 'Application update RIGHT NOW' + select 'Reporter', from: 'broadcast_message_target_access_levels' click_button 'Update broadcast message' expect(current_path).to eq admin_broadcast_messages_path expect(page).to have_content 'Application update RIGHT NOW' + + page.within('.table-responsive') do + expect(page).to have_content 'Reporter, Developer' + end end it 'remove an existing broadcast message' do diff --git a/spec/helpers/broadcast_messages_helper_spec.rb b/spec/helpers/broadcast_messages_helper_spec.rb index 3e8cbdf89a0..e721a3fdc95 100644 --- a/spec/helpers/broadcast_messages_helper_spec.rb +++ b/spec/helpers/broadcast_messages_helper_spec.rb @@ -3,6 +3,71 @@ require 'spec_helper' RSpec.describe BroadcastMessagesHelper do + include Gitlab::Routing.url_helpers + + let_it_be(:user) { create(:user) } + + before do + allow(helper).to receive(:current_user).and_return(user) + end + + shared_examples 'returns role-targeted broadcast message when in project, group, or sub-group URL' do + let(:feature_flag_state) { true } + + before do + stub_feature_flags(role_targeted_broadcast_messages: feature_flag_state) + allow(helper).to receive(:cookies) { {} } + end + + context 'when in a project page' do + let_it_be(:project) { create(:project) } + + before do + project.add_developer(user) + + assign(:project, project) + allow(helper).to receive(:controller) { ProjectsController.new } + end + + it { is_expected.to eq message } + + context 'when feature flag is disabled' do + let(:feature_flag_state) { false } + + it { is_expected.to be_nil } + end + end + + context 'when in a group page' do + let_it_be(:group) { create(:group) } + + before do + group.add_developer(user) + + assign(:group, group) + allow(helper).to receive(:controller) { GroupsController.new } + end + + it { is_expected.to eq message } + + context 'when feature flag is disabled' do + let(:feature_flag_state) { false } + + it { is_expected.to be_nil } + end + end + + context 'when not in a project, group, or sub-group page' do + it { is_expected.to be_nil } + + context 'when feature flag is disabled' do + let(:feature_flag_state) { false } + + it { is_expected.to be_nil } + end + end + end + describe 'current_broadcast_notification_message' do subject { helper.current_broadcast_notification_message } @@ -24,17 +89,27 @@ RSpec.describe BroadcastMessagesHelper do context 'without broadcast notification messages' do it { is_expected.to be_nil } end + + describe 'user access level targeted messages' do + let_it_be(:message) { create(:broadcast_message, broadcast_type: 'notification', starts_at: Time.now, target_access_levels: [Gitlab::Access::DEVELOPER]) } + + include_examples 'returns role-targeted broadcast message when in project, group, or sub-group URL' + end + end + + describe 'current_broadcast_banner_messages' do + describe 'user access level targeted messages' do + let_it_be(:message) { create(:broadcast_message, broadcast_type: 'banner', starts_at: Time.now, target_access_levels: [Gitlab::Access::DEVELOPER]) } + + subject { helper.current_broadcast_banner_messages.first } + + include_examples 'returns role-targeted broadcast message when in project, group, or sub-group URL' + end end describe 'broadcast_message' do - let_it_be(:user) { create(:user) } - let(:current_broadcast_message) { BroadcastMessage.new(message: 'Current Message') } - before do - allow(helper).to receive(:current_user).and_return(user) - end - it 'returns nil when no current message' do expect(helper.broadcast_message(nil)).to be_nil end diff --git a/spec/models/broadcast_message_spec.rb b/spec/models/broadcast_message_spec.rb index d981189c6f1..3a072cfe2ec 100644 --- a/spec/models/broadcast_message_spec.rb +++ b/spec/models/broadcast_message_spec.rb @@ -23,6 +23,8 @@ RSpec.describe BroadcastMessage do it { is_expected.to allow_value(1).for(:broadcast_type) } it { is_expected.not_to allow_value(nil).for(:broadcast_type) } + it { is_expected.not_to allow_value(nil).for(:target_access_levels) } + it { is_expected.to validate_inclusion_of(:target_access_levels).in_array(described_class::ALLOWED_TARGET_ACCESS_LEVELS) } end shared_examples 'time constrainted' do |broadcast_type| @@ -175,12 +177,48 @@ RSpec.describe BroadcastMessage do end end + shared_examples "matches with user access level" do |broadcast_type| + context 'when target_access_levels is empty' do + let_it_be(:message) { create(:broadcast_message, target_access_levels: [], broadcast_type: broadcast_type) } + + it 'returns the message if user access level is not nil' do + expect(subject.call(nil, Gitlab::Access::MINIMAL_ACCESS)).to include(message) + end + + it 'returns the message if user access level is nil' do + expect(subject.call(nil, nil)).to include(message) + end + end + + context 'when target_access_levels is not empty' do + let_it_be(:target_access_levels) { [Gitlab::Access::GUEST] } + let_it_be(:message) { create(:broadcast_message, target_access_levels: target_access_levels, broadcast_type: broadcast_type) } + + it "does not return the message if user access level is nil" do + expect(subject.call(nil, nil)).to be_empty + end + + it "returns the message if user access level is in target_access_levels" do + expect(subject.call(nil, Gitlab::Access::GUEST)).to include(message) + end + + it "does not return the message if user access level is not in target_access_levels" do + expect(subject.call(nil, Gitlab::Access::MINIMAL_ACCESS)).to be_empty + end + end + end + describe '.current', :use_clean_rails_memory_store_caching do - subject { -> (path = nil) { described_class.current(path) } } + subject do + -> (path = nil, user_access_level = nil) do + described_class.current(current_path: path, user_access_level: user_access_level) + end + end it_behaves_like 'time constrainted', :banner it_behaves_like 'message cache', :banner it_behaves_like 'matches with current path', :banner + it_behaves_like 'matches with user access level', :banner it 'returns both types' do banner_message = create(:broadcast_message, broadcast_type: :banner) @@ -191,11 +229,16 @@ RSpec.describe BroadcastMessage do end describe '.current_banner_messages', :use_clean_rails_memory_store_caching do - subject { -> (path = nil) { described_class.current_banner_messages(path) } } + subject do + -> (path = nil, user_access_level = nil) do + described_class.current_banner_messages(current_path: path, user_access_level: user_access_level) + end + end it_behaves_like 'time constrainted', :banner it_behaves_like 'message cache', :banner it_behaves_like 'matches with current path', :banner + it_behaves_like 'matches with user access level', :banner it 'only returns banners' do banner_message = create(:broadcast_message, broadcast_type: :banner) @@ -206,11 +249,16 @@ RSpec.describe BroadcastMessage do end describe '.current_notification_messages', :use_clean_rails_memory_store_caching do - subject { -> (path = nil) { described_class.current_notification_messages(path) } } + subject do + -> (path = nil, user_access_level = nil) do + described_class.current_notification_messages(current_path: path, user_access_level: user_access_level) + end + end it_behaves_like 'time constrainted', :notification it_behaves_like 'message cache', :notification it_behaves_like 'matches with current path', :notification + it_behaves_like 'matches with user access level', :notification it 'only returns notifications' do notification_message = create(:broadcast_message, broadcast_type: :notification) diff --git a/spec/views/admin/broadcast_messages/index.html.haml_spec.rb b/spec/views/admin/broadcast_messages/index.html.haml_spec.rb new file mode 100644 index 00000000000..e1dc76428df --- /dev/null +++ b/spec/views/admin/broadcast_messages/index.html.haml_spec.rb @@ -0,0 +1,36 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe 'admin/broadcast_messages/index' do + describe 'Target roles select and table column' do + let(:feature_flag_state) { true } + + let_it_be(:message) { create(:broadcast_message, broadcast_type: 'banner', target_access_levels: [Gitlab::Access::GUEST, Gitlab::Access::DEVELOPER]) } + + before do + assign(:broadcast_messages, BroadcastMessage.page(1)) + assign(:broadcast_message, BroadcastMessage.new) + + stub_feature_flags(role_targeted_broadcast_messages: feature_flag_state) + + render + end + + it 'rendered' do + expect(rendered).to have_content('Target roles') + expect(rendered).to have_content('Owner') + expect(rendered).to have_content('Guest, Developer') + end + + context 'when feature flag is off' do + let(:feature_flag_state) { false } + + it 'is not rendered' do + expect(rendered).not_to have_content('Target roles') + expect(rendered).not_to have_content('Owner') + expect(rendered).not_to have_content('Guest, Developer') + end + end + end +end