Update docs and use protected secret variable as the name

c4dded59 · Lin Jen-Shin · afc1fac0 · c4dded59 · c4dded59 · c4dded59
Commit c4dded59 authored May 31, 2017 by Lin Jen-Shin
9 changed files
--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -185,7 +185,7 @@ module Ci
      variables += project.deployment_variables if has_environment?
      variables += yaml_variables
      variables += user_variables
-      variables += project.variables_for(ref)
+      variables += project.secret_variables_for(ref).map(&:to_runner_variable)
      variables += trigger_request.user_variables if trigger_request
      variables
    end

--- a/app/models/ci/variable.rb
+++ b/app/models/ci/variable.rb
@@ -12,6 +12,7 @@ module Ci
                message: "can contain only letters, digits and '_'." }
    scope :order_key_asc, -> { reorder(key: :asc) }
+    scope :unprotected, -> { where(protected: false) }
    attr_encrypted :value,
       mode: :per_attribute_iv_and_salt,

--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -1253,16 +1253,17 @@ class Project < ActiveRecord::Base
    variables
  end
-  def variables_for(ref)
+  def secret_variables_for(ref)
-    vars =
+    if protected_for?(ref)
-      if ProtectedBranch.protected?(self, ref) ||
+      variables
-          ProtectedTag.protected?(self, ref)
+    else
-        variables.to_a
+      variables.unprotected
-      else
+    end
-        variables.to_a.reject(&:protected?)
+  end
-      end
-    vars.map(&:to_runner_variable)
+  def protected_for?(ref)
+    ProtectedBranch.protected?(self, ref) ||
+      ProtectedTag.protected?(self, ref)
  end
  def deployment_variables

--- a/app/views/projects/variables/_content.html.haml
+++ b/app/views/projects/variables/_content.html.haml
 %h4.prepend-top-0
-  Secret and protected variables
+  Secret variables
+  = link_to icon('question-circle'), help_page_path('ci/variables/README', anchor: 'secret-variables'), target: '_blank'
 %p
-  These variables will be set to environment by the runner.
+  These variables will be set to environment by the runner, and could be protected by exposing only to protected branches or tags.
 %p
  So you can use them for passwords, secret keys or whatever you want.
 %p

--- a/app/views/projects/variables/_form.html.haml
+++ b/app/views/projects/variables/_form.html.haml
@@ -14,6 +14,6 @@
        %strong Protected
      .help-block
        This variable will be passed only to pipelines running on protected branches and tags
-        = link_to icon('question-circle'), help_page_path('ci/variables/README', anchor: 'protected-variables'), target: '_blank'
+        = link_to icon('question-circle'), help_page_path('ci/variables/README', anchor: 'protected-secret-variables'), target: '_blank'
  = f.submit btn_text, class: "btn btn-save"
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -1474,4 +1474,4 @@ ActiveRecord::Schema.define(version: 20170524161101) do
  add_foreign_key "trending_projects", "projects", on_delete: :cascade
  add_foreign_key "u2f_registrations", "users"
  add_foreign_key "web_hook_logs", "web_hooks", on_delete: :cascade
 end
\ No newline at end of file
--- a/doc/ci/variables/README.md
+++ b/doc/ci/variables/README.md
@@ -154,24 +154,23 @@ storing things like passwords, secret keys and credentials.
 Secret variables can be added by going to your project's
 **Settings ➔ Pipelines**, then finding the section called
-**Secret and protected variables**.
+**Secret variables**.
 Once you set them, they will be available for all subsequent pipelines.
-## Protected variables
+## Protected secret variables
 >**Notes:**
- This feature requires GitLab Runner 0.4.0 or higher.
+- This feature requires GitLab 9.3 or higher, and GitLab Runner 0.4.0 or higher.
- A protected variable is a secret variable which is protected.
-All secret variables could be protected. Whenever a secret variable is
+Secret variables could be protected. Whenever a secret variable is
 protected, it would only be securely passed to pipelines running on the
-protected branches or protected tags. The other pipelines would not get any
+[protected branches] or [protected tags]. The other pipelines would not get any
 protected variables.
 Protected variables can be added by going to your project's
 **Settings ➔ Pipelines**, then finding the section called
-**Secret and protected variables**, and check *Protected*.
+**Secret variables**, and check *Protected*.
 Once you set them, they will be available for all subsequent pipelines.
@@ -403,3 +402,5 @@ export CI_REGISTRY_PASSWORD="longalfanumstring"
 [runner]: https://docs.gitlab.com/runner/
 [triggered]: ../triggers/README.md
 [triggers]: ../triggers/README.md#pass-job-variables-to-a-trigger
+[protected branches]: ../../user/project/protected_branches.md
+[protected tags]: ../../user/project/protected_tags.md
--- a/spec/models/ci/build_spec.rb
+++ b/spec/models/ci/build_spec.rb
@@ -1379,15 +1379,30 @@ describe Ci::Build, :models do
    end
    context 'returns variables in valid order' do
+      let(:build_pre_var) { { key: 'build', value: 'value' } }
+      let(:project_pre_var) { { key: 'project', value: 'value' } }
+      let(:pipeline_pre_var) { { key: 'pipeline', value: 'value' } }
+      let(:build_yaml_var) { { key: 'yaml', value: 'value' } }
      before do
-        allow(build).to receive(:predefined_variables) { ['predefined'] }
+        allow(build).to receive(:predefined_variables) { [build_pre_var] }
-        allow(project).to receive(:predefined_variables) { ['project'] }
+        allow(project).to receive(:predefined_variables) { [project_pre_var] }
-        allow(pipeline).to receive(:predefined_variables) { ['pipeline'] }
+        allow(pipeline).to receive(:predefined_variables) { [pipeline_pre_var] }
-        allow(build).to receive(:yaml_variables) { ['yaml'] }
+        allow(build).to receive(:yaml_variables) { [build_yaml_var] }
-        allow(project).to receive(:variables_for).with(build.ref) { ['secret'] }
+        allow(project).to receive(:secret_variables_for).with(build.ref) do
+          [create(:ci_variable, key: 'secret', value: 'value')]
+        end
      end
-      it { is_expected.to eq(%w[predefined project pipeline yaml secret]) }
+      it do
+        is_expected.to eq(
+          [build_pre_var,
+           project_pre_var,
+           pipeline_pre_var,
+           build_yaml_var,
+           { key: 'secret', value: 'value', public: false }])
+      end
    end
  end

--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -1735,7 +1735,7 @@ describe Project, models: true do
    end
  end
-  describe '#variables_for' do
+  describe '#secret_variables_for' do
    let(:project) { create(:empty_project) }
    let!(:secret_variable) do
@@ -1746,7 +1746,7 @@ describe Project, models: true do
      create(:ci_variable, :protected, value: 'protected', project: project)
    end
-    subject { project.variables_for('ref') }
+    subject { project.secret_variables_for('ref') }
    shared_examples 'ref is protected' do
      it 'contains all the variables' do