Changelog, docs, and API support

app/views/projects/variables/_form.html.haml

@@ -12,7 +12,7 @@
     = f.text_field :scope, class: "form-control", placeholder: "*"
     .help-block
       This variable will be passed only to jobs with a matching environment name. * is a wildcard
-      = link_to icon('question-circle'), help_page_path('ci/variables/README', anchor: 'scope'), target: '_blank'
+      = link_to icon('question-circle'), help_page_path('ci/variables/README', anchor: 'secret-variable-scope'), target: '_blank'
   .form-group
     .checkbox
       = f.label :protected do

changelogs/unreleased-ee/2302-environment-specific-variables.yml

+---
+title: Add scope to secret variables to specify environments
+merge_request: 2112
+author:

doc/api/build_variables.md

@@ -67,6 +67,7 @@ POST /projects/:id/variables
 | `key`       | string  | yes      | The `key` of a variable; must have no more than 255 characters; only `A-Z`, `a-z`, `0-9`, and `_` are allowed |
 | `value`     | string  | yes      | The `value` of a variable |
 | `protected` | boolean | no       | Whether the variable is protected |
+| `scope`     | string  | no       | The `scope` of the variable |
 
 ```
 curl --request POST --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" "https://gitlab.example.com/api/v4/projects/1/variables" --form "key=NEW_VARIABLE" --form "value=new value"
@@ -76,7 +77,8 @@ curl --request POST --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" "https://gitl
 {
     "key": "NEW_VARIABLE",
     "value": "new value",
-    "protected": false
+    "protected": false,
+    "scope": "*"
 }
 ```
 
@@ -94,6 +96,7 @@ PUT /projects/:id/variables/:key
 | `key`       | string  | yes      | The `key` of a variable   |
 | `value`     | string  | yes      | The `value` of a variable |
 | `protected` | boolean | no       | Whether the variable is protected |
+| `scope`     | string  | no       | The `scope` of the variable |
 
 ```
 curl --request PUT --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" "https://gitlab.example.com/api/v4/projects/1/variables/NEW_VARIABLE" --form "value=updated value"
@@ -103,7 +106,8 @@ curl --request PUT --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" "https://gitla
 {
     "key": "NEW_VARIABLE",
     "value": "updated value",
-    "protected": true
+    "protected": true,
+    "scope": "*"
 }
 ```
 

doc/ci/variables/README.md

@@ -176,6 +176,22 @@ Protected variables can be added by going to your project's
 
 Once you set them, they will be available for all subsequent pipelines.
 
+## Secret variable scope
+
+>**Notes:**
+This feature requires GitLab 9.4 or higher.
+
+The scope of a secret variable describes which environments should have this
+variable. The default scope is `*` which means any jobs should have this
+variable, having environments or not doesn't matter.
+
+If the scope is for example, `production`, then only the job having
+environment `production` would have this specific variable. Wildcard `*`
+could be used along with the name, therefore if the scope is `review/*`
+then any jobs with environments name starting with `review/` would have
+that particular variable. For example, `review/feature-01`, `review/bug-01`,
+and so on.
+
 ## Deployment variables
 
 >**Note:**

lib/api/entities.rb

@@ -751,6 +751,9 @@ module API
     class Variable < Grape::Entity
       expose :key, :value
       expose :protected?, as: :protected
+
+      # EE
+      expose :scope
     end
 
     class Pipeline < PipelineBasic

lib/api/variables.rb

@@ -43,9 +43,12 @@ module API
         requires :key, type: String, desc: 'The key of the variable'
         requires :value, type: String, desc: 'The value of the variable'
         optional :protected, type: String, desc: 'Whether the variable is protected'
+
+        # EE
+        optional :scope, type: String, desc: 'The scope of the variable'
       end
       post ':id/variables' do
-        variable = user_project.variables.create(declared(params, include_parent_namespaces: false).to_h)
+        variable = user_project.variables.create(declared_params(include_missing: false))
 
         if variable.valid?
           present variable, with: Entities::Variable
@@ -61,6 +64,9 @@ module API
         optional :key, type: String, desc: 'The key of the variable'
         optional :value, type: String, desc: 'The value of the variable'
         optional :protected, type: String, desc: 'Whether the variable is protected'
+
+        # EE
+        optional :scope, type: String, desc: 'The scope of the variable'
       end
       put ':id/variables/:key' do
         variable = user_project.variables.find_by(key: params[:key])

spec/requests/api/variables_spec.rb

@@ -89,6 +89,30 @@ describe API::Variables do
 
         expect(response).to have_http_status(400)
       end
+
+      # EE
+      it 'creates variable with a specific scope' do
+        expect do
+          post api("/projects/#{project.id}/variables", user), key: 'TEST_VARIABLE_2', value: 'VALUE_2', scope: 'review/*'
+        end.to change{project.variables.count}.by(1)
+
+        expect(response).to have_http_status(201)
+        expect(json_response['key']).to eq('TEST_VARIABLE_2')
+        expect(json_response['value']).to eq('VALUE_2')
+        expect(json_response['scope']).to eq('review/*')
+      end
+
+      # EE
+      it 'allows duplicated variable key given different scopes' do
+        expect do
+          post api("/projects/#{project.id}/variables", user), key: variable.key, value: 'VALUE_2', scope: 'review/*'
+        end.to change{project.variables.count}.by(1)
+
+        expect(response).to have_http_status(201)
+        expect(json_response['key']).to eq(variable.key)
+        expect(json_response['value']).to eq('VALUE_2')
+        expect(json_response['scope']).to eq('review/*')
+      end
     end
 
     context 'authorized user with invalid permissions' do