Commit 3c204d45 authored by Graeme Gillies's avatar Graeme Gillies

Merge branch '14-10-stable-ee-patch-3' into '14-10-stable-ee'

Prepare 14.10.3-ee release (2nd preparation MR)

See merge request gitlab-org/gitlab!88013
parents c594ad6d 8775bf4a
...@@ -87,7 +87,7 @@ module Projects ...@@ -87,7 +87,7 @@ module Projects
def permitted_project_params def permitted_project_params
[ [
:runners_token, :builds_enabled, :build_allow_git_fetch, :runners_token, :builds_enabled, :build_allow_git_fetch,
:build_timeout_human_readable, :build_coverage_regex, :public_builds, :build_timeout_human_readable, :build_coverage_regex, :public_builds, :ci_separated_caches,
:auto_cancel_pending_pipelines, :ci_config_path, :auto_rollback_enabled, :auto_cancel_pending_pipelines, :ci_config_path, :auto_rollback_enabled,
auto_devops_attributes: [:id, :domain, :enabled, :deploy_strategy], auto_devops_attributes: [:id, :domain, :enabled, :deploy_strategy],
ci_cd_settings_attributes: [:default_git_depth, :forward_deployment_enabled] ci_cd_settings_attributes: [:default_git_depth, :forward_deployment_enabled]
......
...@@ -451,6 +451,7 @@ class ProjectsController < Projects::ApplicationController ...@@ -451,6 +451,7 @@ class ProjectsController < Projects::ApplicationController
:initialize_with_sast, :initialize_with_sast,
:initialize_with_readme, :initialize_with_readme,
:autoclose_referenced_issues, :autoclose_referenced_issues,
:ci_separated_caches,
:suggestion_commit_message, :suggestion_commit_message,
:packages_enabled, :packages_enabled,
:service_desk_enabled, :service_desk_enabled,
......
...@@ -911,6 +911,8 @@ module Ci ...@@ -911,6 +911,8 @@ module Ci
end end
end end
return cache unless project.ci_separated_caches
type_suffix = pipeline.protected_ref? ? 'protected' : 'non_protected' type_suffix = pipeline.protected_ref? ? 'protected' : 'non_protected'
cache.map do |entry| cache.map do |entry|
entry.merge(key: "#{entry[:key]}-#{type_suffix}") entry.merge(key: "#{entry[:key]}-#{type_suffix}")
......
...@@ -471,6 +471,7 @@ class Project < ApplicationRecord ...@@ -471,6 +471,7 @@ class Project < ApplicationRecord
delegate :job_token_scope_enabled, :job_token_scope_enabled=, to: :ci_cd_settings, prefix: :ci, allow_nil: true delegate :job_token_scope_enabled, :job_token_scope_enabled=, to: :ci_cd_settings, prefix: :ci, allow_nil: true
delegate :keep_latest_artifact, :keep_latest_artifact=, to: :ci_cd_settings, allow_nil: true delegate :keep_latest_artifact, :keep_latest_artifact=, to: :ci_cd_settings, allow_nil: true
delegate :restrict_user_defined_variables, :restrict_user_defined_variables=, to: :ci_cd_settings, allow_nil: true delegate :restrict_user_defined_variables, :restrict_user_defined_variables=, to: :ci_cd_settings, allow_nil: true
delegate :separated_caches, :separated_caches=, to: :ci_cd_settings, prefix: :ci, allow_nil: true
delegate :runner_token_expiration_interval, :runner_token_expiration_interval=, :runner_token_expiration_interval_human_readable, :runner_token_expiration_interval_human_readable=, to: :ci_cd_settings, allow_nil: true delegate :runner_token_expiration_interval, :runner_token_expiration_interval=, :runner_token_expiration_interval_human_readable, :runner_token_expiration_interval_human_readable=, to: :ci_cd_settings, allow_nil: true
delegate :actual_limits, :actual_plan_name, :actual_plan, to: :namespace, allow_nil: true delegate :actual_limits, :actual_plan_name, :actual_plan, to: :namespace, allow_nil: true
delegate :allow_merge_on_skipped_pipeline, :allow_merge_on_skipped_pipeline?, delegate :allow_merge_on_skipped_pipeline, :allow_merge_on_skipped_pipeline?,
......
...@@ -18,6 +18,7 @@ class ProjectCiCdSetting < ApplicationRecord ...@@ -18,6 +18,7 @@ class ProjectCiCdSetting < ApplicationRecord
allow_nil: true allow_nil: true
default_value_for :forward_deployment_enabled, true default_value_for :forward_deployment_enabled, true
default_value_for :separated_caches, true
chronic_duration_attr :runner_token_expiration_interval_human_readable, :runner_token_expiration_interval chronic_duration_attr :runner_token_expiration_interval_human_readable, :runner_token_expiration_interval
......
- help_link_public_pipelines = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'change-which-users-can-view-your-pipelines'), target: '_blank', rel: 'noopener noreferrer' - help_link_public_pipelines = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'change-which-users-can-view-your-pipelines'), target: '_blank', rel: 'noopener noreferrer'
- help_link_auto_canceling = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'auto-cancel-redundant-pipelines'), target: '_blank', rel: 'noopener noreferrer' - help_link_auto_canceling = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'auto-cancel-redundant-pipelines'), target: '_blank', rel: 'noopener noreferrer'
- help_link_skip_outdated =link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'skip-outdated-deployment-jobs'), target: '_blank', rel: 'noopener noreferrer' - help_link_skip_outdated = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'skip-outdated-deployment-jobs'), target: '_blank', rel: 'noopener noreferrer'
- help_link_separated_caches = link_to sprite_icon('question-o'), help_page_path('ci/caching/index', anchor: 'cache-key-names'), target: '_blank', rel: 'noopener noreferrer'
.row.gl-mt-3 .row.gl-mt-3
.col-lg-12 .col-lg-12
...@@ -24,6 +25,11 @@ ...@@ -24,6 +25,11 @@
= form.gitlab_ui_checkbox_component :forward_deployment_enabled, _("Skip outdated deployment jobs"), = form.gitlab_ui_checkbox_component :forward_deployment_enabled, _("Skip outdated deployment jobs"),
help_text: (_('When a deployment job is successful, skip older deployment jobs that are still pending.') + ' ' + help_link_skip_outdated).html_safe help_text: (_('When a deployment job is successful, skip older deployment jobs that are still pending.') + ' ' + help_link_skip_outdated).html_safe
.form-group
= f.gitlab_ui_checkbox_component :ci_separated_caches,
s_("CICD|Use separate caches for protected branches"),
help_text: (s_('CICD|Unprotected branches will not have access to the cache from protected branches.') + ' ' + help_link_separated_caches).html_safe
.form-group .form-group
= f.label :ci_config_path, _('CI/CD configuration file'), class: 'label-bold' = f.label :ci_config_path, _('CI/CD configuration file'), class: 'label-bold'
= f.text_field :ci_config_path, class: 'form-control', placeholder: '.gitlab-ci.yml' = f.text_field :ci_config_path, class: 'form-control', placeholder: '.gitlab-ci.yml'
......
# frozen_string_literal: true
class AddSeparatedCachesOptionToProjectCiSettings < Gitlab::Database::Migration[2.0]
enable_lock_retries!
def change
add_column :project_ci_cd_settings, :separated_caches, :boolean, default: true, null: false
end
end
8014dcf24ac2f1171240daa349e0552cb313b06f756b84e09a16d76a8810132a
\ No newline at end of file
...@@ -19054,7 +19054,8 @@ CREATE TABLE project_ci_cd_settings ( ...@@ -19054,7 +19054,8 @@ CREATE TABLE project_ci_cd_settings (
keep_latest_artifact boolean DEFAULT true NOT NULL, keep_latest_artifact boolean DEFAULT true NOT NULL,
restrict_user_defined_variables boolean DEFAULT false NOT NULL, restrict_user_defined_variables boolean DEFAULT false NOT NULL,
job_token_scope_enabled boolean DEFAULT false NOT NULL, job_token_scope_enabled boolean DEFAULT false NOT NULL,
runner_token_expiration_interval integer runner_token_expiration_interval integer,
separated_caches boolean DEFAULT true NOT NULL
); );
CREATE SEQUENCE project_ci_cd_settings_id_seq CREATE SEQUENCE project_ci_cd_settings_id_seq
...@@ -31,7 +31,7 @@ can't link to files outside it. ...@@ -31,7 +31,7 @@ can't link to files outside it.
- Subsequent pipelines can use the cache. - Subsequent pipelines can use the cache.
- Subsequent jobs in the same pipeline can use the cache, if the dependencies are identical. - Subsequent jobs in the same pipeline can use the cache, if the dependencies are identical.
- Different projects cannot share the cache. - Different projects cannot share the cache.
- Protected and non-protected branches do not share the cache. - By default, protected and non-protected branches [do not share the cache](#cache-key-names). However, you can [change this behavior](#use-the-same-cache-for-all-branches).
### Artifacts ### Artifacts
...@@ -447,7 +447,7 @@ is stored on the machine where GitLab Runner is installed. The location also dep ...@@ -447,7 +447,7 @@ is stored on the machine where GitLab Runner is installed. The location also dep
If you use cache and artifacts to store the same path in your jobs, the cache might If you use cache and artifacts to store the same path in your jobs, the cache might
be overwritten because caches are restored before artifacts. be overwritten because caches are restored before artifacts.
### Segregation of caches between protected and non-protected branches #### Cache key names
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/330047) in GitLab 15.0. > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/330047) in GitLab 15.0.
...@@ -463,6 +463,24 @@ and `feature`, then the following table represents the resulting cache keys: ...@@ -463,6 +463,24 @@ and `feature`, then the following table represents the resulting cache keys:
| `main` | `main-protected` | | `main` | `main-protected` |
| `feature` | `feature-non_protected` | | `feature` | `feature-non_protected` |
##### Use the same cache for all branches
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/361643) in GitLab 15.0.
If you do not want to use [cache key names](#cache-key-names),
you can have all branches (protected and unprotected) use the same cache.
The cache separation with [cache key names](#cache-key-names) is a security feature
and should only be disabled in an environment where all users with Developer role are highly trusted.
To use the same cache for all branches:
1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Settings > CI/CD**.
1. Expand **General pipelines**.
1. Clear the **Use separate caches for protected branches** checkbox.
1. Select **Save changes**.
### How archiving and extracting works ### How archiving and extracting works
This example shows two jobs in two consecutive stages: This example shows two jobs in two consecutive stages:
......
...@@ -99,6 +99,7 @@ module API ...@@ -99,6 +99,7 @@ module API
expose :ci_default_git_depth expose :ci_default_git_depth
expose :ci_forward_deployment_enabled expose :ci_forward_deployment_enabled
expose :ci_job_token_scope_enabled expose :ci_job_token_scope_enabled
expose :ci_separated_caches
expose :public_builds, as: :public_jobs expose :public_builds, as: :public_jobs
expose :build_git_strategy, if: lambda { |project, options| options[:user_can_admin_project] } do |project, options| expose :build_git_strategy, if: lambda { |project, options| options[:user_can_admin_project] } do |project, options|
project.build_allow_git_fetch ? 'fetch' : 'clone' project.build_allow_git_fetch ? 'fetch' : 'clone'
......
...@@ -6660,6 +6660,12 @@ msgstr "" ...@@ -6660,6 +6660,12 @@ msgstr ""
msgid "CICD|The Auto DevOps pipeline runs if no alternative CI configuration file is found." msgid "CICD|The Auto DevOps pipeline runs if no alternative CI configuration file is found."
msgstr "" msgstr ""
msgid "CICD|Unprotected branches will not have access to the cache from protected branches."
msgstr ""
msgid "CICD|Use separate caches for protected branches"
msgstr ""
msgid "CICD|group enabled" msgid "CICD|group enabled"
msgstr "" msgstr ""
......
...@@ -1069,6 +1069,32 @@ RSpec.describe Ci::Build do ...@@ -1069,6 +1069,32 @@ RSpec.describe Ci::Build do
is_expected.to all(a_hash_including(key: a_string_matching(/-non_protected$/))) is_expected.to all(a_hash_including(key: a_string_matching(/-non_protected$/)))
end end
end end
context 'when separated caches are disabled' do
before do
allow_any_instance_of(Project).to receive(:ci_separated_caches).and_return(false)
end
context 'running on protected ref' do
before do
allow(build.pipeline).to receive(:protected_ref?).and_return(true)
end
it 'is expected to have no type suffix' do
is_expected.to match([a_hash_including(key: 'key-1'), a_hash_including(key: 'key2-1')])
end
end
context 'running on not protected ref' do
before do
allow(build.pipeline).to receive(:protected_ref?).and_return(false)
end
it 'is expected to have no type suffix' do
is_expected.to match([a_hash_including(key: 'key-1'), a_hash_including(key: 'key2-1')])
end
end
end
end end
context 'when project has jobs_cache_index' do context 'when project has jobs_cache_index' do
......
...@@ -99,6 +99,7 @@ ci_cd_settings: ...@@ -99,6 +99,7 @@ ci_cd_settings:
default_git_depth: ci_default_git_depth default_git_depth: ci_default_git_depth
forward_deployment_enabled: ci_forward_deployment_enabled forward_deployment_enabled: ci_forward_deployment_enabled
job_token_scope_enabled: ci_job_token_scope_enabled job_token_scope_enabled: ci_job_token_scope_enabled
separated_caches: ci_separated_caches
build_import_state: # import_state build_import_state: # import_state
unexposed_attributes: unexposed_attributes:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment