Merge branch '218746-copy-secrets-on-retry' into 'master'

Copy CI secrets when retrying a job [RUN AS-IF-FOSS]

Closes #218746

See merge request gitlab-org/gitlab!40458

app/services/ci/retry_build_service.rb

@@ -2,11 +2,13 @@
 
 module Ci
   class RetryBuildService < ::BaseService
-    CLONE_ACCESSORS = %i[pipeline project ref tag options name
-                         allow_failure stage stage_id stage_idx trigger_request
-                         yaml_variables when environment coverage_regex
-                         description tag_list protected needs_attributes
-                         resource_group scheduling_type].freeze
+    def self.clone_accessors
+      %i[pipeline project ref tag options name
+         allow_failure stage stage_id stage_idx trigger_request
+         yaml_variables when environment coverage_regex
+         description tag_list protected needs_attributes
+         resource_group scheduling_type].freeze
+    end
 
     def execute(build)
       build.ensure_scheduling_type!
@@ -28,7 +30,7 @@ module Ci
         raise Gitlab::Access::AccessDeniedError
       end
 
-      attributes = CLONE_ACCESSORS.map do |attribute|
+      attributes = self.class.clone_accessors.map do |attribute|
         [attribute, build.public_send(attribute)] # rubocop:disable GitlabSecurity/PublicSend
       end.to_h
 
@@ -68,3 +70,5 @@ module Ci
     end
   end
 end
+
+Ci::RetryBuildService.prepend_if_ee('EE::Ci::RetryBuildService')

ee/app/services/ee/ci/retry_build_service.rb

+# frozen_string_literal: true
+
+module EE
+  module Ci
+    module RetryBuildService
+      extend ActiveSupport::Concern
+
+      class_methods do
+        extend ::Gitlab::Utils::Override
+
+        override :clone_accessors
+        def clone_accessors
+          (super + %i[secrets]).freeze
+        end
+      end
+    end
+  end
+end

ee/spec/services/ci/retry_build_service_spec.rb

@@ -3,4 +3,48 @@ require 'spec_helper'
 
 RSpec.describe Ci::RetryBuildService do
   it_behaves_like 'restricts access to protected environments'
+
+  describe '#reprocess' do
+    context 'when user has ability to execute build' do
+      let(:user) { create(:user) }
+      let(:build) { create(:ci_build) }
+      let(:project) { build.project }
+
+      subject(:service) { described_class.new(project, user) }
+
+      let(:new_build) do
+        Timecop.freeze(1.second.from_now) do
+          service.reprocess!(build)
+        end
+      end
+
+      before do
+        stub_not_protect_default_branch
+
+        project.add_developer(user)
+      end
+
+      context 'when build has secrets' do
+        let(:secrets) do
+          {
+            'DATABASE_PASSWORD' => {
+              'vault' => {
+                'engine' => { 'name' => 'kv-v2', 'path' => 'kv-v2' },
+                'path' => 'production/db',
+                'field' => 'password'
+              }
+            }
+          }
+        end
+
+        before do
+          build.update!(secrets: secrets)
+        end
+
+        it 'clones secrets' do
+          expect(new_build.secrets).to eq(secrets)
+        end
+      end
+    end
+  end
 end

spec/services/ci/retry_build_service_spec.rb

@@ -22,7 +22,7 @@ RSpec.describe Ci::RetryBuildService do
     described_class.new(project, user)
   end
 
-  clone_accessors = described_class::CLONE_ACCESSORS
+  clone_accessors = described_class.clone_accessors
 
   reject_accessors =
     %i[id status user token token_encrypted coverage trace runner
@@ -143,6 +143,8 @@ RSpec.describe Ci::RetryBuildService do
         Ci::Build.reflect_on_all_associations.map(&:name) +
         [:tag_list, :needs_attributes]
 
+      current_accessors << :secrets if Gitlab.ee?
+
       current_accessors.uniq!
 
       expect(current_accessors).to include(*processed_accessors)