Solution 1. Persists protected(ref) flag on ci_pipelines table....

Solution 1. Persists protected(ref) flag on ci_pipelines table. builds_for_shared_runner and builds_for_specific_runner read the flag instead of executing protected_for? one by one.

app/models/ci/build.rb

@@ -35,6 +35,16 @@ module Ci
     scope :last_month, ->() { where('created_at > ?', Date.today - 1.month) }
     scope :manual_actions, ->() { where(when: :manual, status: COMPLETED_STATUSES + [:manual]) }
 
+    scope :on_protected, ->() do
+      joins("LEFT JOIN ci_pipelines ON ci_builds.commit_id = ci_pipelines.id")
+      .where('ci_pipelines.protected IS TRUE')
+    end
+
+    scope :unprotected, ->() do
+      joins("LEFT JOIN ci_pipelines ON ci_builds.commit_id = ci_pipelines.id")
+      .where('ci_pipelines.protected IS FALSE')
+    end
+
     mount_uploader :artifacts_file, ArtifactUploader
     mount_uploader :artifacts_metadata, ArtifactUploader
 

app/services/ci/create_pipeline_service.rb

@@ -12,7 +12,8 @@ module Ci
         tag: tag?,
         trigger_requests: Array(trigger_request),
         user: current_user,
-        pipeline_schedule: schedule
+        pipeline_schedule: schedule,
+        protected: protected?
       )
 
       result = validate(current_user,
@@ -175,6 +176,10 @@ module Ci
       origin_sha && origin_sha != Gitlab::Git::BLANK_SHA
     end
 
+    def protected?
+      project.protected_for?(ref)
+    end
+
     def error(message, save: false)
       pipeline.tap do
         pipeline.errors.add(:base, message)

app/services/ci/register_job_service.rb

@@ -54,21 +54,25 @@ module Ci
     private
 
     def builds_for_shared_runner
-      new_builds.
+      b = new_builds.
         # don't run projects which have not enabled shared runners and builds
         joins(:project).where(projects: { shared_runners_enabled: true, pending_delete: false })
         .joins('LEFT JOIN project_features ON ci_builds.project_id = project_features.project_id')
-        .where('project_features.builds_access_level IS NULL or project_features.builds_access_level > 0').
+        .where('project_features.builds_access_level IS NULL or project_features.builds_access_level > 0')
+
+      b = runner.protected? ? b.on_protected : b.unprotected
 
         # Implement fair scheduling
         # this returns builds that are ordered by number of running builds
         # we prefer projects that don't use shared runners at all
-        joins("LEFT JOIN (#{running_builds_for_shared_runners.to_sql}) AS project_builds ON ci_builds.project_id=project_builds.project_id")
+      b.joins("LEFT JOIN (#{running_builds_for_shared_runners.to_sql}) AS project_builds ON ci_builds.project_id=project_builds.project_id")
        .order('COALESCE(project_builds.running_builds, 0) ASC', 'ci_builds.id ASC')
     end
 
     def builds_for_specific_runner
-      new_builds.where(project: runner.projects.without_deleted.with_builds_enabled).order('created_at ASC')
+      b = new_builds.where(project: runner.projects.without_deleted.with_builds_enabled)
+      b = runner.protected? ? b.on_protected : b.unprotected
+      b.order('created_at ASC')
     end
 
     def running_builds_for_shared_runners

db/migrate/20170731132235_add_protected_to_ci_pipelines.rb

+class AddProtectedToCiPipelines < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_column_with_default(:ci_pipelines, :protected, :boolean, default: false)
+  end
+
+  def down
+    remove_column(:ci_pipelines, :protected)
+  end
+end

db/schema.rb

@@ -336,6 +336,7 @@ ActiveRecord::Schema.define(version: 20170824162758) do
     t.integer "auto_canceled_by_id"
     t.integer "pipeline_schedule_id"
     t.integer "source"
+    t.boolean "protected", default: false, null: false
   end
 
   add_index "ci_pipelines", ["auto_canceled_by_id"], name: "index_ci_pipelines_on_auto_canceled_by_id", using: :btree