Adds option for projects to only mirror protected branches.

app/models/project.rb

@@ -60,6 +60,7 @@ class Project < ActiveRecord::Base
   default_value_for :wiki_enabled, gitlab_config_features.wiki
   default_value_for :snippets_enabled, gitlab_config_features.snippets
   default_value_for :only_allow_merge_if_all_discussions_are_resolved, false
+  default_value_for :only_mirror_protected_branches, true
 
   add_authentication_token_field :runners_token
   before_save :ensure_runners_token

changelogs/unreleased-ee/3844-add-option-to-projects-to-only-import-protected-branches.yml

+---
+title: Add option for projects to only mirror protected branches.
+merge_request: 3326
+author:
+type: added

db/migrate/20171109115718_add_only_mirror_protected_branches_to_projects.rb

+class AddOnlyMirrorProtectedBranchesToProjects < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def change
+    add_column :projects, :only_mirror_protected_branches, :boolean
+  end
+end

db/schema.rb

@@ -1840,6 +1840,7 @@ ActiveRecord::Schema.define(version: 20171124165823) do
     t.integer "storage_version", limit: 2
     t.boolean "resolve_outdated_diff_discussions"
     t.boolean "remote_mirror_available_overridden"
+    t.boolean "only_mirror_protected_branches"
   end
 
   add_index "projects", ["ci_id"], name: "index_projects_on_ci_id", using: :btree

doc/workflow/repository_mirroring.md

@@ -84,6 +84,14 @@ this branch to prevent any changes from being lost.
 
 ![Diverged branch](repository_mirroring/repository_mirroring_diverged_branch.png)
 
+### Pull only protected branches
+
+>[Introduced][ee-3326] in Gitlab Enterprise Edition 10.3.
+
+You can choose to only pull the protected branches from your remote repository to GitLab.
+
+To use this option go to your project's repository settings page under pull mirror.
+
 ### Hard failure
 
 >[Introduced][ee-3117] in GitLab Enterprise Edition 10.2.

ee/app/controllers/projects/mirrors_controller.rb

@@ -84,6 +84,7 @@ class Projects::MirrorsController < Projects::ApplicationController
       :username_only_import_url,
       :mirror_user_id,
       :mirror_trigger_builds,
+      :only_mirror_protected_branches,
 
       import_data_attributes: %i[
         id

ee/app/services/projects/update_mirror_service.rb

@@ -33,6 +33,8 @@ module Projects
       repository.upstream_branches.each do |upstream_branch|
         name = upstream_branch.name
 
+        next if skip_branch?(name)
+
         local_branch = local_branches[name]
 
         if local_branch.nil?
@@ -98,5 +100,9 @@ module Projects
     def repository_tags_with_target
       repository.tags.select(&:dereferenced_target)
     end
+
+    def skip_branch?(name)
+      project.only_mirror_protected_branches && !ProtectedBranch.protected?(project,name)
+    end
   end
 end

ee/app/views/projects/mirrors/_pull.html.haml

@@ -40,6 +40,14 @@
           This user will be the author of all events in the activity feed that are the result of an update,
           like new branches being created or new commits being pushed to existing branches.
           You can only assign yourself to be the mirror user.
+
+      .form-group
+        = f.check_box :only_mirror_protected_branches, class: 'pull-left'
+        .prepend-left-20
+          = f.label :only_mirror_protected_branches, class: 'label-light'
+          = link_to icon('question-circle'), help_page_path('user/project/protected_branches')
+
       - if @project.builds_enabled?
         = render "shared/mirror_trigger_builds_setting", f: f
+
       = f.submit 'Save changes', class: 'btn btn-create', name: 'update_remote_mirror'

ee/app/views/shared/ee/_import_form.html.haml

@@ -11,5 +11,4 @@
       .help-block
         Mirroring will only be available if the feature is included in the plan of the selected group or user.
 
-
   = f.hidden_field :mirror_user_id, value: current_user.id

lib/gitlab/import_export/import_export.yml

@@ -107,6 +107,7 @@ excluded_attributes:
     - :mirror_trigger_builds
     - :storage_version
     - :remote_mirror_available_overridden
+    - :only_mirror_protected_branches
   snippets:
     - :expired_at
   merge_request_diff:

spec/services/projects/update_mirror_service_spec.rb

 require 'spec_helper'
 
 describe Projects::UpdateMirrorService do
-  let(:project) { create(:project, :repository, :mirror, import_url: Project::UNKNOWN_IMPORT_URL) }
+  let(:project) do
+    create(:project, :repository, :mirror, import_url: Project::UNKNOWN_IMPORT_URL, only_mirror_protected_branches: false)
+  end
 
   describe "#execute" do
     context 'unlicensed' do
@@ -53,6 +55,55 @@ describe Projects::UpdateMirrorService do
     end
 
     describe "updating branches" do
+      context 'when mirror only protected branches option is set' do
+        let(:new_protected_branch_name) { 'new-branch' }
+        let(:protected_branch_name) { 'existing-branch' }
+
+        before do
+          project.update_attributes(only_mirror_protected_branches: true)
+        end
+
+        it 'creates a new protected branch' do
+          create(:protected_branch, project: project, name: new_protected_branch_name)
+          project.reload
+
+          stub_fetch_mirror(project)
+
+          described_class.new(project, project.owner).execute
+
+          expect(project.repository.branch_names).to include(new_protected_branch_name)
+        end
+
+        it 'does not create a unprotected branch' do
+          stub_fetch_mirror(project)
+
+          described_class.new(project, project.owner).execute
+
+          expect(project.repository.branch_names).not_to include(new_protected_branch_name)
+        end
+
+        it 'updates existing protected branches' do
+          create(:protected_branch, project: project, name: protected_branch_name)
+          project.reload
+
+          stub_fetch_mirror(project)
+
+          described_class.new(project, project.owner).execute
+
+          expect(project.repository.find_branch(protected_branch_name).dereferenced_target)
+            .to eq(project.repository.find_branch('master').dereferenced_target)
+        end
+
+        it "does not update unprotected branches" do
+          stub_fetch_mirror(project)
+
+          described_class.new(project, project.owner).execute
+
+          expect(project.repository.find_branch(protected_branch_name).dereferenced_target)
+            .not_to eq(project.repository.find_branch('master').dereferenced_target)
+        end
+      end
+
       it "creates new branches" do
         stub_fetch_mirror(project)