Merge branch 'ce-upstream1' into 'master'

CE upstream



See merge request !348

.rubocop.yml

@@ -706,7 +706,7 @@ Metrics/ClassLength:
 # of test cases needed to validate a method.
 Metrics/CyclomaticComplexity:
   Enabled: true
-  Max: 17
+  Max: 18
 
 # Limit lines to 80 characters.
 Metrics/LineLength:

CHANGELOG

 Please view this file on the master branch, on stable branches it's out of date.
 
 v 8.7.0 (unreleased)
+  - Transactions for /internal/allowed now have an "action" tag set
   - Method instrumentation now uses Module#prepend instead of aliasing methods
   - Repository.clean_old_archives is now instrumented
   - Add support for environment variables on a job level in CI configuration file
@@ -13,18 +14,21 @@ v 8.7.0 (unreleased)
   - Project switcher uses new dropdown styling
   - Load award emoji images separately unless opening the full picker. Saves several hundred KBs of data for most pages. (Connor Shea)
   - Do not include award_emojis in issue and merge_request comment_count !3610 (Lucas Charles)
+  - Restrict user profiles when public visibility level is restricted.
   - All images in discussions and wikis now link to their source files !3464 (Connor Shea).
   - Return status code 303 after a branch DELETE operation to avoid project deletion (Stan Hu)
   - Add setting for customizing the list of trusted proxies !3524
   - Allow projects to be transfered to a lower visibility level group
   - Fix `signed_in_ip` being set to 127.0.0.1 when using a reverse proxy !3524
   - Improved Markdown rendering performance !3389
+  - Make shared runners text in box configurable
   - Don't attempt to look up an avatar in repo if repo directory does not exist (Stan Hu)
   - API: Ability to subscribe and unsubscribe from issues and merge requests (Robert Schilling)
   - Expose project badges in project settings
   - Make /profile/keys/new redirect to /profile/keys for back-compat. !3717
   - Preserve time notes/comments have been updated at when moving issue
   - Make HTTP(s) label consistent on clone bar (Stan Hu)
+  - Add support for `after_script`, requires Runner 1.2 (Kamil Trzciński)
   - Expose label description in API (Mariusz Jachimowicz)
   - API: Ability to update a group (Robert Schilling)
   - API: Ability to move issues (Robert Schilling)
@@ -49,6 +53,7 @@ v 8.7.0 (unreleased)
   - Use rugged to change HEAD in Project#change_head (P.S.V.R)
   - API: Ability to filter milestones by state `active` and `closed` (Robert Schilling)
   - API: Fix milestone filtering by `iid` (Robert Schilling)
+  - Make before_script and after_script overridable on per-job (Kamil Trzciński)
   - API: Delete notes of issues, snippets, and merge requests (Robert Schilling)
   - Implement 'Groups View' as an option for dashboard preferences !3379 (Elias W.)
   - Better errors handling when creating milestones inside groups
@@ -84,6 +89,15 @@ v 8.7.0 (unreleased)
   - Author and participants are displayed first on users autocompletion
   - Show number sign on external issue reference text (Florent Baldino)
   - Updated print style for issues
+  - Use GitHub Issue/PR number as iid to keep references
+  - Import GitHub labels
+  - Import GitHub milestones
+  - Fix emoji catgories in the emoji picker
+  - Execute system web hooks on push to the project
+  - Allow enable/disable push events for system hooks
+
+v 8.6.7 (unreleased)
+  - Fix vulnerability that made it possible to enumerate private projects belonging to group
 
 v 8.6.6
   - Expire the exists cache before deletion to ensure project dir actually exists (Stan Hu). !3413

Gemfile

@@ -325,7 +325,7 @@ end
 
 gem "newrelic_rpm", '~> 3.14'
 
-gem 'octokit', '~> 3.8.0'
+gem 'octokit', '~> 4.3.0'
 
 gem "mail_room", "~> 0.6.1"
 

Gemfile.lock

@@ -509,8 +509,8 @@ GEM
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (~> 1.2)
-    octokit (3.8.0)
-      sawyer (~> 0.6.0, >= 0.5.3)
+    octokit (4.3.0)
+      sawyer (~> 0.7.0, >= 0.5.3)
     omniauth (1.3.1)
       hashie (>= 1.2, < 4)
       rack (>= 1.0, < 3)
@@ -736,8 +736,8 @@ GEM
       sprockets (>= 2.8, < 4.0)
       sprockets-rails (>= 2.0, < 4.0)
       tilt (>= 1.1, < 3)
-    sawyer (0.6.0)
-      addressable (~> 2.3.5)
+    sawyer (0.7.0)
+      addressable (>= 2.3.5, < 2.5)
       faraday (~> 0.8, < 0.10)
     scss_lint (0.47.1)
       rake (>= 0.9, < 11)
@@ -1001,7 +1001,7 @@ DEPENDENCIES
   newrelic_rpm (~> 3.14)
   nokogiri (~> 1.6.7, >= 1.6.7.2)
   oauth2 (~> 1.0.0)
-  octokit (~> 3.8.0)
+  octokit (~> 4.3.0)
   omniauth (~> 1.3.1)
   omniauth-auth0 (~> 1.4.1)
   omniauth-azure-oauth2 (~> 0.0.6)

app/assets/javascripts/application.js.coffee

@@ -177,7 +177,7 @@ $ ->
   $('.trigger-submit').on 'change', ->
     $(@).parents('form').submit()
 
-  gl.utils.localTimeAgo($('abbr.timeago, .js-timeago'), false)
+  gl.utils.localTimeAgo($('abbr.timeago, .js-timeago'), true)
 
   # Flash
   if (flash = $(".flash-container")).length > 0

app/assets/javascripts/dropzone_input.js.coffee

@@ -61,6 +61,7 @@ class @DropzoneInput
         return
 
       drop: ->
+        $mdArea.removeClass 'is-dropzone-hover'
         form.find(".div-dropzone-hover").css "opacity", 0
         form_textarea.focus()
         return

app/assets/javascripts/gl_dropdown.js.coffee

@@ -32,10 +32,8 @@ class GitLabDropdownFilter
       else if @input.val() is "" and $inputContainer.hasClass HAS_VALUE_CLASS
         $inputContainer.removeClass HAS_VALUE_CLASS
 
-      if keyCode is 13 and @input.val() isnt ""
-        if @options.enterCallback
-          @options.enterCallback()
-        return
+      if keyCode is 13
+        return false
 
       clearTimeout timeout
       timeout = setTimeout =>
@@ -132,7 +130,6 @@ class GitLabDropdown
       @filterInput = @getElement(FILTER_INPUT)
       @highlight = false
       @filterInputBlur = true
-      @enterCallback = true
     } = @options
 
     self = @
@@ -178,9 +175,6 @@ class GitLabDropdown
         callback: (data) =>
           currentIndex = -1
           @parseData data
-        enterCallback: =>
-          if @enterCallback
-            @selectRowAtIndex 0
 
     # Event listeners
 

app/assets/javascripts/merge_request_tabs.js.coffee

@@ -183,9 +183,10 @@ class @MergeRequestTabs
       else
         $diffLine = $('td', $diffLine)
 
-      $diffLine.addClass 'hll'
-      diffLineTop = $diffLine.offset().top
-      navBarHeight = $('.navbar-gitlab').outerHeight()
+      if $diffLine.length
+        $diffLine.addClass 'hll'
+        diffLineTop = $diffLine.offset().top
+        navBarHeight = $('.navbar-gitlab').outerHeight()
 
   loadBuilds: (source) ->
     return if @buildsLoaded

app/assets/javascripts/profile.js.coffee

@@ -45,9 +45,10 @@ class @Profile
 
   saveForm: ->
     self = @
-
     formData = new FormData(@form[0])
-    formData.append('user[avatar]', @avatarGlCrop.getBlob(), 'avatar.png')
+
+    avatarBlob = @avatarGlCrop.getBlob()
+    formData.append('user[avatar]', avatarBlob, 'avatar.png') if avatarBlob?
 
     $.ajax
       url: @form.attr('action')

app/assets/stylesheets/framework/header.scss

@@ -71,7 +71,7 @@ header {
   .header-content {
     position: relative;
     height: $header-height;
-    padding-right: 20px;
+    padding-right: 40px;
 
     @media (min-width: $screen-sm-min) {
       padding-right: 0;
@@ -122,6 +122,10 @@ header {
     }
   }
 
+  .project-item-select-holder {
+    display: inline;
+  }
+
   .impersonation i {
     color: $red-normal;
   }

app/assets/stylesheets/pages/note_form.scss

@@ -61,11 +61,11 @@
     padding: $gl-padding-top $gl-padding;
     border: 1px solid $note-form-border-color;
     border-radius: $border-radius-base;
+    transition: border-color ease-in-out 0.15s,
+                box-shadow ease-in-out 0.15s;
 
     &.is-focused {
-      border-color: $focus-border-color;
-      box-shadow: 0 0 2px $black-transparent,
-                  0 0 4px rgba($focus-border-color, .4);
+      @extend .form-control:focus;
 
       .comment-toolbar,
       .nav-links {

app/assets/stylesheets/pages/notes.scss

@@ -171,6 +171,11 @@ ul.notes {
 
       &.parallel {
         border-width: 1px;
+
+        .code,
+        code {
+          white-space: pre-wrap;
+        }
       }
 
       .notes {

app/controllers/admin/application_settings_controller.rb

@@ -76,6 +76,7 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
       :admin_notification_email,
       :user_oauth_applications,
       :shared_runners_enabled,
+      :shared_runners_text,
       :max_artifacts_size,
       :max_pages_size,
       :metrics_enabled,

app/controllers/admin/hooks_controller.rb

@@ -39,6 +39,6 @@ class Admin::HooksController < Admin::ApplicationController
   end
 
   def hook_params
-    params.require(:hook).permit(:url, :enable_ssl_verification)
+    params.require(:hook).permit(:url, :enable_ssl_verification, :push_events, :tag_push_events)
   end
 end

app/controllers/projects/group_links_controller.rb

@@ -7,10 +7,12 @@ class Projects::GroupLinksController < Projects::ApplicationController
   end
 
   def create
-    link = project.project_group_links.new
-    link.group_id = params[:link_group_id]
-    link.group_access = params[:link_group_access]
-    link.save
+    group = Group.find(params[:link_group_id])
+    return render_404 unless can?(current_user, :read_group, group)
+
+    project.project_group_links.create(
+      group: group, group_access: params[:link_group_access]
+    )
 
     redirect_to namespace_project_group_links_path(project.namespace, project)
   end

app/controllers/users_controller.rb

 class UsersController < ApplicationController
   skip_before_action :authenticate_user!
-  before_action :set_user
+  before_action :user
+  before_action :authorize_read_user!, only: [:show]
 
   def show
     respond_to do |format|
@@ -75,22 +76,26 @@ class UsersController < ApplicationController
 
   private
 
-  def set_user
-    @user = User.find_by_username!(params[:username])
+  def authorize_read_user!
+    render_404 unless can?(current_user, :read_user, user)
+  end
+
+  def user
+    @user ||= User.find_by_username!(params[:username])
   end
 
   def contributed_projects
-    ContributedProjectsFinder.new(@user).execute(current_user)
+    ContributedProjectsFinder.new(user).execute(current_user)
   end
 
   def contributions_calendar
     @contributions_calendar ||= Gitlab::ContributionsCalendar.
-      new(contributed_projects, @user)
+      new(contributed_projects, user)
   end
 
   def load_events
     # Get user activity feed for projects common for both users
-    @events = @user.recent_events.
+    @events = user.recent_events.
       merge(projects_for_current_user).
       references(:project).
       with_associations.
@@ -99,16 +104,16 @@ class UsersController < ApplicationController
 
   def load_projects
     @projects =
-      PersonalProjectsFinder.new(@user).execute(current_user)
+      PersonalProjectsFinder.new(user).execute(current_user)
       .page(params[:page])
   end
 
   def load_contributed_projects
-    @contributed_projects = contributed_projects.joined(@user)
+    @contributed_projects = contributed_projects.joined(user)
   end
 
   def load_groups
-    @groups = JoinedGroupsFinder.new(@user).execute(current_user)
+    @groups = JoinedGroupsFinder.new(user).execute(current_user)
   end
 
   def projects_for_current_user

app/helpers/application_settings_helper.rb

@@ -19,6 +19,10 @@ module ApplicationSettingsHelper
     current_application_settings.help_text
   end
 
+  def shared_runners_text
+    current_application_settings.shared_runners_text
+  end
+
   def user_oauth_applications?
     current_application_settings.user_oauth_applications
   end

app/mailers/repository_check_mailer.rb

@@ -8,7 +8,7 @@ class RepositoryCheckMailer < BaseMailer
 
     mail(
       to: User.admins.pluck(:email),
-      subject: @message
+      subject: "GitLab Admin | #{@message}"
     )
   end
 end

app/models/ability.rb

@@ -19,6 +19,7 @@ class Ability
         when Namespace then namespace_abilities(user, subject)
         when GroupMember then group_member_abilities(user, subject)
         when ProjectMember then project_member_abilities(user, subject)
+        when User then user_abilities
         else []
         end.concat(global_abilities(user))
 
@@ -49,6 +50,8 @@ class Ability
         anonymous_project_abilities(subject)
       when subject.is_a?(Group) || subject.respond_to?(:group)
         anonymous_group_abilities(subject)
+      when subject.is_a?(User)
+        anonymous_user_abilities
       else
         []
       end
@@ -95,17 +98,17 @@ class Ability
     end
 
     def anonymous_group_abilities(subject)
+      rules = []
+
       group = if subject.is_a?(Group)
                 subject
               else
                 subject.group
               end
 
-      if group && group.public?
-        [:read_group]
-      else
-        []
-      end
+      rules << :read_group if group.public?
+
+      rules
     end
 
     def anonymous_personal_snippet_abilities(snippet)
@@ -124,9 +127,14 @@ class Ability
       end
     end
 
+    def anonymous_user_abilities
+      [:read_user] unless restricted_public_level?
+    end
+
     def global_abilities(user)
       rules = []
       rules << :create_group if user.can_create_group
+      rules << :read_users_list
       rules
     end
 
@@ -177,7 +185,7 @@ class Ability
       @public_project_rules ||= project_guest_rules + [
         :download_code,
         :fork_project,
-        :read_commit_status,
+        :read_commit_status
       ]
     end
 
@@ -302,7 +310,6 @@ class Ability
 
     def group_abilities(user, group)
       rules = []
-
       rules << :read_group if can_read_group?(user, group)
 
       # Only group masters and group owners can create new projects
@@ -478,6 +485,10 @@ class Ability
       rules
     end
 
+    def user_abilities
+      [:read_user]
+    end
+
     def abilities
       @abilities ||= begin
                        abilities = Six.new
@@ -492,6 +503,10 @@ class Ability
 
     private
 
+    def restricted_public_level?
+      current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)
+    end
+
     def named_abilities(name)
       [
         :"read_#{name}",

app/models/concerns/internal_id.rb

@@ -7,11 +7,13 @@ module InternalId
   end
 
   def set_iid
-    records = project.send(self.class.name.tableize)
-    records = records.with_deleted if self.paranoid?
-    max_iid = records.maximum(:iid)
+    if iid.blank?
+      records = project.send(self.class.name.tableize)
+      records = records.with_deleted if self.paranoid?
+      max_iid = records.maximum(:iid)
 
-    self.iid = max_iid.to_i + 1
+      self.iid = max_iid.to_i + 1
+    end
   end
 
   def to_param

app/models/hooks/project_hook.rb

@@ -27,8 +27,6 @@ class ProjectHook < WebHook
 
   belongs_to :project
 
-  scope :push_hooks, -> { where(push_events: true) }
-  scope :tag_push_hooks, -> { where(tag_push_events: true) }
   scope :issue_hooks, -> { where(issues_events: true) }
   scope :note_hooks, -> { where(note_events: true) }
   scope :merge_request_hooks, -> { where(merge_requests_events: true) }

app/models/hooks/system_hook.rb

@@ -21,4 +21,7 @@
 #
 
 class SystemHook < WebHook
+  def async_execute(data, hook_name)
+    Sidekiq::Client.enqueue(SystemHookWorker, id, data, hook_name)
+  end
 end

app/models/hooks/web_hook.rb

@@ -32,6 +32,9 @@ class WebHook < ActiveRecord::Base
   default_value_for :build_events, false
   default_value_for :enable_ssl_verification, true
 
+  scope :push_hooks, -> { where(push_events: true) }
+  scope :tag_push_hooks, -> { where(tag_push_events: true) }
+
   # HTTParty timeout
   default_timeout Gitlab.config.gitlab.webhook_timeout
 

app/models/project.rb

@@ -964,8 +964,8 @@ class Project < ActiveRecord::Base
     end
   end
 
-  def hook_attrs
-    {
+  def hook_attrs(backward: true)
+    attrs = {
       name: name,
       description: description,
       web_url: web_url,
@@ -976,12 +976,19 @@ class Project < ActiveRecord::Base
       visibility_level: visibility_level,
       path_with_namespace: path_with_namespace,
       default_branch: default_branch,
-      # Backward compatibility
-      homepage: web_url,
-      url: url_to_repo,
-      ssh_url: ssh_url_to_repo,
-      http_url: http_url_to_repo
     }
+
+    # Backward compatibility
+    if backward
+      attrs.merge!({
+                    homepage: web_url,
+                    url: url_to_repo,
+                    ssh_url: ssh_url_to_repo,
+                    http_url: http_url_to_repo
+                  })
+    end
+
+    attrs
   end
 
   # Reset events cache related to this project

app/services/git_push_service.rb

@@ -74,6 +74,7 @@ class GitPushService < BaseService
     mirror_update = @project.mirror? && @project.repository.up_to_date_with_upstream?(branch_name)
 
     EventCreateService.new.push(@project, current_user, build_push_data)
+    SystemHooksService.new.execute_hooks(build_push_data_system_hook.dup, :push_hooks)
     @project.execute_hooks(build_push_data.dup, :push_hooks)
     @project.execute_services(build_push_data.dup, :push_hooks)
 
@@ -152,6 +153,11 @@ class GitPushService < BaseService
       build(@project, current_user, params[:oldrev], params[:newrev], params[:ref], push_commits)
   end
 
+  def build_push_data_system_hook
+    @push_data_system ||= Gitlab::PushDataBuilder.
+      build(@project, current_user, params[:oldrev], params[:newrev], params[:ref], [])
+  end
+
   def push_to_existing_branch?
     # Return if this is not a push to a branch (e.g. new commits)
     Gitlab::Git.branch_ref?(params[:ref]) && !Gitlab::Git.blank_ref?(params[:oldrev])

app/services/git_tag_push_service.rb

-class GitTagPushService
-  attr_accessor :project, :user, :push_data
+class GitTagPushService < BaseService
+  attr_accessor :push_data
 
-  def execute(project, user, oldrev, newrev, ref, mirror_update: false)
+  def execute
     project.repository.before_push_tag
 
-    @project, @user = project, user
-    @push_data = build_push_data(oldrev, newrev, ref)
+    @push_data = build_push_data
 
-    EventCreateService.new.push(project, user, @push_data)
+    EventCreateService.new.push(project, current_user, @push_data)
+    SystemHooksService.new.execute_hooks(build_system_push_data.dup, :tag_push_hooks)
     project.execute_hooks(@push_data.dup, :tag_push_hooks)
     project.execute_services(@push_data.dup, :tag_push_hooks)
-    CreateCommitBuildsService.new.execute(project, @user, @push_data, mirror_update: mirror_update)
+    CreateCommitBuildsService.new.execute(
+      project,
+      current_user,
+      @push_data,
+      mirror_update: params[:mirror_update]
+    )
     ProjectCacheWorker.perform_async(project.id)
 
     true
@@ -18,14 +23,14 @@ class GitTagPushService
 
   private
 
-  def build_push_data(oldrev, newrev, ref)
+  def build_push_data
     commits = []
     message = nil
 
-    if !Gitlab::Git.blank_ref?(newrev)
-      tag_name = Gitlab::Git.ref_name(ref)
+    if !Gitlab::Git.blank_ref?(params[:newrev])
+      tag_name = Gitlab::Git.ref_name(params[:ref])
       tag = project.repository.find_tag(tag_name)
-      if tag && tag.target == newrev
+      if tag && tag.target == params[:newrev]
         commit = project.commit(tag.target)
         commits = [commit].compact
         message = tag.message
@@ -33,6 +38,11 @@ class GitTagPushService
     end
 
     Gitlab::PushDataBuilder.
-      build(project, user, oldrev, newrev, ref, commits, message)
+      build(project, current_user, params[:oldrev], params[:newrev], params[:ref], commits, message)
+  end
+
+  def build_system_push_data
+    Gitlab::PushDataBuilder.
+      build(project, current_user, params[:oldrev], params[:newrev], params[:ref], [], '')
   end
 end

app/services/projects/update_mirror_service.rb

@@ -75,7 +75,16 @@ module Projects
 
         next if old_tag_target == tag.target
 
-        GitTagPushService.new.execute(project, current_user, old_tag_target, tag.target, "#{Gitlab::Git::TAG_REF_PREFIX}#{tag.name}", mirror_update: true)
+        GitTagPushService.new(
+          project,
+          current_user,
+          {
+            oldrev: old_tag_target,
+            newrev: tag.target,
+            ref: "#{Gitlab::Git::TAG_REF_PREFIX}#{tag.name}",
+            mirror_update: true
+          }
+        ).execute
       end
 
       fetch_result

app/services/system_hooks_service.rb

@@ -3,17 +3,13 @@ class SystemHooksService
     execute_hooks(build_event_data(model, event))
   end
 
-  private
-
-  def execute_hooks(data)
-    SystemHook.all.each do |sh|
-      async_execute_hook(sh, data, 'system_hooks')
+  def execute_hooks(data, hooks_scope = :all)
+    SystemHook.send(hooks_scope).each do |hook|
+      hook.async_execute(data, 'system_hooks')
     end
   end
 
-  def async_execute_hook(hook, data, hook_name)
-    Sidekiq::Client.enqueue(SystemHookWorker, hook.id, data, hook_name)
-  end
+  private
 
   def build_event_data(model, event)
     data = {

app/views/admin/application_settings/_form.html.haml

@@ -26,7 +26,9 @@
         .btn-group{ data: data_attrs }
           - restricted_level_checkboxes('restricted-visibility-help').each do |level|
             = level
-        %span.help-block#restricted-visibility-help Selected levels cannot be used by non-admin users for projects or snippets
+        %span.help-block#restricted-visibility-help
+          Selected levels cannot be used by non-admin users for projects or snippets.
+          If the public level is restricted, user profiles are only visible to logged in users.
     .form-group
       = f.label :import_sources, class: 'control-label col-sm-2'
       .col-sm-10
@@ -166,7 +168,11 @@
           = f.label :shared_runners_enabled do
             = f.check_box :shared_runners_enabled
             Enable shared runners for new projects
-
+    .form-group
+      = f.label :shared_runners_text, class: 'control-label col-sm-2'
+      .col-sm-10
+        = f.text_area :shared_runners_text, class: 'form-control', rows: 4
+        .help-block Markdown enabled
     .form-group
       = f.label :max_artifacts_size, 'Maximum artifacts size (MB)', class: 'control-label col-sm-2'
       .col-sm-10

app/views/admin/hooks/index.html.haml

@@ -16,6 +16,27 @@
     = f.label :url, "URL:", class: 'control-label'
     .col-sm-10
       = f.text_field :url, class: "form-control"
+  .form-group
+    = f.label :url, "Trigger", class: 'control-label'
+    .col-sm-10.prepend-top-10
+      %div
+        System hook will be triggered on set of events like creating project
+        or adding ssh key. But you can also enable extra triggers like Push events.
+
+      %div.prepend-top-default
+        = f.check_box :push_events, class: 'pull-left'
+        .prepend-left-20
+          = f.label :push_events, class: 'list-label' do
+            %strong Push events
+          %p.light
+            This url will be triggered by a push to the repository
+      %div
+        = f.check_box :tag_push_events, class: 'pull-left'
+        .prepend-left-20
+          = f.label :tag_push_events, class: 'list-label' do
+            %strong Tag push events
+          %p.light
+            This url will be triggered when a new tag is pushed to the repository
   .form-group
     = f.label :enable_ssl_verification, "SSL verification", class: 'control-label checkbox'
     .col-sm-10
@@ -31,13 +52,16 @@
   .panel.panel-default
     .panel-heading
       System hooks (#{@hooks.count})
-    %ul.well-list
+    %ul.content-list
       - @hooks.each do |hook|
         %li
-          .list-item-name
-            %strong= hook.url
-            %p SSL Verification: #{hook.enable_ssl_verification ? "enabled" : "disabled"}
-
-          .pull-right
+          .controls
             = link_to 'Test Hook', admin_hook_test_path(hook), class: "btn btn-sm"
             = link_to 'Remove', admin_hook_path(hook), data: { confirm: 'Are you sure?' }, method: :delete, class: "btn btn-remove btn-sm"
+          .monospace= hook.url
+          %div
+            - %w(push_events tag_push_events issues_events note_events merge_requests_events build_events).each do |trigger|
+              - if hook.send(trigger)
+                %span.label.label-gray= trigger.titleize
+            %span.label.label-gray SSL Verification: #{hook.enable_ssl_verification ? "enabled" : "disabled"}
+

app/views/projects/merge_requests/_show.html.haml

@@ -31,7 +31,8 @@
         %span Request to merge
         %span.label-branch= source_branch_with_namespace(@merge_request)
         %span into
-        = link_to @merge_request.target_branch, namespace_project_commits_path(@project.namespace, @project, @merge_request.target_branch), class: "label-branch"
+        %span.label-branch
+          = link_to @merge_request.target_branch, namespace_project_commits_path(@project.namespace, @project, @merge_request.target_branch)
         - if @merge_request.open? && @merge_request.diverged_from_target_branch?
           %span (#{pluralize(@merge_request.diverged_commits_count, 'commit')} behind)
 

app/views/projects/runners/_shared_runners.html.haml

 %h3 Shared runners
 
-.bs-callout.bs-callout-warning
-  GitLab Runners do not offer secure isolation between projects that they do builds for. You are TRUSTING all GitLab users who can push code to project A, B or C to run shell scripts on the machine hosting runner X.
+.bs-callout.bs-callout-warning.shared-runners-description
+  - if shared_runners_text.present?
+    = markdown(shared_runners_text, pipeline: 'plain_markdown')
+  - else
+    GitLab Runners do not offer secure isolation between projects that they do builds for. You are TRUSTING all GitLab users who can push code to project A, B or C to run shell scripts on the machine hosting runner X.
   %hr
   - if @project.shared_runners_enabled?
     = link_to toggle_shared_runners_namespace_project_runners_path(@project.namespace, @project), class: 'btn btn-warning', method: :post do

app/views/repository_check_mailer/notify.html.haml

@@ -3,3 +3,6 @@
 
 %p
   = link_to "See the affected projects in the GitLab admin panel", admin_namespaces_projects_url(last_repository_check_failed: 1)
+
+%p
+  You are receiving this message because you are a GitLab administrator for #{Gitlab.config.gitlab.url}.

app/views/repository_check_mailer/notify.text.haml

 #{@message}.
 \
 View details: #{admin_namespaces_projects_url(last_repository_check_failed: 1)}
+
+You are receiving this message because you are a GitLab administrator
+for #{Gitlab.config.gitlab.url}.

app/views/shared/web_hooks/_form.html.haml

@@ -77,18 +77,16 @@
   .panel.panel-default
     .panel-heading
       Webhooks (#{hooks.count})
-    %ul.well-list
-      - hook_types = %w(push_events tag_push_events note_events issues_events merge_requests_events build_events)
-
+    %ul.content-list
       - hooks.each do |hook|
         %li
-          .pull-right
+          .controls
             = link_to 'Test Hook', polymorphic_path(url_components + [hook], action: :test), class: "btn btn-sm btn-grouped"
             = link_to 'Remove', polymorphic_path(url_components + [hook]), data: { confirm: 'Are you sure?'}, method: :delete, class: "btn btn-remove btn-sm btn-grouped"
-          .clearfix
-            %span.monospace= hook.url
           %p
-            - hook_types.each do |hook_type|
+          .monospace= hook.url
+          %div
+            - %w(push_events tag_push_events issues_events note_events merge_requests_events build_events).each do |hook_type|
               - if hook.send(hook_type)
                 %span.label.label-gray= hook_type.titleize
-            SSL Verification: #{hook.enable_ssl_verification ? "enabled" : "disabled"}
+            %span.label.label-gray SSL Verification: #{hook.enable_ssl_verification ? "enabled" : "disabled"}

app/workers/post_receive.rb

@@ -45,7 +45,7 @@ class PostReceive
       end
 
       if Gitlab::Git.tag_ref?(ref)
-        GitTagPushService.new.execute(post_received.project, @user, oldrev, newrev, ref)
+        GitTagPushService.new(post_received.project, @user, oldrev: oldrev, newrev: newrev, ref: ref).execute
       elsif Gitlab::Git.branch_ref?(ref)
         GitPushService.new(post_received.project, @user, oldrev: oldrev, newrev: newrev, ref: ref).execute
       end

app/workers/repository_check/single_repository_worker.rb

@@ -15,10 +15,10 @@ module RepositoryCheck
     private
   
     def check(project)
+      repositories = [project.repository]
+      repositories << project.wiki.repository if project.wiki_enabled?
       # Use 'map do', not 'all? do', to prevent short-circuiting
-      [project.repository, project.wiki.repository].map do |repository|
-        git_fsck(repository.path_to_repo)
-      end.all?
+      repositories.map { |repository| git_fsck(repository.path_to_repo) }.all?
     end
   
     def git_fsck(path)

db/migrate/20140502125220_migrate_repo_size.rb

 class MigrateRepoSize < ActiveRecord::Migration
   def up
-    Project.reset_column_information
-    Project.find_each(batch_size: 500) do |project|
+    project_data = execute('SELECT projects.id, namespaces.path AS namespace_path, projects.path AS project_path FROM projects LEFT JOIN namespaces ON projects.namespace_id = namespaces.id')
+
+    project_data.each do |project|
+      id = project['id']
+      namespace_path = project['namespace_path'] || ''
+      path = File.join(Gitlab.config.gitlab_shell.repos_path, namespace_path, project['project_path'] + '.git')
+
       begin
-        if project.empty_repo?
+        repo = Gitlab::Git::Repository.new(path)
+        if repo.empty?
           print '-'
         else
-          project.update_repository_size
+          size = repo.size
           print '.'
+          execute("UPDATE projects SET repository_size = #{size} WHERE id = #{id}")
         end
-      rescue
-        print 'F'
+      rescue => e
+        puts "\nFailed to update project #{id}: #{e}"
       end
     end
-    puts 'Done'
+    puts "\nDone"
   end
 
   def down

db/migrate/20160415133440_add_shared_runners_text_to_application_settings.rb

+class AddSharedRunnersTextToApplicationSettings < ActiveRecord::Migration
+  def change
+    add_column :application_settings, :shared_runners_text, :text
+  end
+end

db/schema.rb

@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20160414064845) do
+ActiveRecord::Schema.define(version: 20160415133440) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
@@ -81,6 +81,7 @@ ActiveRecord::Schema.define(version: 20160414064845) do
     t.boolean  "email_author_in_body",              default: false
     t.integer  "default_group_visibility"
     t.boolean  "repository_checks_enabled",         default: true
+    t.text     "shared_runners_text"
   end
 
   create_table "approvals", force: :cascade do |t|

doc/ci/runners/README.md

@@ -7,6 +7,10 @@ through the coordinator API of GitLab CI.
 A runner can be specific to a certain project or serve any project
 in GitLab CI. A runner that serves all projects is called a shared runner.
 
+Ideally, GitLab Runner should not be installed on the same machine as GitLab.
+Read the [requirements documentation](../../install/requirements.md#gitlab-runner)
+for more information.
+
 ## Shared vs. Specific Runners
 
 A runner that is specific only runs for the specified project. A shared runner
@@ -140,7 +144,7 @@ to it. This means that if you have shared runners setup for a project and
 someone forks that project, the shared runners will also serve jobs of this
 project.
 
-# Attack vectors in runners
+## Attack vectors in Runners
 
 Mentioned briefly earlier, but the following things of runners can be exploited.
 We're always looking for contributions that can mitigate these [Security Considerations](https://gitlab.com/gitlab-org/gitlab-ci-multi-runner/blob/master/docs/security/index.md).

doc/ci/yaml/README.md

@@ -15,6 +15,7 @@ If you want a quick introduction to GitLab CI, follow our
 - [.gitlab-ci.yml](#gitlab-ci-yml)
     - [image and services](#image-and-services)
     - [before_script](#before_script)
+    - [after_script](#after_script)
     - [stages](#stages)
     - [types](#types)
     - [variables](#variables)
@@ -30,6 +31,7 @@ If you want a quick introduction to GitLab CI, follow our
     - [artifacts](#artifacts)
         - [artifacts:name](#artifacts-name)
     - [dependencies](#dependencies)
+    - [before_script and after_script](#before_script-and-after_script)
 - [Hidden jobs](#hidden-jobs)
 - [Special YAML features](#special-yaml-features)
     - [Anchors](#anchors)
@@ -81,6 +83,9 @@ services:
 before_script:
   - bundle install
 
+after_script:
+  - rm secrets
+
 stages:
   - build
   - test
@@ -105,6 +110,7 @@ There are a few reserved `keywords` that **cannot** be used as job names:
 | stages        | no | Define build stages |
 | types         | no | Alias for `stages` |
 | before_script | no | Define commands that run before each job's script |
+| after_script  | no | Define commands that run after each job's script |
 | variables     | no | Define build variables |
 | cache         | no | Define list of files that should be cached between subsequent runs |
 
@@ -119,6 +125,14 @@ used for time of the build. The configuration of this feature is covered in
 `before_script` is used to define the command that should be run before all
 builds, including deploy builds. This can be an array or a multi-line string.
 
+### after_script
+
+>**Note:**
+Introduced in GitLab 8.7 and GitLab Runner v1.2.
+
+`after_script` is used to define the command that will be run after for all
+builds. This has to be an array or a multi-line string.
+
 ### stages
 
 `stages` is used to define build stages that can be used by jobs.
@@ -336,6 +350,8 @@ job_name:
 | dependencies  | no | Define other builds that a build depends on so that you can pass artifacts between them|
 | artifacts     | no | Define list build artifacts |
 | cache         | no | Define list of files that should be cached between subsequent runs |
+| before_script | no | Override a set of commands that are executed before build |
+| after_script  | no | Override a set of commands that are executed after build |
 
 ### script
 
@@ -692,6 +708,23 @@ deploy:
   script: make deploy
 ```
 
+### before_script and after_script
+
+It's possible to overwrite globally defined `before_script` and `after_script`:
+
+```yaml
+before_script
+- global before script
+
+job:
+  before_script:
+  - execute this instead of global before script
+  script:
+  - my command
+  after_script:
+  - execute this after my script
+```
+
 ## Hidden jobs
 
 >**Note:**

doc/install/requirements.md

@@ -79,6 +79,26 @@ With less memory GitLab will give strange errors during the reconfigure run and
 
 Notice: The 25 workers of Sidekiq will show up as separate processes in your process overview (such as top or htop) but they share the same RAM allocation since Sidekiq is a multithreaded application. Please see the section below about Unicorn workers for information about many you need of those.
 
+## Gitlab Runner
+
+We strongly advise against installing GitLab Runner on the same machine you plan
+to install GitLab on. Depending on how you decide to configure GitLab Runner and
+what tools you use to exercise your application in the CI environment, GitLab
+Runner can consume significant amount of available memory.
+
+Memory consumption calculations, that are available above, will not be valid if
+you decide to run GitLab Runner and the GitLab Rails application on the same
+machine.
+
+It is also not safe to install everything on a single machine, because of the
+[security reasons] - especially when you plan to use shell executor with GitLab
+Runner.
+
+We recommend using a separate machine for each GitLab Runner, if you plan to
+use the CI features.
+
+[security reasons]: https://gitlab.com/gitlab-org/gitlab-ci-multi-runner/blob/master/docs/security/index.md
+
 ## Unicorn Workers
 
 It's possible to increase the amount of unicorn workers and this will usually help for to reduce the response time of the applications and increase the ability to handle parallel requests.

doc/public_access/public_access.md

@@ -58,6 +58,9 @@ you are logged in or not.
 When visiting the public page of a user, you can only see the projects which
 you are privileged to.
 
+If the public level is restricted, user profiles are only visible to logged in users.
+
+
 ## Restricting the use of public or internal projects
 
 In the Admin area under **Settings** (`/admin/application_settings`), you can

doc/system_hooks/system_hooks.md

@@ -4,6 +4,12 @@ Your GitLab instance can perform HTTP POST requests on the following events: `pr
 
 System hooks can be used, e.g. for logging or changing information in a LDAP server.
 
+> **Note:**
+>
+> We follow the same structure from Webhooks for Push and Tag events, but we never display commits.
+>
+> Same deprecations from Webhooks are valid here.
+
 ## Hooks request example
 
 **Request header**:
@@ -240,3 +246,110 @@ X-Gitlab-Event: System Hook
        "user_id": 41
 }
 ```
+
+## Push events
+
+Triggered when you push to the repository except when pushing tags.
+
+**Request header**:
+
+```
+X-Gitlab-Event: System Hook
+```
+
+**Request body:**
+
+```json
+{
+  "event_name": "push",
+  "before": "95790bf891e76fee5e1747ab589903a6a1f80f22",
+  "after": "da1560886d4f094c3e6c9ef40349f7d38b5d27d7",
+  "ref": "refs/heads/master",
+  "checkout_sha": "da1560886d4f094c3e6c9ef40349f7d38b5d27d7",
+  "user_id": 4,
+  "user_name": "John Smith",
+  "user_email": "john@example.com",
+  "user_avatar": "https://s.gravatar.com/avatar/d4c74594d841139328695756648b6bd6?s=8://s.gravatar.com/avatar/d4c74594d841139328695756648b6bd6?s=80",
+  "project_id": 15,
+  "project":{
+    "name":"Diaspora",
+    "description":"",
+    "web_url":"http://example.com/mike/diaspora",
+    "avatar_url":null,
+    "git_ssh_url":"git@example.com:mike/diaspora.git",
+    "git_http_url":"http://example.com/mike/diaspora.git",
+    "namespace":"Mike",
+    "visibility_level":0,
+    "path_with_namespace":"mike/diaspora",
+    "default_branch":"master",
+    "homepage":"http://example.com/mike/diaspora",
+    "url":"git@example.com:mike/diaspora.git",
+    "ssh_url":"git@example.com:mike/diaspora.git",
+    "http_url":"http://example.com/mike/diaspora.git"
+  },
+  "repository":{
+    "name": "Diaspora",
+    "url": "git@example.com:mike/diaspora.git",
+    "description": "",
+    "homepage": "http://example.com/mike/diaspora",
+    "git_http_url":"http://example.com/mike/diaspora.git",
+    "git_ssh_url":"git@example.com:mike/diaspora.git",
+    "visibility_level":0
+  },
+  "commits": [],
+  "total_commits_count": 0
+}
+```
+
+## Tag events
+
+Triggered when you create (or delete) tags to the repository.
+
+**Request header**:
+
+```
+X-Gitlab-Event: System Hook
+```
+
+**Request body:**
+
+```json
+{
+  "event_name": "tag_push",
+  "before": "0000000000000000000000000000000000000000",
+  "after": "82b3d5ae55f7080f1e6022629cdb57bfae7cccc7",
+  "ref": "refs/tags/v1.0.0",
+  "checkout_sha": "5937ac0a7beb003549fc5fd26fc247adbce4a52e",
+  "user_id": 1,
+  "user_name": "John Smith",
+  "user_avatar": "https://s.gravatar.com/avatar/d4c74594d841139328695756648b6bd6?s=8://s.gravatar.com/avatar/d4c74594d841139328695756648b6bd6?s=80",
+  "project_id": 1,
+  "project":{
+    "name":"Example",
+    "description":"",
+    "web_url":"http://example.com/jsmith/example",
+    "avatar_url":null,
+    "git_ssh_url":"git@example.com:jsmith/example.git",
+    "git_http_url":"http://example.com/jsmith/example.git",
+    "namespace":"Jsmith",
+    "visibility_level":0,
+    "path_with_namespace":"jsmith/example",
+    "default_branch":"master",
+    "homepage":"http://example.com/jsmith/example",
+    "url":"git@example.com:jsmith/example.git",
+    "ssh_url":"git@example.com:jsmith/example.git",
+    "http_url":"http://example.com/jsmith/example.git"
+  },
+  "repository":{
+    "name": "Example",
+    "url": "ssh://git@example.com/jsmith/example.git",
+    "description": "",
+    "homepage": "http://example.com/jsmith/example",
+    "git_http_url":"http://example.com/jsmith/example.git",
+    "git_ssh_url":"git@example.com:jsmith/example.git",
+    "visibility_level":0
+  },
+  "commits": [],
+  "total_commits_count": 0
+}
+```

doc/web_hooks/web_hooks.md

@@ -44,6 +44,7 @@ X-Gitlab-Event: Push Hook
   "before": "95790bf891e76fee5e1747ab589903a6a1f80f22",
   "after": "da1560886d4f094c3e6c9ef40349f7d38b5d27d7",
   "ref": "refs/heads/master",
+  "checkout_sha": "da1560886d4f094c3e6c9ef40349f7d38b5d27d7",
   "user_id": 4,
   "user_name": "John Smith",
   "user_email": "john@example.com",
@@ -121,9 +122,10 @@ X-Gitlab-Event: Tag Push Hook
 ```json
 {
   "object_kind": "tag_push",
-  "ref": "refs/tags/v1.0.0",
   "before": "0000000000000000000000000000000000000000",
   "after": "82b3d5ae55f7080f1e6022629cdb57bfae7cccc7",
+  "ref": "refs/tags/v1.0.0",
+  "checkout_sha": "82b3d5ae55f7080f1e6022629cdb57bfae7cccc7",
   "user_id": 1,
   "user_name": "John Smith",
   "user_avatar": "https://s.gravatar.com/avatar/d4c74594d841139328695756648b6bd6?s=8://s.gravatar.com/avatar/d4c74594d841139328695756648b6bd6?s=80",

lib/api/internal.rb

@@ -23,6 +23,8 @@ module API
       end
 
       post "/allowed" do
+        Gitlab::Metrics.tag_transaction('action', 'Grape#/internal/allowed')
+
         status 200
 
         actor =

lib/api/users.rb

@@ -11,6 +11,10 @@ module API
       #  GET /users?search=Admin
       #  GET /users?username=root
       get do
+        unless can?(current_user, :read_users_list, nil)
+          render_api_error!("Not authorized.", 403)
+        end
+
         if params[:username].present?
           @users = User.where(username: params[:username])
         else
@@ -38,10 +42,12 @@ module API
       get ":id" do
         @user = User.find(params[:id])
 
-        if current_user.is_admin?
+        if current_user && current_user.is_admin?
           present @user, with: Entities::UserFull
-        else
+        elsif can?(current_user, :read_user, @user)
           present @user, with: Entities::User
+        else
+          render_api_error!("User not found.", 404)
         end
       end
 

lib/ci/gitlab_ci_yaml_processor.rb

@@ -4,12 +4,12 @@ module Ci
 
     DEFAULT_STAGES = %w(build test deploy)
     DEFAULT_STAGE = 'test'
-    ALLOWED_YAML_KEYS = [:before_script, :image, :services, :types, :stages, :variables, :cache]
+    ALLOWED_YAML_KEYS = [:before_script, :after_script, :image, :services, :types, :stages, :variables, :cache]
     ALLOWED_JOB_KEYS = [:tags, :script, :only, :except, :type, :image, :services,
                         :allow_failure, :type, :stage, :when, :artifacts, :cache,
-                        :dependencies, :variables]
+                        :dependencies, :before_script, :after_script, :variables]
 
-    attr_reader :before_script, :image, :services, :path, :cache
+    attr_reader :before_script, :after_script, :image, :services, :path, :cache
 
     def initialize(config, path = nil)
       @config = YAML.safe_load(config, [Symbol], [], true)
@@ -55,6 +55,7 @@ module Ci
 
     def initial_parsing
       @before_script = @config[:before_script] || []
+      @after_script = @config[:after_script]
       @image = @config[:image]
       @services = @config[:services]
       @stages = @config[:stages] || @config[:types]
@@ -83,7 +84,7 @@ module Ci
       {
         stage_idx: stages.index(job[:stage]),
         stage: job[:stage],
-        commands: "#{@before_script.join("\n")}\n#{normalize_script(job[:script])}",
+        commands: [job[:before_script] || @before_script, job[:script]].flatten.join("\n"),
         tag_list: job[:tags] || [],
         name: name,
         only: job[:only],
@@ -96,23 +97,32 @@ module Ci
           artifacts: job[:artifacts],
           cache: job[:cache] || @cache,
           dependencies: job[:dependencies],
+          after_script: job[:after_script] || @after_script,
         }.compact
       }
     end
 
-    def normalize_script(script)
-      if script.is_a? Array
-        script.join("\n")
-      else
-        script
+    def validate!
+      validate_global!
+
+      @jobs.each do |name, job|
+        validate_job!(name, job)
       end
+
+      true
     end
 
-    def validate!
+    private
+
+    def validate_global!
       unless validate_array_of_strings(@before_script)
         raise ValidationError, "before_script should be an array of strings"
       end
 
+      unless @after_script.nil? || validate_array_of_strings(@after_script)
+        raise ValidationError, "after_script should be an array of strings"
+      end
+
       unless @image.nil? || @image.is_a?(String)
         raise ValidationError, "image should be a string"
       end
@@ -129,31 +139,28 @@ module Ci
         raise ValidationError, "variables should be a map of key-value strings"
       end
 
-      if @cache
-        if @cache[:key] && !validate_string(@cache[:key])
-          raise ValidationError, "cache:key parameter should be a string"
-        end
-
-        if @cache[:untracked] && !validate_boolean(@cache[:untracked])
-          raise ValidationError, "cache:untracked parameter should be an boolean"
-        end
+      validate_global_cache! if @cache
+    end
 
-        if @cache[:paths] && !validate_array_of_strings(@cache[:paths])
-          raise ValidationError, "cache:paths parameter should be an array of strings"
-        end
+    def validate_global_cache!
+      if @cache[:key] && !validate_string(@cache[:key])
+        raise ValidationError, "cache:key parameter should be a string"
       end
 
-      @jobs.each do |name, job|
-        validate_job!(name, job)
+      if @cache[:untracked] && !validate_boolean(@cache[:untracked])
+        raise ValidationError, "cache:untracked parameter should be an boolean"
       end
 
-      true
+      if @cache[:paths] && !validate_array_of_strings(@cache[:paths])
+        raise ValidationError, "cache:paths parameter should be an array of strings"
+      end
     end
 
     def validate_job!(name, job)
       validate_job_name!(name)
       validate_job_keys!(name, job)
       validate_job_types!(name, job)
+      validate_job_script!(name, job)
 
       validate_job_stage!(name, job) if job[:stage]
       validate_job_variables!(name, job) if job[:variables]
@@ -162,8 +169,6 @@ module Ci
       validate_job_dependencies!(name, job) if job[:dependencies]
     end
 
-    private
-
     def validate_job_name!(name)
       if name.blank? || !validate_string(name)
         raise ValidationError, "job name should be non-empty string"
@@ -179,10 +184,6 @@ module Ci
     end
 
     def validate_job_types!(name, job)
-      if !validate_string(job[:script]) && !validate_array_of_strings(job[:script])
-        raise ValidationError, "#{name} job: script should be a string or an array of a strings"
-      end
-
       if job[:image] && !validate_string(job[:image])
         raise ValidationError, "#{name} job: image should be a string"
       end
@@ -212,6 +213,20 @@ module Ci
       end
     end
 
+    def validate_job_script!(name, job)
+      if !validate_string(job[:script]) && !validate_array_of_strings(job[:script])
+        raise ValidationError, "#{name} job: script should be a string or an array of a strings"
+      end
+
+      if job[:before_script] && !validate_array_of_strings(job[:before_script])
+        raise ValidationError, "#{name} job: before_script should be an array of strings"
+      end
+
+      if job[:after_script] && !validate_array_of_strings(job[:after_script])
+        raise ValidationError, "#{name} job: after_script should be an array of strings"
+      end
+    end
+
     def validate_job_stage!(name, job)
       unless job[:stage].is_a?(String) && job[:stage].in?(stages)
         raise ValidationError, "#{name} job: stage parameter should be #{stages.join(", ")}"

lib/gitlab/github_import/importer.rb

@@ -16,7 +16,8 @@ module Gitlab
       end
 
       def execute
-        import_issues && import_pull_requests && import_wiki
+        import_labels && import_milestones && import_issues &&
+          import_pull_requests && import_wiki
       end
 
       private
@@ -25,6 +26,26 @@ module Gitlab
         @import_data_credentials ||= project.import_data.credentials if project.import_data
       end
 
+      def import_labels
+        client.labels(project.import_source).each do |raw_data|
+          Label.create!(LabelFormatter.new(project, raw_data).attributes)
+        end
+
+        true
+      rescue ActiveRecord::RecordInvalid => e
+        raise Projects::ImportService::Error, e.message
+      end
+
+      def import_milestones
+        client.list_milestones(project.import_source, state: :all).each do |raw_data|
+          Milestone.create!(MilestoneFormatter.new(project, raw_data).attributes)
+        end
+
+        true
+      rescue ActiveRecord::RecordInvalid => e
+        raise Projects::ImportService::Error, e.message
+      end
+
       def import_issues
         client.list_issues(project.import_source, state: :all,
                                                   sort: :created,
@@ -33,6 +54,7 @@ module Gitlab
 
           if gh_issue.valid?
             issue = Issue.create!(gh_issue.attributes)
+            apply_labels(gh_issue.number, issue)
 
             if gh_issue.has_comments?
               import_comments(gh_issue.number, issue)
@@ -55,6 +77,7 @@ module Gitlab
             merge_request = MergeRequest.new(pull_request.attributes)
 
             if merge_request.save
+              apply_labels(pull_request.number, merge_request)
               import_comments(pull_request.number, merge_request)
               import_comments_on_diff(pull_request.number, merge_request)
             end
@@ -66,6 +89,18 @@ module Gitlab
         raise Projects::ImportService::Error, e.message
       end
 
+      def apply_labels(number, issuable)
+        issue = client.issue(project.import_source, number)
+
+        if issue.labels.count > 0
+          label_ids = issue.labels.map do |raw|
+            Label.find_by(LabelFormatter.new(project, raw).attributes).try(:id)
+          end
+
+          issuable.update_attribute(:label_ids, label_ids)
+        end
+      end
+
       def import_comments(issue_number, noteable)
         comments = client.issue_comments(project.import_source, issue_number)
         create_comments(comments, noteable)

lib/gitlab/github_import/issue_formatter.rb

@@ -3,7 +3,9 @@ module Gitlab
     class IssueFormatter < BaseFormatter
       def attributes
         {
+          iid: number,
           project: project,
+          milestone: milestone,
           title: raw_data.title,
           description: description,
           state: state,
@@ -54,6 +56,12 @@ module Gitlab
         @formatter.author_line(author) + body
       end
 
+      def milestone
+        if raw_data.milestone.present?
+          project.milestones.find_by(iid: raw_data.milestone.number)
+        end
+      end
+
       def state
         raw_data.state == 'closed' ? 'closed' : 'opened'
       end

lib/gitlab/github_import/label_formatter.rb

+module Gitlab
+  module GithubImport
+    class LabelFormatter < BaseFormatter
+      def attributes
+        {
+          project: project,
+          title: title,
+          color: color
+        }
+      end
+
+      private
+
+      def color
+        "##{raw_data.color}"
+      end
+
+      def title
+        raw_data.name
+      end
+    end
+  end
+end

lib/gitlab/github_import/milestone_formatter.rb

+module Gitlab
+  module GithubImport
+    class MilestoneFormatter < BaseFormatter
+      def attributes
+        {
+          iid: number,
+          project: project,
+          title: title,
+          description: description,
+          due_date: due_date,
+          state: state,
+          created_at: created_at,
+          updated_at: updated_at
+        }
+      end
+
+      private
+
+      def number
+        raw_data.number
+      end
+
+      def title
+        raw_data.title
+      end
+
+      def description
+        raw_data.description
+      end
+
+      def due_date
+        raw_data.due_on
+      end
+
+      def state
+        raw_data.state == 'closed' ? 'closed' : 'active'
+      end
+
+      def created_at
+        raw_data.created_at
+      end
+
+      def updated_at
+        state == 'closed' ? raw_data.closed_at : raw_data.updated_at
+      end
+    end
+  end
+end

lib/gitlab/github_import/pull_request_formatter.rb

@@ -3,6 +3,7 @@ module Gitlab
     class PullRequestFormatter < BaseFormatter
       def attributes
         {
+          iid: number,
           title: raw_data.title,
           description: description,
           source_project: source_project,
@@ -10,6 +11,7 @@ module Gitlab
           target_project: target_project,
           target_branch: target_branch.name,
           state: state,
+          milestone: milestone,
           author_id: author_id,
           assignee_id: assignee_id,
           created_at: raw_data.created_at,
@@ -57,6 +59,12 @@ module Gitlab
         formatter.author_line(author) + body
       end
 
+      def milestone
+        if raw_data.milestone.present?
+          project.milestones.find_by(iid: raw_data.milestone.number)
+        end
+      end
+
       def source_project
         project
       end

lib/gitlab/push_data_builder.rb

@@ -36,11 +36,12 @@ module Gitlab
           commit.hook_attrs(with_changed_files: true)
         end
 
-        type = Gitlab::Git.tag_ref?(ref) ? "tag_push" : "push"
+        type = Gitlab::Git.tag_ref?(ref) ? 'tag_push' : 'push'
 
         # Hash to be passed as post_receive_data
         data = {
           object_kind: type,
+          event_name: type,
           before: oldrev,
           after: newrev,
           ref: ref,

scripts/prepare_build.sh

@@ -11,7 +11,7 @@ retry() {
     return 1
 }
 
-if [ -f /.dockerinit ]; then
+if [ -f /.dockerenv ] || [ -f ./dockerinit ]; then
     mkdir -p vendor
 
     # Install phantomjs package

spec/controllers/groups/group_members_controller_spec.rb

+require 'spec_helper'
+
+describe Groups::GroupMembersController do
+  let(:user)  { create(:user) }
+  let(:group) { create(:group) }
+
+  context "index" do
+    before do
+      group.add_owner(user)
+      stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+    end
+
+    it 'renders index with group members' do
+      get :index, group_id: group.path
+
+      expect(response.status).to eq(200)
+      expect(response).to render_template(:index)
+    end
+  end
+end

spec/controllers/projects/group_links_controller_spec.rb

+require 'spec_helper'
+
+describe Projects::GroupLinksController do
+  let(:project) { create(:project, :private) }
+  let(:group) { create(:group, :private) }
+  let(:user) { create(:user) }
+
+  before do
+    project.team << [user, :master]
+    sign_in(user)
+  end
+
+  describe '#create' do
+    shared_context 'link project to group' do
+      before do
+        post(:create, namespace_id: project.namespace.to_param,
+                      project_id: project.to_param,
+                      link_group_id: group.id,
+                      link_group_access: ProjectGroupLink.default_access)
+      end
+    end
+
+    context 'when user has access to group he want to link project to' do
+      before { group.add_developer(user) }
+      include_context 'link project to group'
+
+      it 'links project with selected group' do
+        expect(group.shared_projects).to include project
+      end
+
+      it 'redirects to project group links page'do
+        expect(response).to redirect_to(
+          namespace_project_group_links_path(project.namespace, project)
+        )
+      end
+    end
+
+    context 'when user doers not have access to group he want to link to' do
+      include_context 'link project to group'
+
+      it 'renders 404' do
+        expect(response.status).to eq 404
+      end
+
+      it 'does not share project with that group' do
+        expect(group.shared_projects).to_not include project
+      end
+    end
+  end
+end

spec/controllers/users_controller_spec.rb

@@ -33,7 +33,30 @@ describe UsersController do
         it 'renders the show template' do
           get :show, username: user.username
 
-          expect(response).to be_success
+          expect(response.status).to eq(200)
+          expect(response).to render_template('show')
+        end
+      end
+    end
+
+    context 'when public visibility level is restricted' do
+      before do
+        stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+      end
+
+      context 'when logged out' do
+        it 'renders 404' do
+          get :show, username: user.username
+          expect(response.status).to eq(404)
+        end
+      end
+
+      context 'when logged in' do
+        before { sign_in(user) }
+
+        it 'renders show' do
+          get :show, username: user.username
+          expect(response.status).to eq(200)
           expect(response).to render_template('show')
         end
       end

spec/features/runners_spec.rb

@@ -80,6 +80,22 @@ describe "Runners" do
     end
   end
 
+  describe "shared runners description" do
+    let(:shared_runners_text) { 'custom **shared** runners description' }
+    let(:shared_runners_html) { 'custom shared runners description' }
+
+    before do
+      stub_application_setting(shared_runners_text: shared_runners_text)
+      project = FactoryGirl.create :empty_project, shared_runners_enabled: false
+      project.team << [user, :master]
+      visit runners_path(project)
+    end
+
+    it "sees shared runners description" do
+      expect(page.find(".shared-runners-description")).to have_content(shared_runners_html)
+    end
+  end
+
   describe "show page" do
     before do
       @project = FactoryGirl.create :empty_project

spec/lib/ci/gitlab_ci_yaml_processor_spec.rb

@@ -286,6 +286,81 @@ module Ci
       end
 
     end
+    
+    describe "Scripts handling" do
+      let(:config_data) { YAML.dump(config) }
+      let(:config_processor) { GitlabCiYamlProcessor.new(config_data, path) }
+      
+      subject { config_processor.builds_for_stage_and_ref("test", "master").first }
+      
+      describe "before_script" do
+        context "in global context" do
+          let(:config) do
+            {
+              before_script: ["global script"],
+              test: { script: ["script"] }
+            }
+          end
+          
+          it "return commands with scripts concencaced" do
+            expect(subject[:commands]).to eq("global script\nscript")
+          end
+        end
+ 
+        context "overwritten in local context" do
+          let(:config) do
+            {
+              before_script: ["global script"],
+              test: { before_script: ["local script"], script: ["script"] }
+            }
+          end
+
+          it "return commands with scripts concencaced" do
+            expect(subject[:commands]).to eq("local script\nscript")
+          end
+        end
+      end
+
+      describe "script" do
+        let(:config) do
+          {
+            test: { script: ["script"] }
+          }
+        end
+
+        it "return commands with scripts concencaced" do
+          expect(subject[:commands]).to eq("script")
+        end
+      end
+
+      describe "after_script" do
+        context "in global context" do
+          let(:config) do
+            {
+              after_script: ["after_script"],
+              test: { script: ["script"] }
+            }
+          end
+
+          it "return after_script in options" do
+            expect(subject[:options][:after_script]).to eq(["after_script"])
+          end
+        end
+
+        context "overwritten in local context" do
+          let(:config) do
+            {
+              after_script: ["local after_script"],
+              test: { after_script: ["local after_script"], script: ["script"] }
+            }
+          end
+
+          it "return after_script in options" do
+            expect(subject[:options][:after_script]).to eq(["local after_script"])
+          end
+        end
+      end
+    end
 
     describe "Image and service handling" do
       it "returns image and service when defined" do
@@ -592,7 +667,7 @@ module Ci
           stage_idx: 1,
           name: :normal_job,
           only: nil,
-          commands: "\ntest",
+          commands: "test",
           tag_list: [],
           options: {},
           when: "on_success",
@@ -619,7 +694,7 @@ EOT
           stage_idx: 1,
           name: :job1,
           only: nil,
-          commands: "\nexecute-script-for-job",
+          commands: "execute-script-for-job",
           tag_list: [],
           options: {},
           when: "on_success",
@@ -631,7 +706,7 @@ EOT
           stage_idx: 1,
           name: :job2,
           only: nil,
-          commands: "\nexecute-script-for-job",
+          commands: "execute-script-for-job",
           tag_list: [],
           options: {},
           when: "on_success",
@@ -663,6 +738,27 @@ EOT
         end.to raise_error(GitlabCiYamlProcessor::ValidationError, "before_script should be an array of strings")
       end
 
+      it "returns errors if job before_script parameter is not an array of strings" do
+        config = YAML.dump({ rspec: { script: "test", before_script: [10, "test"] } })
+        expect do
+          GitlabCiYamlProcessor.new(config, path)
+        end.to raise_error(GitlabCiYamlProcessor::ValidationError, "rspec job: before_script should be an array of strings")
+      end
+
+      it "returns errors if after_script parameter is invalid" do
+        config = YAML.dump({ after_script: "bundle update", rspec: { script: "test" } })
+        expect do
+          GitlabCiYamlProcessor.new(config, path)
+        end.to raise_error(GitlabCiYamlProcessor::ValidationError, "after_script should be an array of strings")
+      end
+
+      it "returns errors if job after_script parameter is not an array of strings" do
+        config = YAML.dump({ rspec: { script: "test", after_script: [10, "test"] } })
+        expect do
+          GitlabCiYamlProcessor.new(config, path)
+        end.to raise_error(GitlabCiYamlProcessor::ValidationError, "rspec job: after_script should be an array of strings")
+      end
+
       it "returns errors if image parameter is invalid" do
         config = YAML.dump({ image: ["test"], rspec: { script: "test" } })
         expect do

spec/lib/gitlab/github_import/issue_formatter_spec.rb

@@ -2,13 +2,14 @@ require 'spec_helper'
 
 describe Gitlab::GithubImport::IssueFormatter, lib: true do
   let!(:project) { create(:project, namespace: create(:namespace, path: 'octocat')) }
-  let(:octocat) { OpenStruct.new(id: 123456, login: 'octocat') }
+  let(:octocat) { double(id: 123456, login: 'octocat') }
   let(:created_at) { DateTime.strptime('2011-01-26T19:01:12Z') }
   let(:updated_at) { DateTime.strptime('2011-01-27T19:01:12Z') }
 
   let(:base_data) do
     {
       number: 1347,
+      milestone: nil,
       state: 'open',
       title: 'Found a bug',
       body: "I'm having a problem with this.",
@@ -26,11 +27,13 @@ describe Gitlab::GithubImport::IssueFormatter, lib: true do
 
   describe '#attributes' do
     context 'when issue is open' do
-      let(:raw_data) { OpenStruct.new(base_data.merge(state: 'open')) }
+      let(:raw_data) { double(base_data.merge(state: 'open')) }
 
       it 'returns formatted attributes' do
         expected = {
+          iid: 1347,
           project: project,
+          milestone: nil,
           title: 'Found a bug',
           description: "*Created by: octocat*\n\nI'm having a problem with this.",
           state: 'opened',
@@ -46,11 +49,13 @@ describe Gitlab::GithubImport::IssueFormatter, lib: true do
 
     context 'when issue is closed' do
       let(:closed_at) { DateTime.strptime('2011-01-28T19:01:12Z') }
-      let(:raw_data) { OpenStruct.new(base_data.merge(state: 'closed', closed_at: closed_at)) }
+      let(:raw_data) { double(base_data.merge(state: 'closed', closed_at: closed_at)) }
 
       it 'returns formatted attributes' do
         expected = {
+          iid: 1347,
           project: project,
+          milestone: nil,
           title: 'Found a bug',
           description: "*Created by: octocat*\n\nI'm having a problem with this.",
           state: 'closed',
@@ -65,7 +70,7 @@ describe Gitlab::GithubImport::IssueFormatter, lib: true do
     end
 
     context 'when it is assigned to someone' do
-      let(:raw_data) { OpenStruct.new(base_data.merge(assignee: octocat)) }
+      let(:raw_data) { double(base_data.merge(assignee: octocat)) }
 
       it 'returns nil as assignee_id when is not a GitLab user' do
         expect(issue.attributes.fetch(:assignee_id)).to be_nil
@@ -78,8 +83,23 @@ describe Gitlab::GithubImport::IssueFormatter, lib: true do
       end
     end
 
+    context 'when it has a milestone' do
+      let(:milestone) { double(number: 45) }
+      let(:raw_data) { double(base_data.merge(milestone: milestone)) }
+
+      it 'returns nil when milestone does not exist' do
+        expect(issue.attributes.fetch(:milestone)).to be_nil
+      end
+
+      it 'returns milestone when it exists' do
+        milestone = create(:milestone, project: project, iid: 45)
+
+        expect(issue.attributes.fetch(:milestone)).to eq milestone
+      end
+    end
+
     context 'when author is a GitLab user' do
-      let(:raw_data) { OpenStruct.new(base_data.merge(user: octocat)) }
+      let(:raw_data) { double(base_data.merge(user: octocat)) }
 
       it 'returns project#creator_id as author_id when is not a GitLab user' do
         expect(issue.attributes.fetch(:author_id)).to eq project.creator_id
@@ -95,7 +115,7 @@ describe Gitlab::GithubImport::IssueFormatter, lib: true do
 
   describe '#has_comments?' do
     context 'when number of comments is greater than zero' do
-      let(:raw_data) { OpenStruct.new(base_data.merge(comments: 1)) }
+      let(:raw_data) { double(base_data.merge(comments: 1)) }
 
       it 'returns true' do
         expect(issue.has_comments?).to eq true
@@ -103,7 +123,7 @@ describe Gitlab::GithubImport::IssueFormatter, lib: true do
     end
 
     context 'when number of comments is equal to zero' do
-      let(:raw_data) { OpenStruct.new(base_data.merge(comments: 0)) }
+      let(:raw_data) { double(base_data.merge(comments: 0)) }
 
       it 'returns false' do
         expect(issue.has_comments?).to eq false
@@ -112,7 +132,7 @@ describe Gitlab::GithubImport::IssueFormatter, lib: true do
   end
 
   describe '#number' do
-    let(:raw_data) { OpenStruct.new(base_data.merge(number: 1347)) }
+    let(:raw_data) { double(base_data.merge(number: 1347)) }
 
     it 'returns pull request number' do
       expect(issue.number).to eq 1347
@@ -121,7 +141,7 @@ describe Gitlab::GithubImport::IssueFormatter, lib: true do
 
   describe '#valid?' do
     context 'when mention a pull request' do
-      let(:raw_data) { OpenStruct.new(base_data.merge(pull_request: OpenStruct.new)) }
+      let(:raw_data) { double(base_data.merge(pull_request: double)) }
 
       it 'returns false' do
         expect(issue.valid?).to eq false
@@ -129,7 +149,7 @@ describe Gitlab::GithubImport::IssueFormatter, lib: true do
     end
 
     context 'when does not mention a pull request' do
-      let(:raw_data) { OpenStruct.new(base_data.merge(pull_request: nil)) }
+      let(:raw_data) { double(base_data.merge(pull_request: nil)) }
 
       it 'returns true' do
         expect(issue.valid?).to eq true

spec/lib/gitlab/github_import/label_formatter_spec.rb

+require 'spec_helper'
+
+describe Gitlab::GithubImport::LabelFormatter, lib: true do
+
+  describe '#attributes' do
+    it 'returns formatted attributes' do
+      project = create(:project)
+      raw = double(name: 'improvements', color: 'e6e6e6')
+
+      formatter = described_class.new(project, raw)
+
+      expect(formatter.attributes).to eq({
+        project: project,
+        title: 'improvements',
+        color: '#e6e6e6'
+      })
+    end
+  end
+end

spec/lib/gitlab/github_import/milestone_formatter_spec.rb

+require 'spec_helper'
+
+describe Gitlab::GithubImport::MilestoneFormatter, lib: true do
+  let(:project) { create(:empty_project) }
+  let(:created_at) { DateTime.strptime('2011-01-26T19:01:12Z') }
+  let(:updated_at) { DateTime.strptime('2011-01-27T19:01:12Z') }
+  let(:base_data) do
+    {
+      number: 1347,
+      state: 'open',
+      title: '1.0',
+      description: 'Version 1.0',
+      due_on: nil,
+      created_at: created_at,
+      updated_at: updated_at,
+      closed_at: nil
+    }
+  end
+
+  subject(:formatter) { described_class.new(project, raw_data)}
+
+  describe '#attributes' do
+    context 'when milestone is open' do
+      let(:raw_data) { double(base_data.merge(state: 'open')) }
+
+      it 'returns formatted attributes' do
+        expected = {
+          iid: 1347,
+          project: project,
+          title: '1.0',
+          description: 'Version 1.0',
+          state: 'active',
+          due_date: nil,
+          created_at: created_at,
+          updated_at: updated_at
+        }
+
+        expect(formatter.attributes).to eq(expected)
+      end
+    end
+
+    context 'when milestone is closed' do
+      let(:closed_at) { DateTime.strptime('2011-01-28T19:01:12Z') }
+      let(:raw_data) { double(base_data.merge(state: 'closed', closed_at: closed_at)) }
+
+      it 'returns formatted attributes' do
+        expected = {
+          iid: 1347,
+          project: project,
+          title: '1.0',
+          description: 'Version 1.0',
+          state: 'closed',
+          due_date: nil,
+          created_at: created_at,
+          updated_at: closed_at
+        }
+
+        expect(formatter.attributes).to eq(expected)
+      end
+    end
+
+    context 'when milestone has a due date' do
+      let(:due_date) { DateTime.strptime('2011-01-28T19:01:12Z') }
+      let(:raw_data) { double(base_data.merge(due_on: due_date)) }
+
+      it 'returns formatted attributes' do
+        expected = {
+          iid: 1347,
+          project: project,
+          title: '1.0',
+          description: 'Version 1.0',
+          state: 'active',
+          due_date: due_date,
+          created_at: created_at,
+          updated_at: updated_at
+        }
+
+        expect(formatter.attributes).to eq(expected)
+      end
+    end
+  end
+end

spec/lib/gitlab/github_import/pull_request_formatter_spec.rb

@@ -2,17 +2,18 @@ require 'spec_helper'
 
 describe Gitlab::GithubImport::PullRequestFormatter, lib: true do
   let(:project) { create(:project) }
-  let(:repository) { OpenStruct.new(id: 1, fork: false) }
+  let(:repository) { double(id: 1, fork: false) }
   let(:source_repo) { repository }
-  let(:source_branch) { OpenStruct.new(ref: 'feature', repo: source_repo) }
+  let(:source_branch) { double(ref: 'feature', repo: source_repo) }
   let(:target_repo) { repository }
-  let(:target_branch) { OpenStruct.new(ref: 'master', repo: target_repo) }
-  let(:octocat) { OpenStruct.new(id: 123456, login: 'octocat') }
+  let(:target_branch) { double(ref: 'master', repo: target_repo) }
+  let(:octocat) { double(id: 123456, login: 'octocat') }
   let(:created_at) { DateTime.strptime('2011-01-26T19:01:12Z') }
   let(:updated_at) { DateTime.strptime('2011-01-27T19:01:12Z') }
   let(:base_data) do
     {
       number: 1347,
+      milestone: nil,
       state: 'open',
       title: 'New feature',
       body: 'Please pull these awesome changes',
@@ -31,10 +32,11 @@ describe Gitlab::GithubImport::PullRequestFormatter, lib: true do
 
   describe '#attributes' do
     context 'when pull request is open' do
-      let(:raw_data) { OpenStruct.new(base_data.merge(state: 'open')) }
+      let(:raw_data) { double(base_data.merge(state: 'open')) }
 
       it 'returns formatted attributes' do
         expected = {
+          iid: 1347,
           title: 'New feature',
           description: "*Created by: octocat*\n\nPlease pull these awesome changes",
           source_project: project,
@@ -42,6 +44,7 @@ describe Gitlab::GithubImport::PullRequestFormatter, lib: true do
           target_project: project,
           target_branch: 'master',
           state: 'opened',
+          milestone: nil,
           author_id: project.creator_id,
           assignee_id: nil,
           created_at: created_at,
@@ -54,10 +57,11 @@ describe Gitlab::GithubImport::PullRequestFormatter, lib: true do
 
     context 'when pull request is closed' do
       let(:closed_at) { DateTime.strptime('2011-01-28T19:01:12Z') }
-      let(:raw_data) { OpenStruct.new(base_data.merge(state: 'closed', closed_at: closed_at)) }
+      let(:raw_data) { double(base_data.merge(state: 'closed', closed_at: closed_at)) }
 
       it 'returns formatted attributes' do
         expected = {
+          iid: 1347,
           title: 'New feature',
           description: "*Created by: octocat*\n\nPlease pull these awesome changes",
           source_project: project,
@@ -65,6 +69,7 @@ describe Gitlab::GithubImport::PullRequestFormatter, lib: true do
           target_project: project,
           target_branch: 'master',
           state: 'closed',
+          milestone: nil,
           author_id: project.creator_id,
           assignee_id: nil,
           created_at: created_at,
@@ -77,10 +82,11 @@ describe Gitlab::GithubImport::PullRequestFormatter, lib: true do
 
     context 'when pull request is merged' do
       let(:merged_at) { DateTime.strptime('2011-01-28T13:01:12Z') }
-      let(:raw_data) { OpenStruct.new(base_data.merge(state: 'closed', merged_at: merged_at)) }
+      let(:raw_data) { double(base_data.merge(state: 'closed', merged_at: merged_at)) }
 
       it 'returns formatted attributes' do
         expected = {
+          iid: 1347,
           title: 'New feature',
           description: "*Created by: octocat*\n\nPlease pull these awesome changes",
           source_project: project,
@@ -88,6 +94,7 @@ describe Gitlab::GithubImport::PullRequestFormatter, lib: true do
           target_project: project,
           target_branch: 'master',
           state: 'merged',
+          milestone: nil,
           author_id: project.creator_id,
           assignee_id: nil,
           created_at: created_at,
@@ -99,7 +106,7 @@ describe Gitlab::GithubImport::PullRequestFormatter, lib: true do
     end
 
     context 'when it is assigned to someone' do
-      let(:raw_data) { OpenStruct.new(base_data.merge(assignee: octocat)) }
+      let(:raw_data) { double(base_data.merge(assignee: octocat)) }
 
       it 'returns nil as assignee_id when is not a GitLab user' do
         expect(pull_request.attributes.fetch(:assignee_id)).to be_nil
@@ -113,7 +120,7 @@ describe Gitlab::GithubImport::PullRequestFormatter, lib: true do
     end
 
     context 'when author is a GitLab user' do
-      let(:raw_data) { OpenStruct.new(base_data.merge(user: octocat)) }
+      let(:raw_data) { double(base_data.merge(user: octocat)) }
 
       it 'returns project#creator_id as author_id when is not a GitLab user' do
         expect(pull_request.attributes.fetch(:author_id)).to eq project.creator_id
@@ -125,10 +132,25 @@ describe Gitlab::GithubImport::PullRequestFormatter, lib: true do
         expect(pull_request.attributes.fetch(:author_id)).to eq gl_user.id
       end
     end
+
+    context 'when it has a milestone' do
+      let(:milestone) { double(number: 45) }
+      let(:raw_data) { double(base_data.merge(milestone: milestone)) }
+
+      it 'returns nil when milestone does not exists' do
+        expect(pull_request.attributes.fetch(:milestone)).to be_nil
+      end
+
+      it 'returns milestone when is exists' do
+        milestone = create(:milestone, project: project, iid: 45)
+
+        expect(pull_request.attributes.fetch(:milestone)).to eq milestone
+      end
+    end
   end
 
   describe '#number' do
-    let(:raw_data) { OpenStruct.new(base_data.merge(number: 1347)) }
+    let(:raw_data) { double(base_data.merge(number: 1347)) }
 
     it 'returns pull request number' do
       expect(pull_request.number).to eq 1347
@@ -136,11 +158,11 @@ describe Gitlab::GithubImport::PullRequestFormatter, lib: true do
   end
 
   describe '#valid?' do
-    let(:invalid_branch) { OpenStruct.new(ref: 'invalid-branch') }
+    let(:invalid_branch) { double(ref: 'invalid-branch').as_null_object }
 
     context 'when source, and target repositories are the same' do
       context 'and source and target branches exists' do
-        let(:raw_data) { OpenStruct.new(base_data.merge(head: source_branch, base: target_branch)) }
+        let(:raw_data) { double(base_data.merge(head: source_branch, base: target_branch)) }
 
         it 'returns true' do
           expect(pull_request.valid?).to eq true
@@ -148,7 +170,7 @@ describe Gitlab::GithubImport::PullRequestFormatter, lib: true do
       end
 
       context 'and source branch doesn not exists' do
-        let(:raw_data) { OpenStruct.new(base_data.merge(head: invalid_branch, base: target_branch)) }
+        let(:raw_data) { double(base_data.merge(head: invalid_branch, base: target_branch)) }
 
         it 'returns false' do
           expect(pull_request.valid?).to eq false
@@ -156,7 +178,7 @@ describe Gitlab::GithubImport::PullRequestFormatter, lib: true do
       end
 
       context 'and target branch doesn not exists' do
-        let(:raw_data) { OpenStruct.new(base_data.merge(head: source_branch, base: invalid_branch)) }
+        let(:raw_data) { double(base_data.merge(head: source_branch, base: invalid_branch)) }
 
         it 'returns false' do
           expect(pull_request.valid?).to eq false
@@ -165,8 +187,8 @@ describe Gitlab::GithubImport::PullRequestFormatter, lib: true do
     end
 
     context 'when source repo is a fork' do
-      let(:source_repo) { OpenStruct.new(id: 2, fork: true) }
-      let(:raw_data) { OpenStruct.new(base_data) }
+      let(:source_repo) { double(id: 2, fork: true) }
+      let(:raw_data) { double(base_data) }
 
       it 'returns false' do
         expect(pull_request.valid?).to eq false
@@ -174,8 +196,8 @@ describe Gitlab::GithubImport::PullRequestFormatter, lib: true do
     end
 
     context 'when target repo is a fork' do
-      let(:target_repo) { OpenStruct.new(id: 2, fork: true) }
-      let(:raw_data) { OpenStruct.new(base_data) }
+      let(:target_repo) { double(id: 2, fork: true) }
+      let(:raw_data) { double(base_data) }
 
       it 'returns false' do
         expect(pull_request.valid?).to eq false

spec/lib/gitlab/push_data_builder_spec.rb

@@ -14,11 +14,11 @@ describe Gitlab::PushDataBuilder, lib: true do
     it { expect(data[:ref]).to eq('refs/heads/master') }
     it { expect(data[:commits].size).to eq(3) }
     it { expect(data[:total_commits_count]).to eq(3) }
-    it { expect(data[:commits].first[:added]).to eq(["gitlab-grack"]) }
-    it { expect(data[:commits].first[:modified]).to eq([".gitmodules"]) }
+    it { expect(data[:commits].first[:added]).to eq(['gitlab-grack']) }
+    it { expect(data[:commits].first[:modified]).to eq(['.gitmodules']) }
     it { expect(data[:commits].first[:removed]).to eq([]) }
 
-    include_examples 'project hook data'
+    include_examples 'project hook data with deprecateds'
     include_examples 'deprecated repository hook data'
   end
 
@@ -34,9 +34,18 @@ describe Gitlab::PushDataBuilder, lib: true do
     it { expect(data[:checkout_sha]).to eq('5937ac0a7beb003549fc5fd26fc247adbce4a52e') }
     it { expect(data[:after]).to eq('8a2a6eb295bb170b34c24c76c49ed0e9b2eaf34b') }
     it { expect(data[:ref]).to eq('refs/tags/v1.1.0') }
+    it { expect(data[:user_id]).to eq(user.id) }
+    it { expect(data[:user_name]).to eq(user.name) }
+    it { expect(data[:user_email]).to eq(user.email) }
+    it { expect(data[:user_avatar]).to eq(user.avatar_url) }
+    it { expect(data[:project_id]).to eq(project.id) }
+    it { expect(data[:project]).to be_a(Hash) }
     it { expect(data[:commits]).to be_empty }
     it { expect(data[:total_commits_count]).to be_zero }
 
+    include_examples 'project hook data with deprecateds'
+    include_examples 'deprecated repository hook data'
+
     it 'does not raise an error when given nil commits' do
       expect { described_class.build(spy, spy, spy, spy, spy, nil) }.
         not_to raise_error

spec/mailers/repository_check_mailer_spec.rb

@@ -15,7 +15,7 @@ describe RepositoryCheckMailer do
     it 'mentions the number of failed checks' do
       mail = described_class.notify(3)
 
-      expect(mail).to have_subject '3 projects failed their last repository check'
+      expect(mail).to have_subject 'GitLab Admin | 3 projects failed their last repository check'
     end
   end
 end

spec/requests/api/users_spec.rb

@@ -20,6 +20,24 @@ describe API::API, api: true  do
     end
 
     context "when authenticated" do
+      #These specs are written just in case API authentication is not required anymore
+      context "when public level is restricted" do
+        before do
+          stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+          allow_any_instance_of(API::Helpers).to receive(:authenticate!).and_return(true)
+        end
+
+        it "renders 403" do
+          get api("/users")
+          expect(response.status).to eq(403)
+        end
+
+        it "renders 404" do
+          get api("/users/#{user.id}")
+          expect(response.status).to eq(404)
+        end
+      end
+
       it "should return an array of users" do
         get api("/users", user)
         expect(response.status).to eq(200)

spec/services/git_tag_push_service_spec.rb

@@ -5,19 +5,17 @@ describe GitTagPushService, services: true do
 
   let(:user) { create :user }
   let(:project) { create :project }
-  let(:service) { GitTagPushService.new }
+  let(:service) { GitTagPushService.new(project, user, oldrev: oldrev, newrev: newrev, ref: ref) }
 
-  before do
-    @oldrev = Gitlab::Git::BLANK_SHA
-    @newrev = "8a2a6eb295bb170b34c24c76c49ed0e9b2eaf34b" # gitlab-test: git rev-parse refs/tags/v1.1.0
-    @ref = 'refs/tags/v1.1.0'
-  end
+  let(:oldrev) { Gitlab::Git::BLANK_SHA }
+  let(:newrev) { "8a2a6eb295bb170b34c24c76c49ed0e9b2eaf34b" } # gitlab-test: git rev-parse refs/tags/v1.1.0
+  let(:ref) { 'refs/tags/v1.1.0' }
 
   describe "Git Tag Push Data" do
     before do
-      service.execute(project, user, @oldrev, @newrev, @ref)
+      service.execute
       @push_data = service.push_data
-      @tag_name = Gitlab::Git.ref_name(@ref)
+      @tag_name = Gitlab::Git.ref_name(ref)
       @tag = project.repository.find_tag(@tag_name)
       @commit = project.commit(@tag.target)
     end
@@ -25,9 +23,9 @@ describe GitTagPushService, services: true do
     subject { @push_data }
 
     it { is_expected.to include(object_kind: 'tag_push') }
-    it { is_expected.to include(ref: @ref) }
-    it { is_expected.to include(before: @oldrev) }
-    it { is_expected.to include(after: @newrev) }
+    it { is_expected.to include(ref: ref) }
+    it { is_expected.to include(before: oldrev) }
+    it { is_expected.to include(after: newrev) }
     it { is_expected.to include(message: @tag.message) }
     it { is_expected.to include(user_id: user.id) }
     it { is_expected.to include(user_name: user.name) }
@@ -80,9 +78,11 @@ describe GitTagPushService, services: true do
 
   describe "Webhooks" do
     context "execute webhooks" do
+      let(:service) { GitTagPushService.new(project, user, oldrev: 'oldrev', newrev: 'newrev', ref: 'refs/tags/v1.0.0') }
+
       it "when pushing tags" do
         expect(project).to receive(:execute_hooks)
-        service.execute(project, user, 'oldrev', 'newrev', 'refs/tags/v1.0.0')
+        service.execute
       end
     end
   end

spec/support/project_hook_data_shared_example.rb

-RSpec.shared_examples 'project hook data' do |project_key: :project|
+RSpec.shared_examples 'project hook data with deprecateds' do |project_key: :project|
   it 'contains project data' do
     expect(data[project_key][:name]).to eq(project.name)
     expect(data[project_key][:description]).to eq(project.description)
@@ -17,6 +17,21 @@ RSpec.shared_examples 'project hook data' do |project_key: :project|
   end
 end
 
+RSpec.shared_examples 'project hook data' do |project_key: :project|
+  it 'contains project data' do
+    expect(data[project_key][:name]).to eq(project.name)
+    expect(data[project_key][:description]).to eq(project.description)
+    expect(data[project_key][:web_url]).to eq(project.web_url)
+    expect(data[project_key][:avatar_url]).to eq(project.avatar_url)
+    expect(data[project_key][:git_http_url]).to eq(project.http_url_to_repo)
+    expect(data[project_key][:git_ssh_url]).to eq(project.ssh_url_to_repo)
+    expect(data[project_key][:namespace]).to eq(project.namespace.name)
+    expect(data[project_key][:visibility_level]).to eq(project.visibility_level)
+    expect(data[project_key][:path_with_namespace]).to eq(project.path_with_namespace)
+    expect(data[project_key][:default_branch]).to eq(project.default_branch)
+  end
+end
+
 RSpec.shared_examples 'deprecated repository hook data' do |project_key: :project|
   it 'contains deprecated repository data' do
     expect(data[:repository][:name]).to eq(project.name)

spec/workers/repository_check/single_repository_worker_spec.rb

+require 'spec_helper'
+require 'fileutils'
+
+describe RepositoryCheck::SingleRepositoryWorker do
+  subject { described_class.new }
+
+  it 'fails if the wiki repository is broken' do
+    project = create(:project_empty_repo, wiki_enabled: true)
+    project.create_wiki
+
+    # Test sanity: everything should be fine before the wiki repo is broken
+    subject.perform(project.id)
+    expect(project.reload.last_repository_check_failed).to eq(false)
+
+    destroy_wiki(project)
+    subject.perform(project.id)
+
+    expect(project.reload.last_repository_check_failed).to eq(true)
+  end
+
+  it 'skips wikis when disabled' do
+    project = create(:project_empty_repo, wiki_enabled: false)
+    # Make sure the test would fail if it checked the wiki repo
+    destroy_wiki(project)
+
+    subject.perform(project.id)
+
+    expect(project.reload.last_repository_check_failed).to eq(false)
+  end
+
+  def destroy_wiki(project)
+    FileUtils.rm_rf(project.wiki.repository.path_to_repo)
+  end
+end