Merge branch '202585-reduce-rules-duplication' into 'master'

Consolidate conditions and rules under .gitlab/ci/rules.gitlab-ci.yml See merge request gitlab-org/gitlab!25150

Merge branch '202585-reduce-rules-duplication' into 'master'
Consolidate conditions and rules under .gitlab/ci/rules.gitlab-ci.yml See merge request gitlab-org/gitlab!25150
2378b312 · Lin Jen-Shin · 684a166a · f82a4fd6 · 2378b312 · 2378b312
Commit 2378b312 authored Feb 18, 2020 by Lin Jen-Shin
19 changed files
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -36,6 +36,7 @@ include:
  - local: .gitlab/ci/reports.gitlab-ci.yml
  - local: .gitlab/ci/rails.gitlab-ci.yml
  - local: .gitlab/ci/review.gitlab-ci.yml
+  - local: .gitlab/ci/rules.gitlab-ci.yml
  - local: .gitlab/ci/setup.gitlab-ci.yml
  - local: .gitlab/ci/dev-fixtures.gitlab-ci.yml
  - local: .gitlab/ci/test-metadata.gitlab-ci.yml

--- a/.gitlab/ci/cache-repo.gitlab-ci.yml
+++ b/.gitlab/ci/cache-repo.gitlab-ci.yml
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-cache-credentials-schedule: &if-cache-credentials-schedule
-  if: '$CI_REPO_CACHE_CREDENTIALS && $CI_PIPELINE_SOURCE == "schedule"'
-
 # Builds a cached .tar.gz of the master branch with full history and
 # uploads it to Google Cloud Storage. This archive is downloaded by a
 # script defined by a CI/CD variable named CI_PRE_CLONE_SCRIPT. This has
@@ -22,6 +18,7 @@
 # runner, or network egress charges will apply:
 # https://cloud.google.com/storage/pricing
 cache-repo:
+  extends: .cache-repo:rules
  image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine
  stage: sync
  allow_failure: true
@@ -38,6 +35,3 @@ cache-repo:
    - tar cf $TAR_FILENAME .
    - gzip $TAR_FILENAME
    - gsutil cp $TAR_FILENAME.gz gs://gitlab-ci-git-repo-cache/project-$CI_PROJECT_ID/gitlab-master.tar.gz
-  rules:
-    - <<: *if-cache-credentials-schedule
-      when: on_success
--- a/.gitlab/ci/cng.gitlab-ci.yml
+++ b/.gitlab/ci/cng.gitlab-ci.yml
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-canonical-dot-com-gitlab-org-groups-tag: &if-canonical-dot-com-gitlab-org-groups-tag
-  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE =~ /^gitlab-org($|\/)/ && $CI_COMMIT_TAG'
-
 cloud-native-image:
+  extends: .cng:rules
  image: ruby:2.6-alpine
  dependencies: []
  stage: post-test
@@ -12,6 +9,3 @@ cloud-native-image:
  script:
    - install_gitlab_gem
    - CNG_PROJECT_PATH="gitlab-org/build/CNG" BUILD_TRIGGER_TOKEN=$CI_JOB_TOKEN ./scripts/trigger-build cng
-  rules:
-    - <<: *if-canonical-dot-com-gitlab-org-groups-tag
-      when: manual
--- a/.gitlab/ci/dev-fixtures.gitlab-ci.yml
+++ b/.gitlab/ci/dev-fixtures.gitlab-ci.yml
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-not-ee: &if-not-ee
-  if: '$CI_PROJECT_NAME !~ /^gitlab(-ee)?$/'
-
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-default-refs: &if-default-refs
-  if: '$CI_COMMIT_REF_NAME == "master" || $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/ || $CI_COMMIT_REF_NAME =~ /^\d+-\d+-auto-deploy-\d+$/ || $CI_COMMIT_REF_NAME =~ /^security\// || $CI_MERGE_REQUEST_IID || $CI_COMMIT_TAG'
-
-# Make sure to update all the similar patterns in other CI config files if you modify these patterns
-.code-backstage-patterns: &code-backstage-patterns
-  - ".gitlab/ci/**/*"
-  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
-  - ".csscomb.json"
-  - "Dockerfile.assets"
-  - "*_VERSION"
-  - "Gemfile{,.lock}"
-  - "Rakefile"
-  - "{babel.config,jest.config}.js"
-  - "config.ru"
-  - "{package.json,yarn.lock}"
-  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
-  - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
-  # Backstage changes
-  - "Dangerfile"
-  - "danger/**/*"
-  - "{,ee/}fixtures/**/*"
-  - "{,ee/}rubocop/**/*"
-  - "{,ee/}spec/**/*"
-  - "doc/README.md"  # Some RSpec test rely on this file
-
-.dev-fixtures:rules:ee-and-foss:
-  rules:
-    - <<: *if-default-refs
-      changes: *code-backstage-patterns
-      when: on_success
-
-.dev-fixtures:rules:ee-only:
-  rules:
-    - <<: *if-not-ee
-      when: never
-    - <<: *if-default-refs
-      changes: *code-backstage-patterns
-      when: on_success
-
 .run-dev-fixtures:
  extends:
    - .default-tags

--- a/.gitlab/ci/docs.gitlab-ci.yml
+++ b/.gitlab/ci/docs.gitlab-ci.yml
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-canonical-dot-com-gitlab-org-groups-merge-request: &if-canonical-dot-com-gitlab-org-groups-merge-request
-  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE =~ /^gitlab-org($|\/)/ && $CI_MERGE_REQUEST_IID'
-
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-not-ee: &if-not-ee
-  if: '$CI_PROJECT_NAME !~ /^gitlab(-ee)?$/'
-
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-default-refs: &if-default-refs
-  if: '$CI_COMMIT_REF_NAME == "master" || $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/ || $CI_COMMIT_REF_NAME =~ /^\d+-\d+-auto-deploy-\d+$/ || $CI_COMMIT_REF_NAME =~ /^security\// || $CI_MERGE_REQUEST_IID || $CI_COMMIT_TAG'
-
-# Make sure to update all the similar patterns in other CI config files if you modify these patterns
-.code-docs-patterns: &code-docs-patterns
-  - ".gitlab/route-map.yml"
-  - "doc/**/*"
-  - ".markdownlint.json"
-
-# Make sure to update all the similar patterns in other CI config files if you modify these patterns
-.code-backstage-qa-patterns: &code-backstage-qa-patterns
-  - ".gitlab/ci/**/*"
-  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
-  - ".csscomb.json"
-  - "Dockerfile.assets"
-  - "*_VERSION"
-  - "Gemfile{,.lock}"
-  - "Rakefile"
-  - "{babel.config,jest.config}.js"
-  - "config.ru"
-  - "{package.json,yarn.lock}"
-  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
-  - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
-  # Backstage changes
-  - "Dangerfile"
-  - "danger/**/*"
-  - "{,ee/}fixtures/**/*"
-  - "{,ee/}rubocop/**/*"
-  - "{,ee/}spec/**/*"
-  - "doc/README.md"  # Some RSpec test rely on this file
-  # QA changes
-  - ".dockerignore"
-  - "qa/**/*"
-
 .review-docs:
  extends:
    - .default-tags
    - .default-retry
-  rules:
-    - <<: *if-canonical-dot-com-gitlab-org-groups-merge-request
-      changes: *code-docs-patterns
-      when: manual
+    - .docs:rules:review-docs
  allow_failure: true
  image: ruby:2.6-alpine
  stage: review
@@ -90,10 +43,7 @@ docs lint:
  extends:
    - .default-tags
    - .default-retry
-  rules:
-    - <<: *if-default-refs
-      changes: *code-docs-patterns
-      when: on_success
+    - .docs:rules:docs-lint
  image: "registry.gitlab.com/gitlab-org/gitlab-docs:docs-lint"
  stage: test
  dependencies: []
@@ -117,13 +67,8 @@ graphql-reference-verify:
    - .default-retry
    - .default-cache
    - .default-before_script
+    - .docs:rules:graphql-reference-verify
    - .use-pg9
-  rules:
-    - <<: *if-not-ee
-      when: never
-    - <<: *if-default-refs
-      changes: *code-backstage-qa-patterns
-      when: on_success
  stage: test
  needs: ["setup-test-env"]
  script:

--- a/.gitlab/ci/frontend.gitlab-ci.yml
+++ b/.gitlab/ci/frontend.gitlab-ci.yml
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-not-canonical-namespace: &if-not-canonical-namespace
-  if: '$CI_PROJECT_NAMESPACE !~ /^gitlab(-org)?($|\/)/'
-
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-not-ee: &if-not-ee
-  if: '$CI_PROJECT_NAME !~ /^gitlab(-ee)?$/'
-
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-master-refs: &if-master-refs
-  if: '$CI_COMMIT_REF_NAME == "master"'
-
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-default-refs: &if-default-refs
-  if: '$CI_COMMIT_REF_NAME == "master" || $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/ || $CI_COMMIT_REF_NAME =~ /^\d+-\d+-auto-deploy-\d+$/ || $CI_COMMIT_REF_NAME =~ /^security\// || $CI_MERGE_REQUEST_IID || $CI_COMMIT_TAG'
-
-# Make sure to update all the similar patterns in other CI config files if you modify these patterns
-.code-backstage-patterns: &code-backstage-patterns
-  - ".gitlab/ci/**/*"
-  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
-  - ".csscomb.json"
-  - "Dockerfile.assets"
-  - "*_VERSION"
-  - "Gemfile{,.lock}"
-  - "Rakefile"
-  - "{babel.config,jest.config}.js"
-  - "config.ru"
-  - "{package.json,yarn.lock}"
-  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
-  - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
-  # Backstage changes
-  - "Dangerfile"
-  - "danger/**/*"
-  - "{,ee/}fixtures/**/*"
-  - "{,ee/}rubocop/**/*"
-  - "{,ee/}spec/**/*"
-  - "doc/README.md"  # Some RSpec test rely on this file
-
-# Make sure to update all the similar patterns in other CI config files if you modify these patterns
-.code-backstage-qa-patterns: &code-backstage-qa-patterns
-  - ".gitlab/ci/**/*"
-  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
-  - ".csscomb.json"
-  - "Dockerfile.assets"
-  - "*_VERSION"
-  - "Gemfile{,.lock}"
-  - "Rakefile"
-  - "{babel.config,jest.config}.js"
-  - "config.ru"
-  - "{package.json,yarn.lock}"
-  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
-  - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
-  # Backstage changes
-  - "Dangerfile"
-  - "danger/**/*"
-  - "{,ee/}fixtures/**/*"
-  - "{,ee/}rubocop/**/*"
-  - "{,ee/}spec/**/*"
-  - "doc/README.md"  # Some RSpec test rely on this file
-  # QA changes
-  - ".dockerignore"
-  - "qa/**/*"
-
 .assets-compile-cache:
  cache:
    paths:
@@ -113,24 +48,16 @@
    - docker

 gitlab:assets:compile pull-push-cache:
-  extends: .gitlab:assets:compile-metadata
-  rules:
-    - <<: *if-not-canonical-namespace
-      when: never
-    - <<: *if-master-refs
-      changes: *code-backstage-qa-patterns
-      when: on_success
+  extends:
+    - .gitlab:assets:compile-metadata
+    - .frontend:rules:gitlab-assets-compile-pull-push-cache
  cache:
    policy: pull-push

 gitlab:assets:compile pull-cache:
-  extends: .gitlab:assets:compile-metadata
-  rules:
-    - <<: *if-not-canonical-namespace
-      when: never
-    - <<: *if-default-refs
-      changes: *code-backstage-qa-patterns
-      when: on_success
+  extends:
+    - .gitlab:assets:compile-metadata
+    - .frontend:rules:gitlab-assets-compile-pull-cache
  cache:
    policy: pull

@@ -160,47 +87,33 @@ gitlab:assets:compile pull-cache:
      - public/assets

 compile-assets pull-push-cache:
-  extends: .compile-assets-metadata
-  rules:
-    - <<: *if-master-refs
-      changes: *code-backstage-qa-patterns
-      when: on_success
+  extends:
+    - .compile-assets-metadata
+    - .frontend:rules:compile-assets-pull-push-cache
  cache:
    policy: pull-push

-compile-assets pull-push-cache foss:
+compile-assets pull-push-cache as-if-foss:
  extends:
    - .compile-assets-metadata
+    - .frontend:rules:compile-assets-pull-push-cache-as-if-foss
    - .as-if-foss
-  rules:
-    - <<: *if-not-ee
-      when: never
-    - <<: *if-master-refs
-      changes: *code-backstage-qa-patterns
-      when: on_success
  cache:
    policy: pull-push
    key: "assets-compile:v9:foss"

 compile-assets pull-cache:
-  extends: .compile-assets-metadata
-  rules:
-    - <<: *if-default-refs
-      changes: *code-backstage-qa-patterns
-      when: on_success
+  extends:
+    - .compile-assets-metadata
+    - .frontend:rules:compile-assets-pull-cache
  cache:
    policy: pull

-compile-assets pull-cache foss:
+compile-assets pull-cache as-if-foss:
  extends:
    - .compile-assets-metadata
+    - .frontend:rules:compile-assets-pull-cache-as-if-foss
    - .as-if-foss
-  rules:
-    - <<: *if-not-ee
-      when: never
-    - <<: *if-default-refs
-      changes: *code-backstage-qa-patterns
-      when: on_success
  cache:
    policy: pull
    key: "assets-compile:v9:foss"
@@ -228,11 +141,9 @@ compile-assets pull-cache foss:
    - bundle exec rake karma

 karma:
-  extends: .karma-base
-  rules:
-    - <<: *if-default-refs
-      changes: *code-backstage-patterns
-      when: on_success
+  extends:
+    - .karma-base
+    - .frontend:rules:default-frontend-jobs
  coverage: '/^Statements *: (\d+\.\d+%)/'
  artifacts:
    name: coverage-javascript
@@ -245,16 +156,11 @@ karma:
    reports:
      junit: junit_karma.xml

-karma-foss:
+karma-as-if-foss:
  extends:
    - .karma-base
+    - .frontend:rules:default-frontend-jobs-as-if-foss
    - .as-if-foss
-  rules:
-    - <<: *if-not-ee
-      when: never
-    - <<: *if-default-refs
-      changes: *code-backstage-patterns
-      when: on_success

 .jest-base:
  extends: .frontend-job-base
@@ -271,11 +177,9 @@ karma-foss:
    policy: pull-push

 jest:
-  extends: .jest-base
-  rules:
-    - <<: *if-default-refs
-      changes: *code-backstage-patterns
-      when: on_success
+  extends:
+    - .jest-base
+    - .frontend:rules:default-frontend-jobs
  artifacts:
    name: coverage-frontend
    expire_in: 31d
@@ -287,16 +191,11 @@ jest:
    reports:
      junit: junit_jest.xml

-jest-foss:
+jest-as-if-foss:
  extends:
    - .jest-base
+    - .frontend:rules:default-frontend-jobs-as-if-foss
    - .as-if-foss
-  rules:
-    - <<: *if-not-ee
-      when: never
-    - <<: *if-default-refs
-      changes: *code-backstage-patterns
-      when: on_success
  cache:
    policy: pull

@@ -305,10 +204,8 @@ jest-foss:
    - .default-tags
    - .default-retry
    - .default-cache
+    - .frontend:rules:qa-frontend-node
  stage: test
-  rules:
-    - <<: *if-master-refs
-      when: on_success
  dependencies: []
  cache:
    key: "$CI_JOB_NAME"
@@ -339,11 +236,8 @@ webpack-dev-server:
    - .default-tags
    - .default-retry
    - .default-cache
+    - .frontend:rules:default-frontend-jobs
  stage: test
-  rules:
-    - <<: *if-default-refs
-      changes: *code-backstage-patterns
-      when: on_success
  needs: ["setup-test-env", "compile-assets pull-cache"]
  variables:
    WEBPACK_MEMORY_TEST: "true"

--- a/.gitlab/ci/global.gitlab-ci.yml
+++ b/.gitlab/ci/global.gitlab-ci.yml
@@ -33,171 +33,6 @@
      - vendor/gitaly-ruby
    policy: pull

-.default-only:
-  only:
-    refs:
-      - master
-      - /^[\d-]+-stable(-ee)?$/
-      - /^\d+-\d+-auto-deploy-\d+$/
-      - /^security\//
-      - merge_requests
-      - tags
-
-.only:variables-canonical-dot-com:
-  only:
-    variables:
-      - $CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE =~ /^gitlab-org($|\/)/  # Matches the gitlab-org group or its subgroups
-
-.only:variables_refs-canonical-dot-com-schedules:
-  extends: .only:variables-canonical-dot-com
-  only:
-    refs:
-      - schedules
-
-.except:refs-deploy:
-  except:
-    refs:
-      - /^\d+-\d+-auto-deploy-\d+$/
-
-.except:refs-master-tags-stable-deploy:
-  except:
-    refs:
-      - master
-      - tags
-      - /^[\d-]+-stable(-ee)?$/
-      - /^\d+-\d+-auto-deploy-\d+$/
-
-.only:kubernetes:
-  only:
-    kubernetes: active
-
-.only-review:
-  extends:
-    - .only:variables-canonical-dot-com
-    - .only:kubernetes
-    - .except:refs-master-tags-stable-deploy
-
-.only-review-schedules:
-  extends:
-    - .only:variables_refs-canonical-dot-com-schedules
-    - .only:kubernetes
-    - .except:refs-deploy
-
-.code-patterns: &code-patterns
-  - ".gitlab/ci/**/*"
-  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
-  - ".csscomb.json"
-  - "Dockerfile.assets"
-  - "*_VERSION"
-  - "Gemfile{,.lock}"
-  - "Rakefile"
-  - "{babel.config,jest.config}.js"
-  - "config.ru"
-  - "{package.json,yarn.lock}"
-  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
-  - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
-
-.backstage-patterns: &backstage-patterns
-  - "Dangerfile"
-  - "danger/**/*"
-  - "{,ee/}fixtures/**/*"
-  - "{,ee/}rubocop/**/*"
-  - "{,ee/}spec/**/*"
-  - "doc/README.md"  # Some RSpec test rely on this file
-
-.qa-patterns: &qa-patterns
-  - ".dockerignore"
-  - "qa/**/*"
-
-.docs-patterns: &docs-patterns
-  - ".gitlab/route-map.yml"
-  - "doc/**/*"
-  - ".markdownlint.json"
-
-.only:changes-code:
-  only:
-    changes: *code-patterns
-
-.only:changes-qa:
-  only:
-    changes: *qa-patterns
-
-.only:changes-docs:
-  only:
-    changes: *docs-patterns
-
-.only:changes-code-backstage:
-  only:
-    changes:
-      - ".gitlab/ci/**/*"
-      - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-      - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
-      - ".csscomb.json"
-      - "Dockerfile.assets"
-      - "*_VERSION"
-      - "Gemfile{,.lock}"
-      - "Rakefile"
-      - "{babel.config,jest.config}.js"
-      - "config.ru"
-      - "{package.json,yarn.lock}"
-      - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
-      - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
-      # Backstage changes
-      - "Dangerfile"
-      - "danger/**/*"
-      - "{,ee/}fixtures/**/*"
-      - "{,ee/}rubocop/**/*"
-      - "{,ee/}spec/**/*"
-      - "doc/README.md"  # Some RSpec test rely on this file
-
-.only:changes-code-qa:
-  only:
-    changes:
-      - ".gitlab/ci/**/*"
-      - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-      - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
-      - ".csscomb.json"
-      - "Dockerfile.assets"
-      - "*_VERSION"
-      - "Gemfile{,.lock}"
-      - "Rakefile"
-      - "{babel.config,jest.config}.js"
-      - "config.ru"
-      - "{package.json,yarn.lock}"
-      - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
-      - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
-      # QA changes
-      - ".dockerignore"
-      - "qa/**/*"
-
-.only:changes-code-backstage-qa:
-  only:
-    changes:
-      - ".gitlab/ci/**/*"
-      - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-      - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
-      - ".csscomb.json"
-      - "Dockerfile.assets"
-      - "*_VERSION"
-      - "Gemfile{,.lock}"
-      - "Rakefile"
-      - "{babel.config,jest.config}.js"
-      - "config.ru"
-      - "{package.json,yarn.lock}"
-      - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
-      - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
-      # Backstage changes
-      - "Dangerfile"
-      - "danger/**/*"
-      - "{,ee/}fixtures/**/*"
-      - "{,ee/}rubocop/**/*"
-      - "{,ee/}spec/**/*"
-      - "doc/README.md"  # Some RSpec test rely on this file
-      # QA changes
-      - ".dockerignore"
-      - "qa/**/*"
-
 .use-pg9:
  services:
    - name: postgres:9.6.17
@@ -234,17 +69,6 @@
  variables:
    POSTGRES_HOST_AUTH_METHOD: trust

-.only-ee:
-  only:
-    variables:
-      - $CI_PROJECT_NAME == "gitlab"
-      - $CI_PROJECT_NAME == "gitlab-ee"  # Support former project name for forks/mirrors
-
 .as-if-foss:
  variables:
    FOSS_ONLY: '1'
-
-.only-ee-as-if-foss:
-  extends:
-    - .only-ee
-    - .as-if-foss
--- a/.gitlab/ci/memory.gitlab-ci.yml
+++ b/.gitlab/ci/memory.gitlab-ci.yml
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-default-refs: &if-default-refs
-  if: '$CI_COMMIT_REF_NAME == "master" || $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/ || $CI_COMMIT_REF_NAME =~ /^\d+-\d+-auto-deploy-\d+$/ || $CI_COMMIT_REF_NAME =~ /^security\// || $CI_MERGE_REQUEST_IID || $CI_COMMIT_TAG'
-
-# Make sure to update all the similar patterns in other CI config files if you modify these patterns
-.code-patterns: &code-patterns
-  - ".gitlab/ci/**/*"
-  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
-  - ".csscomb.json"
-  - "Dockerfile.assets"
-  - "*_VERSION"
-  - "Gemfile{,.lock}"
-  - "Rakefile"
-  - "{babel.config,jest.config}.js"
-  - "config.ru"
-  - "{package.json,yarn.lock}"
-  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
-  - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
-
 .only-code-memory-job-base:
  extends:
    - .default-tags
    - .default-retry
    - .default-cache
    - .default-before_script
-  rules:
-    - <<: *if-default-refs
-      changes: *code-patterns
-      when: on_success
+    - .memory:rules

 memory-static:
  extends: .only-code-memory-job-base

--- a/.gitlab/ci/pages.gitlab-ci.yml
+++ b/.gitlab/ci/pages.gitlab-ci.yml
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-canonical-dot-com-gitlab-org-group-master-refs: &if-canonical-dot-com-gitlab-org-group-master-refs
-  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_COMMIT_REF_NAME == "master"'
-
-# Make sure to update all the similar patterns in other CI config files if you modify these patterns
-.code-backstage-qa-patterns: &code-backstage-qa-patterns
-  - ".gitlab/ci/**/*"
-  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
-  - ".csscomb.json"
-  - "Dockerfile.assets"
-  - "*_VERSION"
-  - "Gemfile{,.lock}"
-  - "Rakefile"
-  - "{babel.config,jest.config}.js"
-  - "config.ru"
-  - "{package.json,yarn.lock}"
-  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
-  - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
-  # Backstage changes
-  - "Dangerfile"
-  - "danger/**/*"
-  - "{,ee/}fixtures/**/*"
-  - "{,ee/}rubocop/**/*"
-  - "{,ee/}spec/**/*"
-  - "doc/README.md"  # Some RSpec test rely on this file
-  # QA changes
-  - ".dockerignore"
-  - "qa/**/*"
-
 pages:
  extends:
    - .default-tags
    - .default-retry
    - .default-cache
-  rules:
-    - <<: *if-canonical-dot-com-gitlab-org-group-master-refs
-      changes: *code-backstage-qa-patterns
-      when: on_success
+    - .pages:rules
  stage: pages
  dependencies: ["coverage", "karma", "gitlab:assets:compile pull-cache"]
  script:

--- a/.gitlab/ci/qa.gitlab-ci.yml
+++ b/.gitlab/ci/qa.gitlab-ci.yml
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-canonical-dot-com-gitlab-org-group-schedule: &if-canonical-dot-com-gitlab-org-group-schedule
-  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_PIPELINE_SOURCE == "schedule"'
-
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-canonical-gitlab-merge-request: &if-canonical-gitlab-merge-request
-  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_MERGE_REQUEST_IID'
-
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-not-ee: &if-not-ee
-  if: '$CI_PROJECT_NAME !~ /^gitlab(-ee)?$/'
-
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-default-refs: &if-default-refs
-  if: '$CI_COMMIT_REF_NAME == "master" || $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/ || $CI_COMMIT_REF_NAME =~ /^\d+-\d+-auto-deploy-\d+$/ || $CI_COMMIT_REF_NAME =~ /^security\// || $CI_MERGE_REQUEST_IID || $CI_COMMIT_TAG'
-
-# Make sure to update all the similar patterns in other CI config files if you modify these patterns
-.code-patterns: &code-patterns
-  - ".gitlab/ci/**/*"
-  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
-  - ".csscomb.json"
-  - "Dockerfile.assets"
-  - "*_VERSION"
-  - "Gemfile{,.lock}"
-  - "Rakefile"
-  - "{babel.config,jest.config}.js"
-  - "config.ru"
-  - "{package.json,yarn.lock}"
-  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
-  - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
-
-# Make sure to update all the similar patterns in other CI config files if you modify these patterns
-.qa-patterns: &qa-patterns
-  - ".dockerignore"
-  - "qa/**/*"
-
-# Make sure to update all the similar patterns in other CI config files if you modify these patterns
-.code-qa-patterns: &code-qa-patterns
-  - ".gitlab/ci/**/*"
-  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
-  - ".csscomb.json"
-  - "Dockerfile.assets"
-  - "*_VERSION"
-  - "Gemfile{,.lock}"
-  - "Rakefile"
-  - "{babel.config,jest.config}.js"
-  - "config.ru"
-  - "{package.json,yarn.lock}"
-  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
-  - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
-  # QA changes
-  - ".dockerignore"
-  - "qa/**/*"
-
-.qa:rules:ee-and-foss:
-  rules:
-    - <<: *if-default-refs
-      changes: *code-qa-patterns
-      when: on_success
-
-.qa:rules:ee-only:
-  rules:
-    - <<: *if-not-ee
-      when: never
-    - <<: *if-default-refs
-      changes: *code-qa-patterns
-      when: on_success
-
 .qa-job-base:
  extends:
    - .default-tags
@@ -91,7 +21,7 @@ qa:internal:
  script:
    - bundle exec rspec

-qa:internal-foss:
+qa:internal-as-if-foss:
  extends:
    - .qa-job-base
    - .qa:rules:ee-only
@@ -106,7 +36,7 @@ qa:selectors:
  script:
    - bundle exec bin/qa Test::Sanity::Selectors

-qa:selectors-foss:
+qa:selectors-as-if-foss:
  extends:
    - qa:selectors
    - .qa:rules:ee-only
@@ -123,15 +53,8 @@ qa:selectors-foss:
    - ./scripts/trigger-build omnibus

 package-and-qa:
-  extends: .package-and-qa-base
-  rules:
-    - <<: *if-canonical-gitlab-merge-request
-      changes: *qa-patterns
-      when: on_success
-    - <<: *if-canonical-gitlab-merge-request
-      changes: *code-patterns
-      when: manual
-    - <<: *if-canonical-dot-com-gitlab-org-group-schedule
-      when: on_success
+  extends:
+    - .package-and-qa-base
+    - .qa:rules:package-and-qa
  needs: ["build-qa-image", "gitlab:assets:compile pull-cache"]
  allow_failure: true
--- a/.gitlab/ci/rails.gitlab-ci.yml
+++ b/.gitlab/ci/rails.gitlab-ci.yml
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-not-ee: &if-not-ee
-  if: '$CI_PROJECT_NAME !~ /^gitlab(-ee)?$/'
-
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-master-refs: &if-master-refs
-  if: '$CI_COMMIT_REF_NAME == "master"'
-
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-default-refs: &if-default-refs
-  if: '$CI_COMMIT_REF_NAME == "master" || $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/ || $CI_COMMIT_REF_NAME =~ /^\d+-\d+-auto-deploy-\d+$/ || $CI_COMMIT_REF_NAME =~ /^security\// || $CI_MERGE_REQUEST_IID || $CI_COMMIT_TAG'
-
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-merge-request: &if-merge-request
-  if: '$CI_MERGE_REQUEST_IID'
-
-# Make sure to update all the similar patterns in other CI config files if you modify these patterns
-.code-backstage-patterns: &code-backstage-patterns
-  - ".gitlab/ci/**/*"
-  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
-  - ".csscomb.json"
-  - "Dockerfile.assets"
-  - "*_VERSION"
-  - "Gemfile{,.lock}"
-  - "Rakefile"
-  - "{babel.config,jest.config}.js"
-  - "config.ru"
-  - "{package.json,yarn.lock}"
-  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
-  - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
-  # Backstage changes
-  - "Dangerfile"
-  - "danger/**/*"
-  - "{,ee/}fixtures/**/*"
-  - "{,ee/}rubocop/**/*"
-  - "{,ee/}spec/**/*"
-  - "doc/README.md"  # Some RSpec test rely on this file
-
-# Make sure to update all the similar patterns in other CI config files if you modify these patterns
-.code-backstage-qa-patterns: &code-backstage-qa-patterns
-  - ".gitlab/ci/**/*"
-  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
-  - ".csscomb.json"
-  - "Dockerfile.assets"
-  - "*_VERSION"
-  - "Gemfile{,.lock}"
-  - "Rakefile"
-  - "{babel.config,jest.config}.js"
-  - "config.ru"
-  - "{package.json,yarn.lock}"
-  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
-  - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
-  # Backstage changes
-  - "Dangerfile"
-  - "danger/**/*"
-  - "{,ee/}fixtures/**/*"
-  - "{,ee/}rubocop/**/*"
-  - "{,ee/}spec/**/*"
-  - "doc/README.md"  # Some RSpec test rely on this file
-  # QA changes
-  - ".dockerignore"
-  - "qa/**/*"
-
-.rails:rules:ee-and-foss:
-  rules:
-    - <<: *if-default-refs
-      changes: *code-backstage-patterns
-      when: on_success
-
-.rails:rules:default-refs-code-backstage-qa:
-  rules:
-    - <<: *if-default-refs
-      changes: *code-backstage-qa-patterns
-      when: on_success
-
-.rails:rules:master-refs-code-backstage:
-  rules:
-    - <<: *if-master-refs
-      changes: *code-backstage-patterns
-      when: on_success
-
-.rails:rules:master-refs-code-backstage-ee-only:
-  rules:
-    - <<: *if-not-ee
-      when: never
-    - <<: *if-master-refs
-      changes: *code-backstage-patterns
-      when: on_success
-
-.rails:rules:ee-only:
-  rules:
-    - <<: *if-not-ee
-      when: never
-    - <<: *if-default-refs
-      changes: *code-backstage-patterns
-      when: on_success
-
 .rails:needs:setup-and-assets:
  needs:
    - job: setup-test-env
@@ -153,11 +54,8 @@ downtime_check:
  extends:
    - .rails-job-base
    - .rails:needs:setup-and-assets
+    - .rails:rules:downtime_check
  stage: test
-  rules:
-    - <<: *if-merge-request
-      changes: *code-backstage-patterns
-      when: on_success
  variables:
    SETUP_DB: "false"
  script:
@@ -407,7 +305,7 @@ rspec-ee system pg10:
      artifacts: true
    - job: retrieve-tests-metadata
      artifacts: true
-    - job: compile-assets pull-cache foss
+    - job: compile-assets pull-cache as-if-foss
      artifacts: true

 .rspec-ee-base-pg9:

--- a/.gitlab/ci/releases.gitlab-ci.yml
+++ b/.gitlab/ci/releases.gitlab-ci.yml
-.releases:rules:canonical-dot-com-gitlab-stable-branch-only:
-  rules:
-    - if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAME == "gitlab-org/gitlab" && $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable-ee$/'
-
-.releases:rules:canonical-dot-com-security-gitlab-stable-branch-only:
-  rules:
-    - if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAME == "gitlab-org/security/gitlab" && $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable-ee$/'
-
 # Syncs any changes pushed to a stable branch to the corresponding
 # gitlab-foss/CE stable branch. We run this prior to any tests so that random
 # failures don't prevent a sync.

--- a/.gitlab/ci/reports.gitlab-ci.yml
+++ b/.gitlab/ci/reports.gitlab-ci.yml
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-canonical-gitlab-merge-request: &if-canonical-gitlab-merge-request
-  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_MERGE_REQUEST_IID'
-
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-canonical-dot-com-gitlab-org-group-schedule: &if-canonical-dot-com-gitlab-org-group-schedule
-  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_PIPELINE_SOURCE == "schedule"'
-
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-master-refs: &if-master-refs
-  if: '$CI_COMMIT_REF_NAME == "master"'
-
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-default-refs: &if-default-refs
-  if: '$CI_COMMIT_REF_NAME == "master" || $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/ || $CI_COMMIT_REF_NAME =~ /^\d+-\d+-auto-deploy-\d+$/ || $CI_COMMIT_REF_NAME =~ /^security\// || $CI_MERGE_REQUEST_IID || $CI_COMMIT_TAG'
-
-# Make sure to update all the similar patterns in other CI config files if you modify these patterns
-.code-backstage-patterns: &code-backstage-patterns
-  - ".gitlab/ci/**/*"
-  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
-  - ".csscomb.json"
-  - "Dockerfile.assets"
-  - "*_VERSION"
-  - "Gemfile{,.lock}"
-  - "Rakefile"
-  - "{babel.config,jest.config}.js"
-  - "config.ru"
-  - "{package.json,yarn.lock}"
-  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
-  - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
-  # Backstage changes
-  - "Dangerfile"
-  - "danger/**/*"
-  - "{,ee/}fixtures/**/*"
-  - "{,ee/}rubocop/**/*"
-  - "{,ee/}spec/**/*"
-  - "doc/README.md"  # Some RSpec test rely on this file
-
-# Make sure to update all the similar patterns in other CI config files if you modify these patterns
-.code-qa-patterns: &code-qa-patterns
-  - ".gitlab/ci/**/*"
-  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
-  - ".csscomb.json"
-  - "Dockerfile.assets"
-  - "*_VERSION"
-  - "Gemfile{,.lock}"
-  - "Rakefile"
-  - "{babel.config,jest.config}.js"
-  - "config.ru"
-  - "{package.json,yarn.lock}"
-  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
-  - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
-  # QA changes
-  - ".dockerignore"
-  - "qa/**/*"
-
-# Make sure to update all the similar patterns in other CI config files if you modify these patterns
-.code-backstage-qa-patterns: &code-backstage-qa-patterns
-  - ".gitlab/ci/**/*"
-  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
-  - ".csscomb.json"
-  - "Dockerfile.assets"
-  - "*_VERSION"
-  - "Gemfile{,.lock}"
-  - "Rakefile"
-  - "{babel.config,jest.config}.js"
-  - "config.ru"
-  - "{package.json,yarn.lock}"
-  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
-  - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
-  # Backstage changes
-  - "Dangerfile"
-  - "danger/**/*"
-  - "{,ee/}fixtures/**/*"
-  - "{,ee/}rubocop/**/*"
-  - "{,ee/}spec/**/*"
-  - "doc/README.md"  # Some RSpec test rely on this file
-  # QA changes
-  - ".dockerignore"
-  - "qa/**/*"
-
-.reports:rules:code_quality:
-  rules:
-    - if: '$CODE_QUALITY_DISABLED'
-      when: never
-    # - <<: *if-master-refs  # To be done in a later iteration: https://gitlab.com/gitlab-org/gitlab/issues/31160#note_278188255
-    - <<: *if-default-refs
-      changes: *code-backstage-patterns
-
-.reports:rules:sast:
-  rules:
-    - if: '$SAST_DISABLED || $GITLAB_FEATURES !~ /\bsast\b/'
-      when: never
-    # - <<: *if-master-refs  # To be done in a later iteration: https://gitlab.com/gitlab-org/gitlab/issues/31160#note_278188255
-    - <<: *if-default-refs
-      changes: *code-backstage-qa-patterns
-
-.reports:rules:dependency_scanning:
-  rules:
-    - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/'
-      when: never
-    # - <<: *if-master-refs  # To be done in a later iteration: https://gitlab.com/gitlab-org/gitlab/issues/31160#note_278188255
-    - <<: *if-default-refs
-      changes: *code-backstage-qa-patterns
-
-.reports:rules:dast:
-  rules:
-    - if: '$DAST_DISABLED || $GITLAB_FEATURES !~ /\bdast\b/'
-      when: never
-    - <<: *if-canonical-gitlab-merge-request
-      changes: *code-qa-patterns
-
 # include:
 #   - template: Jobs/Code-Quality.gitlab-ci.yml
 #   - template: Security/SAST.gitlab-ci.yml
@@ -299,10 +184,8 @@ dast:

 # To be done in a later iteration: https://gitlab.com/gitlab-org/gitlab/issues/31160#note_278188255
 # schedule:dast:
-#   extends: dast
-#   rules:
-#     - if: '$DAST_DISABLED || $GITLAB_FEATURES !~ /\bdast\b/'
-#       when: never
-#     - <<: *if-canonical-dot-com-gitlab-org-group-schedule
+#   extends:
+#     - dast
+#     - .reports:schedule-dast
 #   variables:
 #     DAST_FULL_SCAN_ENABLED: "true"
--- a/.gitlab/ci/review.gitlab-ci.yml
+++ b/.gitlab/ci/review.gitlab-ci.yml
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-canonical-dot-com-gitlab-org-group-schedule: &if-canonical-dot-com-gitlab-org-group-schedule
-  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_PIPELINE_SOURCE == "schedule"'
-
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-canonical-gitlab-merge-request: &if-canonical-gitlab-merge-request
-  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_MERGE_REQUEST_IID'
-
-# Make sure to update all the similar patterns in other CI config files if you modify these patterns
-.code-qa-patterns: &code-qa-patterns
-  - ".gitlab/ci/**/*"
-  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
-  - ".csscomb.json"
-  - "Dockerfile.assets"
-  - "*_VERSION"
-  - "Gemfile{,.lock}"
-  - "Rakefile"
-  - "{babel.config,jest.config}.js"
-  - "config.ru"
-  - "{package.json,yarn.lock}"
-  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
-  - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
-  # QA changes
-  - ".dockerignore"
-  - "qa/**/*"
-
-.review:rules:mr-and-schedule:
-  rules:
-    - <<: *if-canonical-gitlab-merge-request
-      changes: *code-qa-patterns
-      when: on_success
-    - <<: *if-canonical-dot-com-gitlab-org-group-schedule
-      when: on_success
-
-.review:rules:mr-only-auto:
-  rules:
-    - <<: *if-canonical-gitlab-merge-request
-      changes: *code-qa-patterns
-      when: on_success
-
-.review:rules:mr-only-manual:
-  rules:
-    - <<: *if-canonical-gitlab-merge-request
-      changes: *code-qa-patterns
-      when: manual
-
-.review:rules:review-cleanup:
-  rules:
-    - <<: *if-canonical-gitlab-merge-request
-      changes: *code-qa-patterns
-      when: manual
-    - <<: *if-canonical-dot-com-gitlab-org-group-schedule
-      when: on_success
-
-.review:rules:danger:
-  rules:
-    - if: '$DANGER_GITLAB_API_TOKEN && $CI_MERGE_REQUEST_IID'
-      when: on_success
-
 .review-docker:
  extends:
    - .default-tags

--- a/.gitlab/ci/rules.gitlab-ci.yml
+++ b/.gitlab/ci/rules.gitlab-ci.yml
+##############
+# Conditions #
+##############
+.if-not-canonical-namespace: &if-not-canonical-namespace
+  if: '$CI_PROJECT_NAMESPACE !~ /^gitlab(-org)?($|\/)/'
+
+.if-not-ee: &if-not-ee
+  if: '$CI_PROJECT_NAME !~ /^gitlab(-ee)?$/'
+
+.if-not-foss: &if-not-foss
+  if: '$CI_PROJECT_NAME != "gitlab-foss" && $CI_PROJECT_NAME != "gitlab-ce" && $CI_PROJECT_NAME != "gitlabhq"'
+
+.if-default-refs: &if-default-refs
+  if: '$CI_COMMIT_REF_NAME == "master" || $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/ || $CI_COMMIT_REF_NAME =~ /^\d+-\d+-auto-deploy-\d+$/ || $CI_COMMIT_REF_NAME =~ /^security\// || $CI_MERGE_REQUEST_IID || $CI_COMMIT_TAG'
+
+.if-master-refs: &if-master-refs
+  if: '$CI_COMMIT_REF_NAME == "master"'
+
+.if-master-or-tag: &if-master-or-tag
+  if: '$CI_COMMIT_REF_NAME == "master" || $CI_COMMIT_TAG'
+
+.if-merge-request: &if-merge-request
+  if: '$CI_MERGE_REQUEST_IID'
+
+.if-dot-com-gitlab-org-schedule: &if-dot-com-gitlab-org-schedule
+  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_PIPELINE_SOURCE == "schedule"'
+
+.if-dot-com-gitlab-org-master: &if-dot-com-gitlab-org-master
+  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_COMMIT_REF_NAME == "master"'
+
+.if-dot-com-gitlab-org-merge-request: &if-dot-com-gitlab-org-merge-request
+  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_MERGE_REQUEST_IID'
+
+.if-dot-com-gitlab-org-and-security-merge-request: &if-dot-com-gitlab-org-and-security-merge-request
+  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE =~ /^gitlab-org($|\/security$)/ && $CI_MERGE_REQUEST_IID'
+
+.if-dot-com-gitlab-org-and-security-tag: &if-dot-com-gitlab-org-and-security-tag
+  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE =~ /^gitlab-org($|\/security$)/ && $CI_COMMIT_TAG'
+
+.if-dot-com-ee-schedule: &if-dot-com-ee-schedule
+  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_PATH == "gitlab-org/gitlab" && $CI_PIPELINE_SOURCE == "schedule"'
+
+.if-cache-credentials-schedule: &if-cache-credentials-schedule
+  if: '$CI_REPO_CACHE_CREDENTIALS && $CI_PIPELINE_SOURCE == "schedule"'
+
+####################
+# Changes patterns #
+####################
+.yaml-patterns: &yaml-patterns
+  - "**/*.yml"
+
+.docs-patterns: &docs-patterns
+  - ".gitlab/route-map.yml"
+  - "doc/**/*"
+  - ".markdownlint.json"
+
+.backstage-patterns: &backstage-patterns
+  - "Dangerfile"
+  - "danger/**/*"
+  - "{,ee/}fixtures/**/*"
+  - "{,ee/}rubocop/**/*"
+  - "{,ee/}spec/**/*"
+  - "doc/README.md"  # Some RSpec test rely on this file
+
+.code-patterns: &code-patterns
+  - ".gitlab/ci/**/*"
+  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
+  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
+  - ".csscomb.json"
+  - "Dockerfile.assets"
+  - "*_VERSION"
+  - "Gemfile{,.lock}"
+  - "Rakefile"
+  - "{babel.config,jest.config}.js"
+  - "config.ru"
+  - "{package.json,yarn.lock}"
+  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
+  - "doc/api/graphql/reference/*"  # Files in this folder are auto-generated
+
+.qa-patterns: &qa-patterns
+  - ".dockerignore"
+  - "qa/**/*"
+
+.code-backstage-patterns: &code-backstage-patterns
+  - ".gitlab/ci/**/*"
+  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
+  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
+  - ".csscomb.json"
+  - "Dockerfile.assets"
+  - "*_VERSION"
+  - "Gemfile{,.lock}"
+  - "Rakefile"
+  - "{babel.config,jest.config}.js"
+  - "config.ru"
+  - "{package.json,yarn.lock}"
+  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
+  - "doc/api/graphql/reference/*"  # Files in this folder are auto-generated
+  # Backstage changes
+  - "Dangerfile"
+  - "danger/**/*"
+  - "{,ee/}fixtures/**/*"
+  - "{,ee/}rubocop/**/*"
+  - "{,ee/}spec/**/*"
+  - "doc/README.md"  # Some RSpec test rely on this file
+
+.code-qa-patterns: &code-qa-patterns
+  - ".gitlab/ci/**/*"
+  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
+  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
+  - ".csscomb.json"
+  - "Dockerfile.assets"
+  - "*_VERSION"
+  - "Gemfile{,.lock}"
+  - "Rakefile"
+  - "{babel.config,jest.config}.js"
+  - "config.ru"
+  - "{package.json,yarn.lock}"
+  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
+  - "doc/api/graphql/reference/*"  # Files in this folder are auto-generated
+  # QA changes
+  - ".dockerignore"
+  - "qa/**/*"
+
+.code-backstage-qa-patterns: &code-backstage-qa-patterns
+  - ".gitlab/ci/**/*"
+  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
+  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
+  - ".csscomb.json"
+  - "Dockerfile.assets"
+  - "*_VERSION"
+  - "Gemfile{,.lock}"
+  - "Rakefile"
+  - "{babel.config,jest.config}.js"
+  - "config.ru"
+  - "{package.json,yarn.lock}"
+  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
+  - "doc/api/graphql/reference/*"  # Files in this folder are auto-generated
+  # Backstage changes
+  - "Dangerfile"
+  - "danger/**/*"
+  - "{,ee/}fixtures/**/*"
+  - "{,ee/}rubocop/**/*"
+  - "{,ee/}spec/**/*"
+  - "doc/README.md"  # Some RSpec test rely on this file
+  # QA changes
+  - ".dockerignore"
+  - "qa/**/*"
+
+####################
+# Cache repo rules #
+####################
+.cache-repo:rules:
+  rules:
+    - <<: *if-cache-credentials-schedule
+      when: on_success
+
+#############
+# CNG rules #
+#############
+.cng:rules:
+  rules:
+    - <<: *if-dot-com-gitlab-org-and-security-tag
+      when: manual
+
+######################
+# Dev fixtures rules #
+######################
+.dev-fixtures:rules:ee-and-foss:
+  rules:
+    - <<: *if-default-refs
+      changes: *code-backstage-patterns
+      when: on_success
+
+.dev-fixtures:rules:ee-only:
+  rules:
+    - <<: *if-not-ee
+      when: never
+    - <<: *if-default-refs
+      changes: *code-backstage-patterns
+      when: on_success
+
+##############
+# Docs rules #
+##############
+.docs:rules:review-docs:
+  rules:
+    - <<: *if-dot-com-gitlab-org-merge-request
+      changes: *docs-patterns
+      when: manual
+
+.docs:rules:docs-lint:
+  rules:
+    - <<: *if-default-refs
+      changes: *docs-patterns
+      when: on_success
+
+.docs:rules:graphql-reference-verify:
+  rules:
+    - <<: *if-not-ee
+      when: never
+    - <<: *if-default-refs
+      changes: *code-backstage-qa-patterns
+      when: on_success
+
+##################
+# Frontend rules #
+##################
+.frontend:rules:gitlab-assets-compile-pull-push-cache:
+  rules:
+    - <<: *if-not-canonical-namespace
+      when: never
+    - <<: *if-master-refs
+      changes: *code-backstage-qa-patterns
+      when: on_success
+
+.frontend:rules:gitlab-assets-compile-pull-cache:
+  rules:
+    - <<: *if-not-canonical-namespace
+      when: never
+    - <<: *if-default-refs
+      changes: *code-backstage-qa-patterns
+      when: on_success
+
+.frontend:rules:compile-assets-pull-push-cache:
+  rules:
+    - <<: *if-master-refs
+      changes: *code-backstage-qa-patterns
+      when: on_success
+
+.frontend:rules:compile-assets-pull-push-cache-as-if-foss:
+  rules:
+    - <<: *if-not-ee
+      when: never
+    - <<: *if-master-refs
+      changes: *code-backstage-qa-patterns
+      when: on_success
+
+.frontend:rules:compile-assets-pull-cache:
+  rules:
+    - <<: *if-default-refs
+      changes: *code-backstage-qa-patterns
+      when: on_success
+
+.frontend:rules:compile-assets-pull-cache-as-if-foss:
+  rules:
+    - <<: *if-not-ee
+      when: never
+    - <<: *if-default-refs
+      changes: *code-backstage-qa-patterns
+      when: on_success
+
+.frontend:rules:default-frontend-jobs:
+  rules:
+    - <<: *if-default-refs
+      changes: *code-backstage-patterns
+      when: on_success
+
+.frontend:rules:default-frontend-jobs-as-if-foss:
+  rules:
+    - <<: *if-not-ee
+      when: never
+    - <<: *if-default-refs
+      changes: *code-backstage-patterns
+      when: on_success
+
+.frontend:rules:qa-frontend-node:
+  rules:
+    - <<: *if-master-refs
+      when: on_success
+
+################
+# Memory rules #
+################
+.memory:rules:
+  rules:
+    - <<: *if-default-refs
+      changes: *code-patterns
+      when: on_success
+
+###############
+# Pages rules #
+###############
+.pages:rules:
+  rules:
+    - <<: *if-dot-com-gitlab-org-master
+      changes: *code-backstage-qa-patterns
+      when: on_success
+
+############
+# QA rules #
+############
+.qa:rules:ee-and-foss:
+  rules:
+    - <<: *if-default-refs
+      changes: *code-qa-patterns
+      when: on_success
+
+.qa:rules:ee-only:
+  rules:
+    - <<: *if-not-ee
+      when: never
+    - <<: *if-default-refs
+      changes: *code-qa-patterns
+      when: on_success
+
+.qa:rules:package-and-qa:
+  rules:
+    - <<: *if-dot-com-gitlab-org-merge-request
+      changes: *qa-patterns
+      when: on_success
+    - <<: *if-dot-com-gitlab-org-merge-request
+      changes: *code-patterns
+      when: manual
+    - <<: *if-dot-com-gitlab-org-schedule
+      when: on_success
+
+###############
+# Rails rules #
+###############
+.rails:rules:ee-and-foss:
+  rules:
+    - <<: *if-default-refs
+      changes: *code-backstage-patterns
+      when: on_success
+
+.rails:rules:default-refs-code-backstage-qa:
+  rules:
+    - <<: *if-default-refs
+      changes: *code-backstage-qa-patterns
+      when: on_success
+
+.rails:rules:master-refs-code-backstage:
+  rules:
+    - <<: *if-master-refs
+      changes: *code-backstage-patterns
+      when: on_success
+
+.rails:rules:master-refs-code-backstage-ee-only:
+  rules:
+    - <<: *if-not-ee
+      when: never
+    - <<: *if-master-refs
+      changes: *code-backstage-patterns
+      when: on_success
+
+.rails:rules:ee-only:
+  rules:
+    - <<: *if-not-ee
+      when: never
+    - <<: *if-default-refs
+      changes: *code-backstage-patterns
+      when: on_success
+
+.rails:rules:downtime_check:
+  rules:
+    - <<: *if-merge-request
+      changes: *code-backstage-patterns
+      when: on_success
+
+##################
+# Releases rules #
+##################
+.releases:rules:canonical-dot-com-gitlab-stable-branch-only:
+  rules:
+    - if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAME == "gitlab-org/gitlab" && $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable-ee$/'
+
+.releases:rules:canonical-dot-com-security-gitlab-stable-branch-only:
+  rules:
+    - if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAME == "gitlab-org/security/gitlab" && $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable-ee$/'
+
+#################
+# Reports rules #
+#################
+.reports:rules:code_quality:
+  rules:
+    - if: '$CODE_QUALITY_DISABLED'
+      when: never
+    # - <<: *if-master-refs  # To be done in a later iteration: https://gitlab.com/gitlab-org/gitlab/issues/31160#note_278188255
+    - <<: *if-default-refs
+      changes: *code-backstage-patterns
+
+.reports:rules:sast:
+  rules:
+    - if: '$SAST_DISABLED || $GITLAB_FEATURES !~ /\bsast\b/'
+      when: never
+    # - <<: *if-master-refs  # To be done in a later iteration: https://gitlab.com/gitlab-org/gitlab/issues/31160#note_278188255
+    - <<: *if-default-refs
+      changes: *code-backstage-qa-patterns
+
+.reports:rules:dependency_scanning:
+  rules:
+    - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/'
+      when: never
+    # - <<: *if-master-refs  # To be done in a later iteration: https://gitlab.com/gitlab-org/gitlab/issues/31160#note_278188255
+    - <<: *if-default-refs
+      changes: *code-backstage-qa-patterns
+
+.reports:rules:dast:
+  rules:
+    - if: '$DAST_DISABLED || $GITLAB_FEATURES !~ /\bdast\b/'
+      when: never
+    - <<: *if-dot-com-gitlab-org-merge-request
+      changes: *code-qa-patterns
+
+.reports:schedule-dast:
+  rules:
+    - if: '$DAST_DISABLED || $GITLAB_FEATURES !~ /\bdast\b/'
+      when: never
+    - <<: *if-dot-com-gitlab-org-schedule
+
+################
+# Review rules #
+################
+.review:rules:mr-and-schedule:
+  rules:
+    - <<: *if-dot-com-gitlab-org-merge-request
+      changes: *code-qa-patterns
+      when: on_success
+    - <<: *if-dot-com-gitlab-org-schedule
+      when: on_success
+
+.review:rules:mr-only-auto:
+  rules:
+    - <<: *if-dot-com-gitlab-org-merge-request
+      changes: *code-qa-patterns
+      when: on_success
+
+.review:rules:mr-only-manual:
+  rules:
+    - <<: *if-dot-com-gitlab-org-merge-request
+      changes: *code-qa-patterns
+      when: manual
+
+.review:rules:review-cleanup:
+  rules:
+    - <<: *if-dot-com-gitlab-org-merge-request
+      changes: *code-qa-patterns
+      when: manual
+    - <<: *if-dot-com-gitlab-org-schedule
+      when: on_success
+
+.review:rules:danger:
+  rules:
+    - if: '$DANGER_GITLAB_API_TOKEN && $CI_MERGE_REQUEST_IID'
+      when: on_success
+
+###############
+# Setup rules #
+###############
+.setup:rules:cache-gems:
+  rules:
+    - <<: *if-not-canonical-namespace
+      when: never
+    - <<: *if-master-or-tag
+      changes: *code-backstage-qa-patterns
+      when: on_success
+
+.setup:rules:gitlab_git_test:
+  rules:
+    - <<: *if-default-refs
+      changes: *code-backstage-patterns
+      when: on_success
+
+.setup:rules:no_ee_check:
+  rules:
+    - <<: *if-not-foss
+      when: never
+    - <<: *if-default-refs
+      changes: *code-backstage-patterns
+      when: on_success
+
+#######################
+# Test metadata rules #
+#######################
+.test-metadata:rules:retrieve-tests-metadata:
+  rules:
+    - <<: *if-default-refs
+      changes: *code-backstage-patterns
+      when: on_success
+
+.test-metadata:rules:update-tests-metadata:
+  rules:
+    - <<: *if-dot-com-ee-schedule
+      changes: *code-backstage-patterns
+      when: on_success
+
+.test-metadata:rules:flaky-examples-check:
+  rules:
+    - <<: *if-merge-request
+      changes: *code-backstage-patterns
+      when: on_success
+
+
+##############
+# YAML rules #
+##############
+.yaml:rules:
+  rules:
+    - <<: *if-default-refs
+      changes: *yaml-patterns
--- a/.gitlab/ci/setup.gitlab-ci.yml
+++ b/.gitlab/ci/setup.gitlab-ci.yml
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-not-canonical-namespace: &if-not-canonical-namespace
-  if: '$CI_PROJECT_NAMESPACE !~ /^gitlab(-org)?($|\/)/'
-
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-not-foss: &if-not-foss
-  if: '$CI_PROJECT_NAME != "gitlab-foss" && $CI_PROJECT_NAME != "gitlab-ce" && $CI_PROJECT_NAME != "gitlabhq"'
-
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-master-or-tag: &if-master-or-tag
-  if: '$CI_COMMIT_REF_NAME == "master" || $CI_COMMIT_TAG'
-
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-default-refs: &if-default-refs
-  if: '$CI_COMMIT_REF_NAME == "master" || $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/ || $CI_COMMIT_REF_NAME =~ /^\d+-\d+-auto-deploy-\d+$/ || $CI_COMMIT_REF_NAME =~ /^security\// || $CI_MERGE_REQUEST_IID || $CI_COMMIT_TAG'
-
-# Make sure to update all the similar patterns in other CI config files if you modify these patterns
-.code-backstage-patterns: &code-backstage-patterns
-  - ".gitlab/ci/**/*"
-  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
-  - ".csscomb.json"
-  - "Dockerfile.assets"
-  - "*_VERSION"
-  - "Gemfile{,.lock}"
-  - "Rakefile"
-  - "{babel.config,jest.config}.js"
-  - "config.ru"
-  - "{package.json,yarn.lock}"
-  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
-  - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
-  # Backstage changes
-  - "Dangerfile"
-  - "danger/**/*"
-  - "{,ee/}fixtures/**/*"
-  - "{,ee/}rubocop/**/*"
-  - "{,ee/}spec/**/*"
-  - "doc/README.md"  # Some RSpec test rely on this file
-
-# Make sure to update all the similar patterns in other CI config files if you modify these patterns
-.code-backstage-qa-patterns: &code-backstage-qa-patterns
-  - ".gitlab/ci/**/*"
-  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
-  - ".csscomb.json"
-  - "Dockerfile.assets"
-  - "*_VERSION"
-  - "Gemfile{,.lock}"
-  - "Rakefile"
-  - "{babel.config,jest.config}.js"
-  - "config.ru"
-  - "{package.json,yarn.lock}"
-  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
-  - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
-  # Backstage changes
-  - "Dangerfile"
-  - "danger/**/*"
-  - "{,ee/}fixtures/**/*"
-  - "{,ee/}rubocop/**/*"
-  - "{,ee/}spec/**/*"
-  - "doc/README.md"  # Some RSpec test rely on this file
-  # QA changes
-  - ".dockerignore"
-  - "qa/**/*"
-
-.setup:rules:cache-gems:
-  rules:
-    - <<: *if-not-canonical-namespace
-      when: never
-    - <<: *if-master-or-tag
-      changes: *code-backstage-qa-patterns
-      when: on_success
-
-.setup:rules:gitlab_git_test:
-  rules:
-    - <<: *if-default-refs
-      changes: *code-backstage-patterns
-      when: on_success
-
-.setup:rules:no_ee_check:
-  rules:
-    - <<: *if-not-foss
-      when: never
-    - <<: *if-default-refs
-      changes: *code-backstage-patterns
-      when: on_success
-
 # Insurance in case a gem needed by one of our releases gets yanked from
 # rubygems.org in the future.
 cache gems:

--- a/.gitlab/ci/test-metadata.gitlab-ci.yml
+++ b/.gitlab/ci/test-metadata.gitlab-ci.yml
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-default-refs: &if-default-refs
-  if: '$CI_COMMIT_REF_NAME == "master" || $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/ || $CI_COMMIT_REF_NAME =~ /^\d+-\d+-auto-deploy-\d+$/ || $CI_COMMIT_REF_NAME =~ /^security\// || $CI_MERGE_REQUEST_IID || $CI_COMMIT_TAG'
-
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-merge-request: &if-merge-request
-  if: '$CI_MERGE_REQUEST_IID'
-
-# Make sure to update all the similar conditions in other CI config files if you modify these conditions
-.if-canonical-dot-com-gitlab-schedule: &if-canonical-dot-com-gitlab-schedule
-  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_PATH == "gitlab-org/gitlab" && $CI_PIPELINE_SOURCE == "schedule"'
-
-# Make sure to update all the similar patterns in other CI config files if you modify these patterns
-.code-backstage-patterns: &code-backstage-patterns
-  - ".gitlab/ci/**/*"
-  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
-  - ".csscomb.json"
-  - "Dockerfile.assets"
-  - "*_VERSION"
-  - "Gemfile{,.lock}"
-  - "Rakefile"
-  - "{babel.config,jest.config}.js"
-  - "config.ru"
-  - "{package.json,yarn.lock}"
-  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
-  - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
-  # Backstage changes
-  - "Dangerfile"
-  - "danger/**/*"
-  - "{,ee/}fixtures/**/*"
-  - "{,ee/}rubocop/**/*"
-  - "{,ee/}spec/**/*"
-  - "doc/README.md"  # Some RSpec test rely on this file
-
-.test-metadata:rules:retrieve-tests-metadata:
-  rules:
-    - <<: *if-default-refs
-      changes: *code-backstage-patterns
-      when: on_success
-
-.test-metadata:rules:update-tests-metadata:
-  rules:
-    - <<: *if-canonical-dot-com-gitlab-schedule
-      changes: *code-backstage-patterns
-      when: on_success
-
-.test-metadata:rules:flaky-examples-check:
-  rules:
-    - <<: *if-merge-request
-      changes: *code-backstage-patterns
-      when: on_success
-
 .tests-metadata-state:
  variables:
    TESTS_METADATA_S3_BUCKET: "gitlab-ce-cache"

--- a/.gitlab/ci/yaml.gitlab-ci.yml
+++ b/.gitlab/ci/yaml.gitlab-ci.yml
@@ -4,10 +4,7 @@ lint-ci-gitlab:
  extends:
    - .default-tags
    - .default-retry
-    - .default-only
-  only:
-    changes:
-      - "**/*.yml"
+    - .yaml:rules
  image: sdesbure/yamllint:latest
  dependencies: []
  variables:

--- a/doc/development/pipelines.md
+++ b/doc/development/pipelines.md
@@ -64,180 +64,62 @@ Most of the jobs [extend from a few CI definitions](../ci/yaml/README.md#extends
 that are scoped to a single
 [configuration parameter](../ci/yaml/README.md#configuration-parameters).

-These common definitions are:
-
- `.default-tags`: Ensures a job has the `gitlab-org` tag to ensure it's using
-  our dedicated runners.
- `.default-retry`: Allows a job to [retry](../ci/yaml/README.md#retry) upon `unknown_failure`, `api_failure`,
-  `runner_system_failure`, `job_execution_timeout`, or `stuck_or_timeout_failure`.
- `.default-before_script`: Allows a job to use a default `before_script` definition
-  suitable for Ruby/Rails tasks that may need a database running (e.g. tests).
- `.default-cache`: Allows a job to use a default `cache` definition suitable for
-  Ruby/Rails and frontend tasks.
- `.default-only`: Restricts the cases where a job is created. This currently
-  includes `master`, `/^[\d-]+-stable(-ee)?$/` (stable branches),
-  `/^\d+-\d+-auto-deploy-\d+$/` (auto-deploy branches), `/^security\//` (security branches), `merge_requests`, `tags`.
-  Note that jobs won't be created for branches with this default configuration.
- `.only:variables-canonical-dot-com`: Only creates a job if the project is
-  located under <https://gitlab.com/gitlab-org>.
- `.only:variables_refs-canonical-dot-com-schedules`: Same as
-  `.only:variables-canonical-dot-com` but add the condition that pipeline is scheduled.
- `.except:refs-deploy`: Don't create a job if the `ref` is an auto-deploy branch.
- `.except:refs-master-tags-stable-deploy`: Don't create a job if the `ref` is one of:
-  - `master`
-  - a tag
-  - a stable branch
-  - an auto-deploy branch
- `.only:kubernetes`: Only creates a job if a Kubernetes integration is enabled
-  on the project.
- `.only-review`: This extends from:
-  - `.only:variables-canonical-dot-com`
-  - `.only:kubernetes`
-  - `.except:refs-master-tags-stable-deploy`
- `.only-review-schedules`: This extends from:
-  - `.only:variables_refs-canonical-dot-com-schedules`
-  - `.only:kubernetes`
-  - `.except:refs-deploy`
- `.use-pg9`: Allows a job to use the `postgres:9.6` and `redis:alpine` services.
- `.use-pg10`: Allows a job to use the `postgres:10.9` and `redis:alpine` services.
- `.use-pg9-ee`: Same as `.use-pg9` but also use the
-  `docker.elastic.co/elasticsearch/elasticsearch:5.6.12` services.
- `.use-pg10-ee`: Same as `.use-pg10` but also use the
-  `docker.elastic.co/elasticsearch/elasticsearch:5.6.12` services.
- `.only-ee`: Only creates a job for the `gitlab` or `gitlab-ee` project.
- `.only-ee-as-if-foss`: Same as `.only-ee` but simulate the FOSS project by
-  setting the `FOSS_ONLY='1'` environment variable.
-
-## Changes detection
-
-If a job extends from `.default-only` (and most of the jobs should), it can restrict
-the cases where it should be created
-[based on the changes](../ci/yaml/README.md#onlychangesexceptchanges)
-from a commit or MR by extending from the following CI definitions:
-
- `.only:changes-code`: Allows a job to only be created upon code-related changes.
- `.only:changes-qa`: Allows a job to only be created upon QA-related changes.
- `.only:changes-docs`: Allows a job to only be created upon docs-related changes.
- `.only:changes-graphql`: Allows a job to only be created upon GraphQL-related changes.
- `.only:changes-code-backstage`: Allows a job to only be created upon code-related or backstage-related (e.g. Danger, RuboCop, specs) changes.
- `.only:changes-code-qa`: Allows a job to only be created upon code-related or QA-related changes.
- `.only:changes-code-backstage-qa`: Allows a job to only be created upon code-related, backstage-related (e.g. Danger, RuboCop, specs) or QA-related changes.
-
-**See <https://gitlab.com/gitlab-org/gitlab/blob/master/.gitlab/ci/global.gitlab-ci.yml>
-for the list of exact patterns.**
-
-## Rules conditions and changes patterns
-
-We're making use of the [`rules` keyword](https://docs.gitlab.com/ee/ci/yaml/#rules) but we're currently
-duplicating the `if` conditions and `changes` patterns lists since they cannot be shared across
-`include`d files as we do with `extends`.
-
-**If you update an `if` condition or `changes`
-patterns list, make sure to mass-update those across all the CI config files (i.e. `.gitlab/ci/*.yml`).**
-
-### Canonical/security namespace merge requests only
-
-This condition limits jobs creation to merge requests under the `gitlab-org/` top-level group
-on GitLab.com only (i.e. this won't run for `master`, stable or auto-deploy branches).
-This is similar to the `.only:variables-canonical-dot-com` + `only:refs: [merge_requests]`
-CI definitions.
-
-The definition for `if-canonical-dot-com-gitlab-org-groups-merge-request` can be
-seen in <https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/ci/docs.gitlab-ci.yml>.
-
-### Canonical/security namespace tags only
-
-This condition limits jobs creation to tags under the `gitlab-org/` top-level group
-on GitLab.com only.
-This is similar to the `.only:variables-canonical-dot-com` + `only:refs: [tags]` CI definition:
-
-The definition for `if-canonical-dot-com-gitlab-org-groups-tag` can be seen in
-<https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/ci/cng.gitlab-ci.yml>.
-
-### Canonical namespace `master` only
-
-This condition limits jobs creation to `master` pipelines for the `gitlab-org` top-level group
-on GitLab.com only.
-This is similar to the `.only:variables-canonical-dot-com` + `only:refs: [master]` CI definition:
-
-The definition for `if-canonical-dot-com-gitlab-org-group-master-refs` can be
-seen in <https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/ci/pages.gitlab-ci.yml>.
-
-### Canonical namespace schedules only
-
-This condition limits jobs creation to scheduled pipelines for the `gitlab-org` top-level group
-on GitLab.com only.
-This is similar to the `.only:variables-canonical-dot-com` + `only:refs: [schedules]` CI definition:
-
-The definition for `if-canonical-dot-com-gitlab-org-group-schedule` can be seen
-in <https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/ci/qa.gitlab-ci.yml>.
-
-### Not canonical/security namespace
-
-This condition matches if the project isn't in the canonical/security namespace.
-Useful to **not** create a job if the project is a fork, or in other words, when
-a job should only run in the canonical projects.
-
-The definition for `if-not-canonical-namespace` can be seen in
-<https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/ci/frontend.gitlab-ci.yml>.
-
-### Not EE
-
-This condition matches if the project isn't EE. Useful to **not** create a job if
-the project is GitLab, or in other words, when a job should only run in the GitLab
-FOSS project.
-
-The definition for `if-not-ee` can be seen in
-<https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/ci/frontend.gitlab-ci.yml>.
-
-### Default refs only
-
-This condition is the equivalent of `.default-only`.
-
-The definition for `if-default-refs` can be seen in
-<https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/ci/frontend.gitlab-ci.yml>.
-
-### `master` refs only
-
-This condition is the equivalent of `only:refs: [master]`.
-
-The definition for `if-master-refs` can be seen in
-<https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/ci/frontend.gitlab-ci.yml>.
-
-### Code changes patterns
-
-Similar patterns as for `.only:changes-code`:
-
-The definition for `code-patterns` can be seen in
-<https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/ci/qa.gitlab-ci.yml>.
-
-### QA changes patterns
-
-Similar patterns as for `.only:changes-qa`:
-
-The definition for `qa-patterns` can be seen in
-<https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/ci/qa.gitlab-ci.yml>.
-
-### Docs changes patterns
-
-Similar patterns as for `.only:changes-docs`:
-
-The definition for `docs-patterns` can be seen in
-<https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/ci/docs.gitlab-ci.yml>.
-
-### Code and QA changes patterns
-
-Similar patterns as for `.only:changes-code-qa`:
-
-The definition for `code-qa-patterns` can be seen in
-<https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/ci/review.gitlab-ci.yml>.
-
-### Code, backstage and QA changes patterns
-
-Similar patterns as for `.only:changes-code-backstage-qa`:
-
-The definition for `code-backstage-qa-patterns` can be seen in
-<https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/ci/frontend.gitlab-ci.yml>.
+| Job definitions  | Description |
+|------------------|-------------|
+| `.default-tags` | Ensures a job has the `gitlab-org` tag to ensure it's using our dedicated runners. |
+| `.default-retry` | Allows a job to [retry](../ci/yaml/README.md#retry) upon `unknown_failure`, `api_failure`, `runner_system_failure`, `job_execution_timeout`, or `stuck_or_timeout_failure`. |
+| `.default-before_script` | Allows a job to use a default `before_script` definition suitable for Ruby/Rails tasks that may need a database running (e.g. tests). |
+| `.default-cache` | Allows a job to use a default `cache` definition suitable for Ruby/Rails and frontend tasks. |
+| `.use-pg9` | Allows a job to use the `postgres:9.6.17` and `redis:alpine` services. |
+| `.use-pg10` | Allows a job to use the `postgres:10.12` and `redis:alpine` services. |
+| `.use-pg9-ee` | Same as `.use-pg9` but also use the `docker.elastic.co/elasticsearch/elasticsearch:6.4.2` services. |
+| `.use-pg10-ee` | Same as `.use-pg10` but also use the `docker.elastic.co/elasticsearch/elasticsearch:6.4.2` services. |
+| `.as-if-foss` | Simulate the FOSS project by setting the `FOSS_ONLY='1'` environment variable. |
+
+## `rules`, `if:` conditions and `changes:` patterns
+
+We're using the [`rules` keyword](../ci/yaml/README.md#rules) extensively.
+
+All `rules` definitions are defined in
+<https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/ci/rules.gitlab-ci.yml>,
+then included in individual jobs via [`extends`](../ci/yaml/README.md#extends).
+
+The `rules` definitions are composed of `if:` conditions and `changes:` patterns,
+which are also defined in
+<https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/ci/rules.gitlab-ci.yml>
+and included in `rules` definitions via [YAML anchors](../ci/yaml/README.md#anchors)
+
+### `if:` conditions
+
+| `if:` conditions | Description | Notes |
+|------------------|-------------|-------|
+| `if-not-canonical-namespace`                                 | Matches if the project isn't in the canonical (`gitlab-org/`) or security (`gitlab-org/security`) namespace. | Use to create a job for forks (by using `when: on_success\|manual`), or **not** create a job for forks (by using `when: never`). |
+| `if-not-ee`                                                  | Matches if the project isn't EE (i.e. project name isn't `gitlab` or `gitlab-ee`). | Use to create a job only in the FOSS project (by using `when: on_success|manual`), or **not** create a job if the project is EE (by using `when: never`). |
+| `if-not-foss`                                                | Matches if the project isn't FOSS (i.e. project name isn't `gitlab-foss`, `gitlab-ce`, or `gitlabhq`). | Use to create a job only in the EE project (by using `when: on_success|manual`), or **not** create a job if the project is FOSS (by using `when: never`). |
+| `if-default-refs`                                            | Matches if the pipeline is for `master`, `/^[\d-]+-stable(-ee)?$/` (stable branches), `/^\d+-\d+-auto-deploy-\d+$/` (auto-deploy branches), `/^security\//` (security branches), merge requests, and tags. | Note that jobs won't be created for branches with this default configuration. |
+| `if-master-refs`                                             | Matches if the current branch is `master`. | |
+| `if-master-or-tag`                                           | Matches if the pipeline is for the `master` branch or for a tag. | |
+| `if-merge-request`                                           | Matches if the pipeline is for a merge request. | |
+| `if-dot-com-gitlab-org-schedule`                             | Limits jobs creation to scheduled pipelines for the `gitlab-org` group on GitLab.com. | |
+| `if-dot-com-gitlab-org-master`                               | Limits jobs creation to the `master` branch for the `gitlab-org` group on GitLab.com. | |
+| `if-dot-com-gitlab-org-merge-request`                        | Limits jobs creation to merge requests for the `gitlab-org` group on GitLab.com. | |
+| `if-dot-com-gitlab-org-and-security-tag`                     | Limits job creation to tags for the `gitlab-org` and `gitlab-org/security` groups on GitLab.com. | |
+| `if-dot-com-gitlab-org-and-security-merge-request`           | Limit jobs creation to merge requests for the `gitlab-org` and `gitlab-org/security` groups on GitLab.com. | |
+| `if-dot-com-ee-schedule`                                     | Limits jobs to scheduled pipelines for the `gitlab-org/gitlab` project on GitLab.com. | |
+| `if-cache-credentials-schedule`                              | Limits jobs to scheduled pipelines with the `$CI_REPO_CACHE_CREDENTIALS` variable set. | |
+
+### `changes:` patterns
+
+| `changes:` patterns          | Description                                                              |
+|------------------------------|--------------------------------------------------------------------------|
+| `yaml-patterns`              | Only create job for YAML-related changes.                                |
+| `docs-patterns`              | Only create job for docs-related changes.                                |
+| `backstage-patterns`         | Only create job for backstage-related changes.                           |
+| `code-patterns`              | Only create job for code-related changes.                                |
+| `qa-patterns`                | Only create job for QA-related changes.                                  |
+| `code-backstage-patterns`    | Combination of `code-patterns` and `backstage-patterns`.                 |
+| `code-qa-patterns`           | Combination of `code-patterns` and `qa-patterns`.                        |
+| `code-backstage-qa-patterns` | Combination of `code-patterns`, `backstage-patterns`, and `qa-patterns`. |

 ## Directed acyclic graph

@@ -254,11 +136,11 @@ graph RL;
  F[build-qa-image];
  G[review-deploy];
  I["karma, jest, webpack-dev-server, static-analysis"];
-  I2["karma-foss, jest-foss<br/>(EE default refs only)"];
+  I2["karma-as-if-foss, jest-as-if-foss<br/>(EE default refs only)"];
  J["compile-assets pull-push-cache<br/>(master only)"];
-  J2["compile-assets pull-push-cache foss<br/>(EE master only)"];
+  J2["compile-assets pull-push-cache as-if-foss<br/>(EE master only)"];
  K[compile-assets pull-cache];
-  K2["compile-assets pull-cache foss<br/>(EE default refs only)"];
+  K2["compile-assets pull-cache as-if-foss<br/>(EE default refs only)"];
  M[coverage];
  N["pages (master only)"];
  Q[package-and-qa];