Merge branch '14-10-stable-ee-patch-3' into '14-10-stable-ee'

Prepare 14.10.3-ee release (2nd preparation MR)

See merge request gitlab-org/gitlab!88013

app/controllers/projects/settings/ci_cd_controller.rb

@@ -87,7 +87,7 @@ module Projects
       def permitted_project_params
         [
           :runners_token, :builds_enabled, :build_allow_git_fetch,
-          :build_timeout_human_readable, :build_coverage_regex, :public_builds,
+          :build_timeout_human_readable, :build_coverage_regex, :public_builds, :ci_separated_caches,
           :auto_cancel_pending_pipelines, :ci_config_path, :auto_rollback_enabled,
           auto_devops_attributes: [:id, :domain, :enabled, :deploy_strategy],
           ci_cd_settings_attributes: [:default_git_depth, :forward_deployment_enabled]

app/controllers/projects_controller.rb

@@ -451,6 +451,7 @@ class ProjectsController < Projects::ApplicationController
       :initialize_with_sast,
       :initialize_with_readme,
       :autoclose_referenced_issues,
+      :ci_separated_caches,
       :suggestion_commit_message,
       :packages_enabled,
       :service_desk_enabled,

app/models/ci/build.rb

@@ -911,6 +911,8 @@ module Ci
         end
       end
 
+      return cache unless project.ci_separated_caches
+
       type_suffix = pipeline.protected_ref? ? 'protected' : 'non_protected'
       cache.map do |entry|
         entry.merge(key: "#{entry[:key]}-#{type_suffix}")

app/models/project.rb

@@ -471,6 +471,7 @@ class Project < ApplicationRecord
   delegate :job_token_scope_enabled, :job_token_scope_enabled=, to: :ci_cd_settings, prefix: :ci, allow_nil: true
   delegate :keep_latest_artifact, :keep_latest_artifact=, to: :ci_cd_settings, allow_nil: true
   delegate :restrict_user_defined_variables, :restrict_user_defined_variables=, to: :ci_cd_settings, allow_nil: true
+  delegate :separated_caches, :separated_caches=, to: :ci_cd_settings, prefix: :ci, allow_nil: true
   delegate :runner_token_expiration_interval, :runner_token_expiration_interval=, :runner_token_expiration_interval_human_readable, :runner_token_expiration_interval_human_readable=, to: :ci_cd_settings, allow_nil: true
   delegate :actual_limits, :actual_plan_name, :actual_plan, to: :namespace, allow_nil: true
   delegate :allow_merge_on_skipped_pipeline, :allow_merge_on_skipped_pipeline?,

app/models/project_ci_cd_setting.rb

@@ -18,6 +18,7 @@ class ProjectCiCdSetting < ApplicationRecord
     allow_nil: true
 
   default_value_for :forward_deployment_enabled, true
+  default_value_for :separated_caches, true
 
   chronic_duration_attr :runner_token_expiration_interval_human_readable, :runner_token_expiration_interval
 

app/views/projects/settings/ci_cd/_form.html.haml

 - help_link_public_pipelines = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'change-which-users-can-view-your-pipelines'), target: '_blank', rel: 'noopener noreferrer'
 - help_link_auto_canceling = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'auto-cancel-redundant-pipelines'), target: '_blank', rel: 'noopener noreferrer'
-- help_link_skip_outdated =link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'skip-outdated-deployment-jobs'), target: '_blank', rel: 'noopener noreferrer'
+- help_link_skip_outdated = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'skip-outdated-deployment-jobs'), target: '_blank', rel: 'noopener noreferrer'
+- help_link_separated_caches = link_to sprite_icon('question-o'), help_page_path('ci/caching/index', anchor: 'cache-key-names'), target: '_blank', rel: 'noopener noreferrer'
 
 .row.gl-mt-3
   .col-lg-12
@@ -24,6 +25,11 @@
             = form.gitlab_ui_checkbox_component :forward_deployment_enabled, _("Skip outdated deployment jobs"),
               help_text: (_('When a deployment job is successful, skip older deployment jobs that are still pending.') + ' ' + help_link_skip_outdated).html_safe
 
+        .form-group
+          = f.gitlab_ui_checkbox_component :ci_separated_caches,
+            s_("CICD|Use separate caches for protected branches"),
+            help_text: (s_('CICD|Unprotected branches will not have access to the cache from protected branches.') + ' ' + help_link_separated_caches).html_safe
+
         .form-group
           = f.label :ci_config_path, _('CI/CD configuration file'), class: 'label-bold'
           = f.text_field :ci_config_path, class: 'form-control', placeholder: '.gitlab-ci.yml'

db/migrate/20220507204024_add_separated_caches_option_to_project_ci_settings.rb

+# frozen_string_literal: true
+
+class AddSeparatedCachesOptionToProjectCiSettings < Gitlab::Database::Migration[2.0]
+  enable_lock_retries!
+
+  def change
+    add_column :project_ci_cd_settings, :separated_caches, :boolean, default: true, null: false
+  end
+end

db/schema_migrations/20220507204024

+8014dcf24ac2f1171240daa349e0552cb313b06f756b84e09a16d76a8810132a
\ No newline at end of file

db/structure.sql

@@ -19054,7 +19054,8 @@ CREATE TABLE project_ci_cd_settings (
     keep_latest_artifact boolean DEFAULT true NOT NULL,
     restrict_user_defined_variables boolean DEFAULT false NOT NULL,
     job_token_scope_enabled boolean DEFAULT false NOT NULL,
-    runner_token_expiration_interval integer
+    runner_token_expiration_interval integer,
+    separated_caches boolean DEFAULT true NOT NULL
 );
 
 CREATE SEQUENCE project_ci_cd_settings_id_seq

doc/ci/caching/index.md

@@ -31,7 +31,7 @@ can't link to files outside it.
 - Subsequent pipelines can use the cache.
 - Subsequent jobs in the same pipeline can use the cache, if the dependencies are identical.
 - Different projects cannot share the cache.
-- Protected and non-protected branches do not share the cache.
+- By default, protected and non-protected branches [do not share the cache](#cache-key-names). However, you can [change this behavior](#use-the-same-cache-for-all-branches).
 
 ### Artifacts
 
@@ -447,7 +447,7 @@ is stored on the machine where GitLab Runner is installed. The location also dep
 If you use cache and artifacts to store the same path in your jobs, the cache might
 be overwritten because caches are restored before artifacts.
 
-### Segregation of caches between protected and non-protected branches
+#### Cache key names
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/330047) in GitLab 15.0.
 
@@ -463,6 +463,24 @@ and `feature`, then the following table represents the resulting cache keys:
 | `main`      | `main-protected` |
 | `feature`   | `feature-non_protected` |
 
+##### Use the same cache for all branches
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/361643) in GitLab 15.0.
+
+If you do not want to use [cache key names](#cache-key-names),
+you can have all branches (protected and unprotected) use the same cache.
+
+The cache separation with [cache key names](#cache-key-names) is a security feature
+and should only be disabled in an environment where all users with Developer role are highly trusted.
+
+To use the same cache for all branches:
+
+1. On the top bar, select **Menu > Projects** and find your project.
+1. On the left sidebar, select **Settings > CI/CD**.
+1. Expand **General pipelines**.
+1. Clear the **Use separate caches for protected branches** checkbox.
+1. Select **Save changes**.
+
 ### How archiving and extracting works
 
 This example shows two jobs in two consecutive stages:

lib/api/entities/project.rb

@@ -99,6 +99,7 @@ module API
       expose :ci_default_git_depth
       expose :ci_forward_deployment_enabled
       expose :ci_job_token_scope_enabled
+      expose :ci_separated_caches
       expose :public_builds, as: :public_jobs
       expose :build_git_strategy, if: lambda { |project, options| options[:user_can_admin_project] } do |project, options|
         project.build_allow_git_fetch ? 'fetch' : 'clone'

locale/gitlab.pot

@@ -6660,6 +6660,12 @@ msgstr ""
 msgid "CICD|The Auto DevOps pipeline runs if no alternative CI configuration file is found."
 msgstr ""
 
+msgid "CICD|Unprotected branches will not have access to the cache from protected branches."
+msgstr ""
+
+msgid "CICD|Use separate caches for protected branches"
+msgstr ""
+
 msgid "CICD|group enabled"
 msgstr ""
 

spec/models/ci/build_spec.rb

@@ -1069,6 +1069,32 @@ RSpec.describe Ci::Build do
             is_expected.to all(a_hash_including(key: a_string_matching(/-non_protected$/)))
           end
         end
+
+        context 'when separated caches are disabled' do
+          before do
+            allow_any_instance_of(Project).to receive(:ci_separated_caches).and_return(false)
+          end
+
+          context 'running on protected ref' do
+            before do
+              allow(build.pipeline).to receive(:protected_ref?).and_return(true)
+            end
+
+            it 'is expected to have no type suffix' do
+              is_expected.to match([a_hash_including(key: 'key-1'), a_hash_including(key: 'key2-1')])
+            end
+          end
+
+          context 'running on not protected ref' do
+            before do
+              allow(build.pipeline).to receive(:protected_ref?).and_return(false)
+            end
+
+            it 'is expected to have no type suffix' do
+              is_expected.to match([a_hash_including(key: 'key-1'), a_hash_including(key: 'key2-1')])
+            end
+          end
+        end
       end
 
       context 'when project has jobs_cache_index' do

spec/requests/api/project_attributes.yml

@@ -99,6 +99,7 @@ ci_cd_settings:
     default_git_depth: ci_default_git_depth
     forward_deployment_enabled: ci_forward_deployment_enabled
     job_token_scope_enabled: ci_job_token_scope_enabled
+    separated_caches: ci_separated_caches
 
 build_import_state: # import_state
   unexposed_attributes: