Add latest changes from gitlab-org/gitlab@master

app/assets/stylesheets/framework/sidebar.scss

@@ -84,6 +84,12 @@
 
 .right-sidebar {
   border-left: 1px solid $border-color;
+
+  .sidebar-container,
+  .issuable-sidebar {
+    // Add 100px so that potentially visible vertical scroll bar is hidden
+    width: calc(100% + 100px);
+  }
 }
 
 .with-performance-bar .right-sidebar.affix {
@@ -129,7 +135,6 @@
 
   .issuable-sidebar {
     padding: 0 3px;
-    width: calc(100% + 35px);
   }
 }
 

app/assets/stylesheets/pages/builds.scss

@@ -176,7 +176,6 @@
   }
 
   .sidebar-container {
-    width: calc(100% + 100px);
     padding-right: 100px;
     height: 100%;
     overflow-y: scroll;

app/assets/stylesheets/pages/issuable.scss

@@ -309,7 +309,6 @@
   }
 
   .issuable-sidebar {
-    width: 100%;
     height: 100%;
     overflow-y: scroll;
     overflow-x: hidden;

app/assets/stylesheets/pages/wiki.scss

@@ -80,7 +80,6 @@
 
   .sidebar-container {
     padding: $gl-padding 0;
-    width: calc(100% + 100px);
     padding-right: 100px;
     height: 100%;
     overflow-y: scroll;

changelogs/unreleased/196226-rightsidebar-collapsed-always-on-scrollbar.yml

+---
+title: Fix right sidebar when scrollbars are always visible
+merge_request: 27314
+author: Shawn @CasualBot
+type: fixed

changelogs/unreleased/212526-oauth-orphan-check.yml

+---
+title: Fix Gitlab::Auth to handle orphaned oauth tokens
+merge_request: 28159
+author:
+type: fixed

changelogs/unreleased/dockerfile_swift_template.yml

+---
+title: "Add Swift Dockerfile to GitLab templates"
+merge_request: 28035
+author:
+type: added

danger/changelog/Dangerfile

@@ -28,7 +28,7 @@ def check_changelog_yaml(path)
 
   if yaml["merge_request"].nil? && !helper.security_mr?
     message "Consider setting `merge_request` to #{gitlab.mr_json["iid"]} in #{gitlab.html_link(path)}. #{SEE_DOC}"
-  elsif yaml["merge_request"] != gitlab.mr_json["iid"]
+  elsif yaml["merge_request"] != gitlab.mr_json["iid"] && !helper.security_mr?
     fail "Merge request ID was not set to #{gitlab.mr_json["iid"]}! #{SEE_DOC}"
   end
 rescue Psych::SyntaxError, Psych::DisallowedClass, Psych::BadAlias

doc/api/templates/dockerfiles.md

@@ -91,6 +91,10 @@ Example response:
   {
     "key": "Ruby-alpine",
     "name": "Ruby-alpine"
+  },
+  {
+    "key": "Swift",
+    "name": "Swift"
   }
 ]
 ```

lib/gitlab/auth.rb

@@ -164,20 +164,18 @@ module Gitlab
         Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities)
       end
 
-      # rubocop: disable CodeReuse/ActiveRecord
       def oauth_access_token_check(login, password)
         if login == "oauth2" && password.present?
           token = Doorkeeper::AccessToken.by_token(password)
 
           if valid_oauth_token?(token)
-            user = User.find_by(id: token.resource_owner_id)
-            return unless user.can?(:log_in)
+            user = User.id_in(token.resource_owner_id).first
+            return unless user&.can?(:log_in)
 
             Gitlab::Auth::Result.new(user, nil, :oauth, full_authentication_abilities)
           end
         end
       end
-      # rubocop: enable CodeReuse/ActiveRecord
 
       def personal_access_token_check(password)
         return unless password.present?

qa/qa/specs/features/browser_ui/6_release/pipeline/parent_child_pipelines_dependent_relationship_spec.rb

+# frozen_string_literal: true
+
+module QA
+  context 'Release', :docker, quarantine: { type: :new } do
+    describe 'Parent-child pipelines dependent relationship' do
+      let!(:project) do
+        Resource::Project.fabricate_via_api! do |project|
+          project.name = 'pipelines-dependent-relationship'
+        end
+      end
+      let!(:runner) do
+        Resource::Runner.fabricate_via_api! do |runner|
+          runner.project = project
+          runner.name = project.name
+          runner.tags = ["#{project.name}"]
+        end
+      end
+
+      before do
+        Flow::Login.sign_in
+      end
+
+      after do
+        runner.remove_via_api!
+      end
+
+      it 'parent pipelines passes if child passes' do
+        add_ci_files(success_child_ci_file)
+        view_pipelines
+
+        Page::Project::Pipeline::Show.perform do |parent_pipeline|
+          parent_pipeline.click_linked_job(project.name)
+
+          expect(parent_pipeline).to have_job("child_job")
+          expect(parent_pipeline).to be_passed
+        end
+      end
+
+      it 'parent pipeline fails if child fails' do
+        add_ci_files(fail_child_ci_file)
+        view_pipelines
+
+        Page::Project::Pipeline::Show.perform do |parent_pipeline|
+          parent_pipeline.click_linked_job(project.name)
+
+          expect(parent_pipeline).to have_job("child_job")
+          expect(parent_pipeline).to be_failed
+        end
+      end
+
+      private
+
+      def view_pipelines
+        Page::Project::Menu.perform(&:click_ci_cd_pipelines)
+        Page::Project::Pipeline::Index.perform(&:wait_for_latest_pipeline_completion)
+        Page::Project::Pipeline::Index.perform(&:click_on_latest_pipeline)
+      end
+
+      def success_child_ci_file
+        {
+          file_path: '.child-ci.yml',
+          content: <<~YAML
+            child_job:
+              stage: test
+              tags: ["#{project.name}"]
+              script: echo "Child job done!"
+
+          YAML
+        }
+      end
+
+      def fail_child_ci_file
+        {
+          file_path: '.child-ci.yml',
+          content: <<~YAML
+            child_job:
+              stage: test
+              tags: ["#{project.name}"]
+              script: exit 1
+
+          YAML
+        }
+      end
+
+      def parent_ci_file
+        {
+          file_path: '.gitlab-ci.yml',
+          content: <<~YAML
+            stages:
+              - test
+              - deploy
+
+            job1:
+              stage: test
+              trigger:
+                include: ".child-ci.yml"
+                strategy: depend
+
+            job2:
+              stage: deploy
+              tags: ["#{project.name}"]
+              script: echo "parent deploy done"
+
+          YAML
+        }
+      end
+
+      def add_ci_files(child_ci_file)
+        Resource::Repository::Commit.fabricate_via_api! do |commit|
+          commit.project = project
+          commit.commit_message = 'Add parent and child pipelines CI files.'
+          commit.add_files(
+            [
+              child_ci_file,
+              parent_ci_file
+            ]
+          )
+        end.project.visit!
+      end
+    end
+  end
+end

qa/qa/specs/features/browser_ui/6_release/pipeline/parent_child_pipelines_independent_relationship_spec.rb

+# frozen_string_literal: true
+
+module QA
+  context 'Release', :docker, quarantine: { type: :new } do
+    describe 'Parent-child pipelines independent relationship' do
+      let!(:project) do
+        Resource::Project.fabricate_via_api! do |project|
+          project.name = 'pipeline-independent-relationship'
+        end
+      end
+      let!(:runner) do
+        Resource::Runner.fabricate_via_api! do |runner|
+          runner.project = project
+          runner.name = project.name
+          runner.tags = ["#{project.name}"]
+        end
+      end
+
+      before do
+        Flow::Login.sign_in
+      end
+
+      after do
+        runner.remove_via_api!
+      end
+
+      it 'parent pipelines passes if child passes' do
+        add_ci_files(success_child_ci_file)
+        view_pipelines
+
+        Page::Project::Pipeline::Show.perform do |parent_pipeline|
+          parent_pipeline.click_linked_job(project.name)
+
+          expect(parent_pipeline).to have_job("child_job")
+          expect(parent_pipeline).to be_passed
+        end
+      end
+
+      it 'parent pipeline passes even if child fails' do
+        add_ci_files(fail_child_ci_file)
+        view_pipelines
+
+        Page::Project::Pipeline::Show.perform do |parent_pipeline|
+          parent_pipeline.click_linked_job(project.name)
+
+          expect(parent_pipeline).to have_job("child_job")
+          expect(parent_pipeline).to be_passed
+        end
+      end
+
+      private
+
+      def view_pipelines
+        Page::Project::Menu.perform(&:click_ci_cd_pipelines)
+        Page::Project::Pipeline::Index.perform(&:wait_for_latest_pipeline_completion)
+        Page::Project::Pipeline::Index.perform(&:click_on_latest_pipeline)
+      end
+
+      def success_child_ci_file
+        {
+          file_path: '.child-ci.yml',
+          content: <<~YAML
+            child_job:
+              stage: test
+              tags: ["#{project.name}"]
+              script: echo "Child job done!"
+
+          YAML
+        }
+      end
+
+      def fail_child_ci_file
+        {
+          file_path: '.child-ci.yml',
+          content: <<~YAML
+            child_job:
+              stage: test
+              tags: ["#{project.name}"]
+              script: exit 1
+
+          YAML
+        }
+      end
+
+      def parent_ci_file
+        {
+          file_path: '.gitlab-ci.yml',
+          content: <<~YAML
+            stages:
+              - test
+              - deploy
+
+            job1:
+              stage: test
+              trigger:
+                include: ".child-ci.yml"
+
+            job2:
+              stage: deploy
+              tags: ["#{project.name}"]
+              script: echo "parent deploy done"
+
+          YAML
+        }
+      end
+
+      def add_ci_files(child_ci_file)
+        Resource::Repository::Commit.fabricate_via_api! do |commit|
+          commit.project = project
+          commit.commit_message = 'Add parent and child pipelines CI files.'
+          commit.add_files(
+            [
+              child_ci_file,
+              parent_ci_file
+            ]
+          )
+        end.project.visit!
+      end
+    end
+  end
+end

spec/lib/gitlab/auth_spec.rb

@@ -250,6 +250,13 @@ describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
       let(:token_w_api_scope) { Doorkeeper::AccessToken.create!(application_id: application.id, resource_owner_id: user.id, scopes: 'api') }
       let(:application) { Doorkeeper::Application.create!(name: 'MyApp', redirect_uri: 'https://app.com', owner: user) }
 
+      shared_examples 'an oauth failure' do
+        it 'fails' do
+          expect(gl_auth.find_for_git_client("oauth2", token_w_api_scope.token, project: nil, ip: 'ip'))
+            .to eq(Gitlab::Auth::Result.new(nil, nil, nil, nil))
+        end
+      end
+
       it 'succeeds for OAuth tokens with the `api` scope' do
         expect(gl_auth.find_for_git_client("oauth2", token_w_api_scope.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :oauth, described_class.full_authentication_abilities))
       end
@@ -269,10 +276,15 @@ describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
       context 'blocked user' do
         let(:user) { create(:user, :blocked) }
 
-        it 'fails' do
-          expect(gl_auth.find_for_git_client("oauth2", token_w_api_scope.token, project: nil, ip: 'ip'))
-            .to eq(Gitlab::Auth::Result.new(nil, nil, nil, nil))
+        it_behaves_like 'an oauth failure'
+      end
+
+      context 'orphaned token' do
+        before do
+          user.destroy
         end
+
+        it_behaves_like 'an oauth failure'
       end
     end
 

vendor/Dockerfile/Swift.Dockerfile

+FROM swift:5.0 as builder
+
+WORKDIR /src
+COPY . .
+RUN swift build -c release
+
+FROM swift:5.0-slim
+
+WORKDIR /src
+COPY --from=builder /src .
+EXPOSE 8080
+
+CMD [ ".build/release/app"]