Add option to disable seperated caches

Changelog: added
Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/361643

app/controllers/projects/settings/ci_cd_controller.rb

@@ -87,7 +87,7 @@ module Projects
       def permitted_project_params
         [
           :runners_token, :builds_enabled, :build_allow_git_fetch,
-          :build_timeout_human_readable, :build_coverage_regex, :public_builds,
+          :build_timeout_human_readable, :build_coverage_regex, :public_builds, :ci_separated_caches,
           :auto_cancel_pending_pipelines, :ci_config_path, :auto_rollback_enabled,
           auto_devops_attributes: [:id, :domain, :enabled, :deploy_strategy],
           ci_cd_settings_attributes: [:default_git_depth, :forward_deployment_enabled]

app/controllers/projects_controller.rb

@@ -451,6 +451,7 @@ class ProjectsController < Projects::ApplicationController
       :initialize_with_sast,
       :initialize_with_readme,
       :autoclose_referenced_issues,
+      :ci_separated_caches,
       :suggestion_commit_message,
       :packages_enabled,
       :service_desk_enabled,

app/models/ci/build.rb

@@ -911,6 +911,8 @@ module Ci
         end
       end
 
+      return cache unless project.ci_separated_caches
+
       type_suffix = pipeline.protected_ref? ? 'protected' : 'non_protected'
       cache.map do |entry|
         entry.merge(key: "#{entry[:key]}-#{type_suffix}")

app/models/project.rb

@@ -471,6 +471,7 @@ class Project < ApplicationRecord
   delegate :job_token_scope_enabled, :job_token_scope_enabled=, to: :ci_cd_settings, prefix: :ci, allow_nil: true
   delegate :keep_latest_artifact, :keep_latest_artifact=, to: :ci_cd_settings, allow_nil: true
   delegate :restrict_user_defined_variables, :restrict_user_defined_variables=, to: :ci_cd_settings, allow_nil: true
+  delegate :separated_caches, :separated_caches=, to: :ci_cd_settings, prefix: :ci, allow_nil: true
   delegate :runner_token_expiration_interval, :runner_token_expiration_interval=, :runner_token_expiration_interval_human_readable, :runner_token_expiration_interval_human_readable=, to: :ci_cd_settings, allow_nil: true
   delegate :actual_limits, :actual_plan_name, :actual_plan, to: :namespace, allow_nil: true
   delegate :allow_merge_on_skipped_pipeline, :allow_merge_on_skipped_pipeline?,

app/models/project_ci_cd_setting.rb

@@ -18,6 +18,7 @@ class ProjectCiCdSetting < ApplicationRecord
     allow_nil: true
 
   default_value_for :forward_deployment_enabled, true
+  default_value_for :separated_caches, true
 
   chronic_duration_attr :runner_token_expiration_interval_human_readable, :runner_token_expiration_interval
 

app/views/projects/settings/ci_cd/_form.html.haml

 - help_link_public_pipelines = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'change-which-users-can-view-your-pipelines'), target: '_blank', rel: 'noopener noreferrer'
 - help_link_auto_canceling = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'auto-cancel-redundant-pipelines'), target: '_blank', rel: 'noopener noreferrer'
-- help_link_skip_outdated =link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'skip-outdated-deployment-jobs'), target: '_blank', rel: 'noopener noreferrer'
+- help_link_skip_outdated = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'skip-outdated-deployment-jobs'), target: '_blank', rel: 'noopener noreferrer'
+- help_link_separated_caches = link_to sprite_icon('question-o'), help_page_path('ci/caching/index', anchor: 'cache-key-names'), target: '_blank', rel: 'noopener noreferrer'
 
 .row.gl-mt-3
   .col-lg-12
@@ -24,6 +25,11 @@
             = form.gitlab_ui_checkbox_component :forward_deployment_enabled, _("Skip outdated deployment jobs"),
               help_text: (_('When a deployment job is successful, skip older deployment jobs that are still pending.') + ' ' + help_link_skip_outdated).html_safe
 
+        .form-group
+          = f.gitlab_ui_checkbox_component :ci_separated_caches,
+            s_("CICD|Use separate caches for protected branches"),
+            help_text: (s_('CICD|Unprotected branches will not have access to the cache from protected branches.') + ' ' + help_link_separated_caches).html_safe
+
         .form-group
           = f.label :ci_config_path, _('CI/CD configuration file'), class: 'label-bold'
           = f.text_field :ci_config_path, class: 'form-control', placeholder: '.gitlab-ci.yml'

db/migrate/20220507204024_add_separated_caches_option_to_project_ci_settings.rb

+# frozen_string_literal: true
+
+class AddSeparatedCachesOptionToProjectCiSettings < Gitlab::Database::Migration[2.0]
+  enable_lock_retries!
+
+  def change
+    add_column :project_ci_cd_settings, :separated_caches, :boolean, default: true, null: false
+  end
+end

db/schema_migrations/20220507204024

+8014dcf24ac2f1171240daa349e0552cb313b06f756b84e09a16d76a8810132a
\ No newline at end of file

db/structure.sql

@@ -19054,7 +19054,8 @@ CREATE TABLE project_ci_cd_settings (
     keep_latest_artifact boolean DEFAULT true NOT NULL,
     restrict_user_defined_variables boolean DEFAULT false NOT NULL,
     job_token_scope_enabled boolean DEFAULT false NOT NULL,
-    runner_token_expiration_interval integer
+    runner_token_expiration_interval integer,
+    separated_caches boolean DEFAULT true NOT NULL
 );
 
 CREATE SEQUENCE project_ci_cd_settings_id_seq

doc/ci/caching/index.md

@@ -31,7 +31,7 @@ can't link to files outside it.
 - Subsequent pipelines can use the cache.
 - Subsequent jobs in the same pipeline can use the cache, if the dependencies are identical.
 - Different projects cannot share the cache.
-- Protected and non-protected branches do not share the cache.
+- By default, protected and non-protected branches [do not share the cache](#cache-key-names). However, you can [change this behavior](#use-the-same-cache-for-all-branches).
 
 ### Artifacts
 
@@ -463,6 +463,24 @@ and `feature`, then the following table represents the resulting cache keys:
 | `main`      | `main-protected` |
 | `feature`   | `feature-non_protected` |
 
+##### Use the same cache for all branches
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/361643) in GitLab 15.0.
+
+If you do not want to use [cache key names](#cache-key-names),
+you can have all branches (protected and unprotected) use the same cache.
+
+The cache separation with [cache key names](#cache-key-names) is a security feature
+and should only be disabled in an environment where all users with Developer role are highly trusted.
+
+To use the same cache for all branches:
+
+1. On the top bar, select **Menu > Projects** and find your project.
+1. On the left sidebar, select **Settings > CI/CD**.
+1. Expand **General pipelines**.
+1. Clear the **Use separate caches for protected branches** checkbox.
+1. Select **Save changes**.
+
 ### How archiving and extracting works
 
 This example shows two jobs in two consecutive stages:

lib/api/entities/project.rb

@@ -99,6 +99,7 @@ module API
       expose :ci_default_git_depth
       expose :ci_forward_deployment_enabled
       expose :ci_job_token_scope_enabled
+      expose :ci_separated_caches
       expose :public_builds, as: :public_jobs
       expose :build_git_strategy, if: lambda { |project, options| options[:user_can_admin_project] } do |project, options|
         project.build_allow_git_fetch ? 'fetch' : 'clone'

locale/gitlab.pot

@@ -6660,6 +6660,12 @@ msgstr ""
 msgid "CICD|The Auto DevOps pipeline runs if no alternative CI configuration file is found."
 msgstr ""
 
+msgid "CICD|Unprotected branches will not have access to the cache from protected branches."
+msgstr ""
+
+msgid "CICD|Use separate caches for protected branches"
+msgstr ""
+
 msgid "CICD|group enabled"
 msgstr ""
 

spec/models/ci/build_spec.rb

@@ -1069,6 +1069,32 @@ RSpec.describe Ci::Build do
             is_expected.to all(a_hash_including(key: a_string_matching(/-non_protected$/)))
           end
         end
+
+        context 'when separated caches are disabled' do
+          before do
+            allow_any_instance_of(Project).to receive(:ci_separated_caches).and_return(false)
+          end
+
+          context 'running on protected ref' do
+            before do
+              allow(build.pipeline).to receive(:protected_ref?).and_return(true)
+            end
+
+            it 'is expected to have no type suffix' do
+              is_expected.to match([a_hash_including(key: 'key-1'), a_hash_including(key: 'key2-1')])
+            end
+          end
+
+          context 'running on not protected ref' do
+            before do
+              allow(build.pipeline).to receive(:protected_ref?).and_return(false)
+            end
+
+            it 'is expected to have no type suffix' do
+              is_expected.to match([a_hash_including(key: 'key-1'), a_hash_including(key: 'key2-1')])
+            end
+          end
+        end
       end
 
       context 'when project has jobs_cache_index' do

spec/requests/api/project_attributes.yml

@@ -99,6 +99,7 @@ ci_cd_settings:
     default_git_depth: ci_default_git_depth
     forward_deployment_enabled: ci_forward_deployment_enabled
     job_token_scope_enabled: ci_job_token_scope_enabled
+    separated_caches: ci_separated_caches
 
 build_import_state: # import_state
   unexposed_attributes: