Add latest changes from gitlab-org/gitlab@master

changelogs/unreleased/phillab-patch-29.yml

+---
+title: Increase pipeline email notification from 10 to 30 lines
+merge_request: 21728
+author: Philipp Hasper
+type: changed

changelogs/unreleased/youtrack-issue-pattern.yml

+---
+title: Avoid autolinking YouTrack issue numbers followed by letters
+merge_request: 24770
+author: Konrad Borowski
+type: fixed

danger/roulette/Dangerfile

@@ -68,11 +68,9 @@ categories = changes.keys - [:unknown]
 # Ensure to spin for database reviewer/maintainer when ~database is applied (e.g. to review SQL queries)
 categories << :database if gitlab.mr_labels.include?('database') && !categories.include?(:database)
-# Single codebase MRs are reviewed using a slightly different process, so we
-# disable the review roulette for such MRs.
 # CSS Clean up MRs are reviewed using a slightly different process, so we
 # disable the review roulette for such MRs.
-if changes.any? && !gitlab.mr_labels.include?('single codebase') && !gitlab.mr_labels.include?('CSS cleanup')
+if changes.any? && !gitlab.mr_labels.include?('CSS cleanup')
   # Strip leading and trailing CE/EE markers
   canonical_branch_name =
     roulette.canonical_branch_name(gitlab.mr_json['source_branch'])

danger/single_codebase/Dangerfile

-FRONTEND_MAINTAINERS = %w[filipa iamphill].freeze
-BACKEND_MAINTAINERS = %w[rspeicher rymai yorickpeterse godfat].freeze
-NO_REVIEWER = 'No reviewer available'.freeze
-
-def mention_single_codebase_approvers
-  canonical_branch_name =
-    roulette.canonical_branch_name(gitlab.mr_json['source_branch'])
-
-  random = roulette.new_random(canonical_branch_name)
-
-  frontend_maintainers = helper.new_teammates(FRONTEND_MAINTAINERS)
-  backend_maintainers = helper.new_teammates(BACKEND_MAINTAINERS)
-
-  rows = []
-
-  if gitlab.mr_labels.include?('frontend')
-    frontend_maintainer =
-      roulette.spin_for_person(frontend_maintainers, random: random)
-
-    rows << "| ~frontend | #{frontend_maintainer&.markdown_name || NO_REVIEWER}"
-  end
-
-  if gitlab.mr_labels.include?('backend')
-    backend_maintainer =
-      roulette.spin_for_person(backend_maintainers, random: random)
-
-    rows << "| ~backend | #{backend_maintainer&.markdown_name || NO_REVIEWER}"
-  end
-
-  if rows.empty?
-    backup_maintainer = backend_maintainers.sample
-
-    rows << "| ~frontend / ~backend | #{backup_maintainer.markdown_name}"
-  end
-
-  markdown(<<~MARKDOWN.strip)
-    ## Single codebase changes
-
-    This merge request contains changes related to the work of moving towards a
-    [single codebase](https://gitlab.com/groups/gitlab-org/-/epics/802) for
-    Community Edition and Enterprise Edition. These changes will need to be
-    reviewed and approved by the following engineers:
-
-    | Category | Reviewer
-    |----------|---------
-    #{rows.join("\n")}
-
-    To make sure this happens, please follow these steps:
-
-    1. Add all of the mentioned users to the list of merge request approvals.
-    2. Assign the merge request to the first person in the above list.
-
-    If you are a reviewer, please follow these steps:
-
-    1. Review the merge request. If it is good to go, approve it.
-    2. Once approved, assign to the next person in the above list. If you are
-       the last person in the list, merge the merge request.
-  MARKDOWN
-end
-
-if gitlab.mr_labels.include?('single codebase')
-  mention_single_codebase_approvers
-end

db/migrate/20200114140305_add_fields_to_application_settings_for_merge_requests_approvals.rb

+# frozen_string_literal: true
+
+class AddFieldsToApplicationSettingsForMergeRequestsApprovals < ActiveRecord::Migration[5.2]
+  DOWNTIME = false
+
+  def up
+    add_column(:application_settings,
+                :disable_overriding_approvers_per_merge_request,
+                :boolean,
+                default: false,
+                null: false)
+    add_column(:application_settings,
+                :prevent_merge_requests_author_approval,
+                :boolean,
+                default: false,
+                null: false)
+    add_column(:application_settings,
+                :prevent_merge_requests_committers_approval,
+                :boolean,
+                default: false,
+                null: false)
+  end
+
+  def down
+    remove_column(:application_settings, :disable_overriding_approvers_per_merge_request)
+    remove_column(:application_settings, :prevent_merge_requests_author_approval)
+    remove_column(:application_settings, :prevent_merge_requests_committers_approval)
+  end
+end

db/migrate/20200210135504_remove_packages_deprecated_dependencies.rb

+# frozen_string_literal: true
+
+class RemovePackagesDeprecatedDependencies < ActiveRecord::Migration[6.0]
+  DOWNTIME = false
+
+  def up
+    execute('DELETE FROM packages_dependency_links WHERE dependency_type = 5')
+  end
+
+  def down
+    # There is nothing to do to reverse this migration
+  end
+end

db/schema.rb

@@ -346,6 +346,9 @@ ActiveRecord::Schema.define(version: 2020_02_13_204737) do
     t.integer "elasticsearch_indexed_field_length_limit", default: 0, null: false
     t.integer "elasticsearch_max_bulk_size_mb", limit: 2, default: 10, null: false
     t.integer "elasticsearch_max_bulk_concurrency", limit: 2, default: 10, null: false
+    t.boolean "disable_overriding_approvers_per_merge_request", default: false, null: false
+    t.boolean "prevent_merge_requests_author_approval", default: false, null: false
+    t.boolean "prevent_merge_requests_committers_approval", default: false, null: false
     t.index ["custom_project_templates_group_id"], name: "index_application_settings_on_custom_project_templates_group_id"
     t.index ["file_template_project_id"], name: "index_application_settings_on_file_template_project_id"
     t.index ["instance_administration_project_id"], name: "index_applicationsettings_on_instance_administration_project_id"

doc/api/groups.md

@@ -798,7 +798,7 @@ DELETE /groups/:id/hooks/:hook_id
 Group audit events can be accessed via the [Group Audit Events API](audit_events.md#group-audit-events-starter)
-## Sync group with LDAP **(CORE ONLY)**
+## Sync group with LDAP **(STARTER)**
 Syncs the group with its linked LDAP group. Only available to group owners and administrators.
@@ -814,7 +814,23 @@ Parameters:
 Please consult the [Group Members](members.md) documentation.
-### Add LDAP group link **(CORE ONLY)**
+## LDAP Group Links
+
+List, add, and delete LDAP group links.
+
+### List LDAP group links **(STARTER)**
+
+Lists LDAP group links.
+
+```
+GET /groups/:id/ldap_group_links
+```
+
+Parameters:
+
+- `id` (required) - The ID of a group
+
+### Add LDAP group link **(STARTER)**
 Adds an LDAP group link.
@@ -829,7 +845,7 @@ Parameters:
 - `group_access` (required) - Minimum access level for members of the LDAP group
 - `provider` (required) - LDAP provider for the LDAP group
-### Delete LDAP group link **(CORE ONLY)**
+### Delete LDAP group link **(STARTER)**
 Deletes an LDAP group link.

doc/api/users.md

@@ -437,6 +437,19 @@ Note, at the moment this method does only return a `404` error,
 even in cases where a `409` (Conflict) would be more appropriate,
 e.g. when renaming the email address to some existing one.
+## Delete authentication identity from user
+
+Deletes a user's authentication identity using the provider name associated with that identity. Available only for administrators.
+
+```
+DELETE /users/:id/identities/:provider
+```
+
+Parameters:
+
+- `id` (required) - The ID of the user
+- `provider` (required) - External provider name
+
 ## User deletion
 Deletes a user. Available only for administrators.

doc/ci/yaml/README.md

@@ -2248,6 +2248,7 @@ and bring back the old behavior.
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/issues/47063) in GitLab 12.2.
 > - In GitLab 12.3, maximum number of jobs in `needs` array raised from five to 50.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/30631) in GitLab 12.8, `needs: []` lets jobs start immediately.
 The `needs:` keyword enables executing jobs out-of-order, allowing you to implement
 a [directed acyclic graph](../directed_acyclic_graph/index.md) in your `.gitlab-ci.yml`.
@@ -2264,6 +2265,10 @@ linux:build:
 mac:build:
   stage: build
+lint:
+  stage: test
+  needs: []
+
 linux:rspec:
   stage: test
   needs: ["linux:build"]
@@ -2284,7 +2289,9 @@ production:
   stage: deploy
 ```
-This example creates three paths of execution:
+This example creates four paths of execution:
+
+- Linter: the `lint` job will run immediately without waiting for the `build` stage to complete because it has no needs (`needs: []`).
 - Linux path: the `linux:rspec` and `linux:rubocop` jobs will be run as soon
   as the `linux:build` job finishes without waiting for `mac:build` to finish.
@@ -2308,9 +2315,6 @@ This example creates three paths of execution:
   - For self-managed instances, the limit is:
     - 10, if the `ci_dag_limit_needs` feature flag is enabled (default).
     - 50, if the `ci_dag_limit_needs` feature flag is disabled.
-- It is impossible for now to have `needs: []` (empty needs), the job always needs to
-  depend on something, unless this is the job in the first stage. However, support for
-  an empty needs array [is planned](https://gitlab.com/gitlab-org/gitlab/issues/30631).
 - If `needs:` refers to a job that is marked as `parallel:`.
   the current job will depend on all parallel jobs created.
 - `needs:` is similar to `dependencies:` in that it needs to use jobs from prior stages,

doc/user/admin_area/index.md

@@ -28,7 +28,7 @@ The Admin Area is made up of the following sections:
 | Abuse Reports                   | Manage [abuse reports](abuse_reports.md) submitted by your users.                                                                                                                                                                                                                        |
 | License **(STARTER ONLY)**      | Upload, display, and remove [licenses](license.md).                                                                                                                                                                                                                                      |
 | Kubernetes                      | Create and manage instance-level [Kubernetes clusters](../instance/clusters/index.md).                                                                                                                                                                                                   |
-| Push Rules **(STARTER)**        | Configure pre-defined Git [push rules](../../push_rules/push_rules.md) for projects.                                                                                                                                                                                                     |
+Push Rules **(STARTER ONLY)**   | Configure pre-defined Git [push rules](../../push_rules/push_rules.md) for projects. Also, configure [merge requests approvers rules](merge_requests_approvals.md). **(PREMIUM ONLY)**                                                                                                                                                                                                   |
 | Geo **(PREMIUM ONLY)**          | Configure and maintain [Geo nodes](geo_nodes.md).                                                                                                                                                                                                                                        |
 | Deploy Keys                     | Create instance-wide [SSH deploy keys](../../ssh/README.md#deploy-keys).                                                                                                                                                                                                                 |
 | Credentials **(ULTIMATE ONLY)** | View [credentials](credentials_inventory.md) that can be used to access your instance.                                                                                                                                                                                                   |

doc/user/admin_area/merge_requests_approvals.md

+---
+type: reference, concepts
+---
+
+# Instance-level merge request approval rules **(PREMIUM ONLY)**
+
+> Introduced in [GitLab Premium](https://gitlab.com/gitlab-org/gitlab/issues/39060) 12.8.
+
+Merge request approvals rules prevent users overriding certain settings on a project
+level. When configured, only administrators can change these settings on a project level
+if they are enabled at an instance level.
+
+To enable merge request approval rules for an instance:
+
+1. Navigate to **{admin}** **Admin Area >** **{push-rules}** **Push Rules** and expand **Merge
+   requests approvals**.
+1. Set the required rule.
+1. Click **Save changes**.
+
+GitLab administrators can later override these settings in a project’s settings.
+
+## Available rules
+
+Merge request approval rules that can be set at an instance level are:
+
+- **Prevent approval of merge requests by merge request author**. Prevents non-admins
+  from allowing merge request authors to merge their own merge requests in individual
+  projects.
+- **Prevent approval of merge requests by merge request committers**. Prevents
+  non-admins from allowing merge request committers to merge merge requests they were
+  committing to in individual projects.
+- **Prevent users from modifying merge request approvers list**. Prevents non-admins
+  from modifying approvers list in project settings and in individual merge requests.

lib/api/users.rb

@@ -225,6 +225,27 @@ module API
       end
       # rubocop: enable CodeReuse/ActiveRecord
+      desc "Delete a user's identity. Available only for admins" do
+        success Entities::UserWithAdmin
+      end
+      params do
+        requires :id, type: Integer, desc: 'The ID of the user'
+        requires :provider, type: String, desc: 'The external provider'
+      end
+      # rubocop: disable CodeReuse/ActiveRecord
+      delete ":id/identities/:provider" do
+        authenticated_as_admin!
+
+        user = User.find_by(id: params[:id])
+        not_found!('User') unless user
+
+        identity = user.identities.find_by(provider: params[:provider])
+        not_found!('Identity') unless identity
+
+        destroy_conditionally!(identity)
+      end
+      # rubocop: enable CodeReuse/ActiveRecord
+
       desc 'Add an SSH key to a specified user. Available only for admins.' do
         success Entities::SSHKey
       end

lib/gitlab/ci/config/entry/needs.rb

@@ -11,12 +11,14 @@ module Gitlab
           include ::Gitlab::Config::Entry::Validatable
           validations do
-            validates :config, presence: true
-
             validate do
               unless config.is_a?(Hash) || config.is_a?(Array)
                 errors.add(:config, 'can only be a Hash or an Array')
               end
+
+              if config.is_a?(Hash) && config.empty?
+                errors.add(:config, 'can not be an empty Hash')
+              end
             end
             validate on: :composed do

lib/gitlab/import_export/group_import_export.yml

@@ -28,8 +28,15 @@ included_attributes:
 excluded_attributes:
   group:
     - :id
+    - :name
+    - :path
+    - :owner_id
+    - :parent_id
+    - :created_at
+    - :updated_at
     - :runners_token
     - :runners_token_encrypted
+    - :saml_discovery_token
 methods:
   labels:

lib/gitlab_danger.rb

@@ -18,7 +18,6 @@ class GitlabDanger
     changelog
     specs
     roulette
-    single_codebase
     gitlab_ui_wg
     ce_ee_vue_templates
   ].freeze

locale/gitlab.pot

@@ -11917,6 +11917,9 @@ msgstr ""
 msgid "Merge requests"
 msgstr ""
+msgid "Merge requests approvals"
+msgstr ""
+
 msgid "Merge requests are a place to propose changes you've made to a project and discuss those changes with others"
 msgstr ""
@@ -14161,6 +14164,9 @@ msgstr ""
 msgid "Prevent users from changing their profile name"
 msgstr ""
+msgid "Prevent users from modifing merge request approvers list"
+msgstr ""
+
 msgid "Preview"
 msgstr ""
@@ -16385,6 +16391,9 @@ msgstr ""
 msgid "Rook"
 msgstr ""
+msgid "Rules that define what git pushes are accepted for a project. All newly created projects will use these settings."
+msgstr ""
+
 msgid "Run CI/CD pipelines for external repositories"
 msgstr ""
@@ -17427,6 +17436,9 @@ msgstr ""
 msgid "Settings"
 msgstr ""
+msgid "Settings to prevent self-approval across all projects in the instance. Only an administrator can modify these settings."
+msgstr ""
+
 msgid "Severity: %{severity}"
 msgstr ""

spec/factories/ci/build_need.rb

@@ -2,7 +2,7 @@
 FactoryBot.define do
   factory :ci_build_need, class: 'Ci::BuildNeed' do
-    build factory: :ci_build
+    build factory: :ci_build, scheduling_type: :dag
     sequence(:name) { |n| "build_#{n}" }
   end
 end

spec/fixtures/lib/gitlab/import_export/group_exports/complex/group.json

 {
   "name": "ymg09t5704clnxnqfgaj2h098gz4r7gyx4wc3fzmlqj1en24zf",
   "path": "ymg09t5704clnxnqfgaj2h098gz4r7gyx4wc3fzmlqj1en24zf",
-  "owner_id": null,
+  "owner_id": 123,
   "created_at": "2019-11-20 17:01:53 UTC",
   "updated_at": "2019-11-20 17:05:44 UTC",
   "description": "Group Description",
@@ -18,7 +18,7 @@
   "ldap_sync_last_successful_update_at": null,
   "ldap_sync_last_sync_at": null,
   "lfs_enabled": null,
-  "parent_id": null,
+  "parent_id": 7,
   "shared_runners_minutes_limit": null,
   "repository_size_limit": null,
   "require_two_factor_authentication": false,
@@ -33,6 +33,8 @@
   "extra_shared_runners_minutes_limit": null,
   "last_ci_minutes_notification_at": null,
   "last_ci_minutes_usage_notification_level": null,
+  "runners_token": "token",
+  "runners_token_encrypted": "encrypted",
   "subgroup_creation_level": 1,
   "emails_disabled": null,
   "max_pages_size": null,

spec/lib/gitlab/import_export/group_tree_restorer_spec.rb

@@ -71,6 +71,44 @@ describe Gitlab::ImportExport::GroupTreeRestorer do
     end
   end
+  context 'excluded attributes' do
+    let!(:source_user) { create(:user, id: 123) }
+    let!(:importer_user) { create(:user) }
+    let(:group) { create(:group) }
+    let(:shared) { Gitlab::ImportExport::Shared.new(group) }
+    let(:group_tree_restorer) { described_class.new(user: importer_user, shared: shared, group: group, group_hash: nil) }
+    let(:group_json) { ActiveSupport::JSON.decode(IO.read(File.join(shared.export_path, 'group.json'))) }
+
+    shared_examples 'excluded attributes' do
+      excluded_attributes = %w[
+        id
+        name
+        path
+        owner_id
+        parent_id
+        created_at
+        updated_at
+        runners_token
+        runners_token_encrypted
+        saml_discovery_token
+      ]
+
+      before do
+        group.add_owner(importer_user)
+
+        setup_import_export_config('group_exports/complex')
+      end
+
+      excluded_attributes.each do |excluded_attribute|
+        it 'does not allow override of excluded attributes' do
+          expect(group_json[excluded_attribute]).not_to eq(group.public_send(excluded_attribute))
+        end
+      end
+    end
+
+    include_examples 'excluded attributes'
+  end
+
   context 'group.json file access check' do
     let(:user) { create(:user) }
     let!(:group) { create(:group, name: 'group2', path: 'group2') }