diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index c5259a30075adddecdc1fb37f3ae93180fb37b53..8e58120dc6f0c9259e5d0acf990c15cf490b6a0c 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -264,7 +264,20 @@ include:
- remote: 'https://gitlab.com/gitlab-org/frontend/untamper-my-lockfile/-/raw/main/templates/merge_request_pipelines.yml'
rules:
- <<: *if-not-security-canonical-sync
- - local: .gitlab/ci/gitlab-com/*.gitlab-ci.yml
+ - local: .gitlab/ci/includes/gitlab-com/*.gitlab-ci.yml
rules:
- if: '$CI_SERVER_HOST == "gitlab.com"'
- if: '$CI_SERVER_HOST == "jihulab.com"'
+ - local: .gitlab/ci/includes/as-if-jh.gitlab-ci.yml
+ rules:
+ # Only run as-if-jh triggerred pipelines for gitlab.com/gitlab-org/gitlab MRs that don't target stable branches
+ # and that don't have the quarantine or pipeline:expedite labels.
+ - if: '$CI_PROJECT_URL != "https://gitlab.com/gitlab-org/gitlab"'
+ when: never
+ - if: '$CI_MERGE_REQUEST_ID == null'
+ when: never
+ - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME =~ /^[\d-]+-stable(-ee|-jh)?$/'
+ when: never
+ - if: '$CI_MERGE_REQUEST_LABELS =~ /quarantine/ || $CI_MERGE_REQUEST_LABELS =~ /pipeline:expedite/'
+ when: never
+ - when: always
diff --git a/.gitlab/ci/global.gitlab-ci.yml b/.gitlab/ci/global.gitlab-ci.yml
index 6455de5d2e35ed88bd3c7980e03d84589a5cb261..b8a4203f04cd02d3a74503b376e2e7606c63f6d4 100644
--- a/.gitlab/ci/global.gitlab-ci.yml
+++ b/.gitlab/ci/global.gitlab-ci.yml
@@ -514,3 +514,8 @@
curl -f --header "Private-Token: ${PROJECT_TOKEN_FOR_CI_SCRIPTS_API_USAGE}" "${url}" --create-dirs --output scripts/utils.sh
- source scripts/utils.sh
- run_timed_command "download_files ${FILES_TO_DOWNLOAD}"
+
+.with_secret:
+ id_tokens:
+ GCP_ID_TOKEN:
+ aud: https://iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_FEDERATION_POOL_ID}/providers/${GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER_ID}
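Review bot: The header comment on the new `as-if-jh.gitlab-ci.yml` include rules has a typo ("triggerred") and does not say that this include-level gate is now the only thing restricting the as-if-jh jobs to canonical gitlab.com/gitlab-org/gitlab MRs, although the same commit removes the `.strict-ee-only-rules` and `.as-if-jh-default-exclusion-rules` references from the as-if-jh rule sets in `.gitlab/ci/rules.gitlab-ci.yml`. I would write it as `# Only run as-if-jh triggered pipelines for gitlab.com/gitlab-org/gitlab MRs that don't target stable branches` / `# and that don't have the quarantine or pipeline:expedite labels. This is the only project/branch/label gate for the as-if-jh jobs;` / `# the rule sets in .gitlab/ci/rules.gitlab-ci.yml no longer restrict this themselves.` The removed exclusion rules also skipped the jobs when `$ADD_JH_FILES_TOKEN == null`; that guard has no equivalent here, so a pipeline in the canonical project where the GCP federation variables are not configured will now fail in `add-jh-files` rather than skip it, which is presumably acceptable but worth one sentence in the comment.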
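Review bot: `.with_secret` is undocumented and its name does not say what it grants: every job that extends it receives `GCP_ID_TOKEN`, an OIDC ID token whose audience is the GCP workload identity federation provider, which is what `add-jh-files` later passes as `token:` to `gcp_secret_manager`. Add a comment above it, e.g. `# Issues GCP_ID_TOKEN, an ID token bound to the GCP workload identity federation provider, for jobs that read secrets` / `# via gcp_secret_manager. Needs GCP_PROJECT_NUMBER, GCP_WORKLOAD_IDENTITY_FEDERATION_POOL_ID and GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER_ID set as CI/CD variables.` Two style points: the key uses `snake_case` while the hidden jobs elsewhere in this diff use kebab-case (`.shared-as-if-jh`, `.as-if-jh-sandbox-variables`), and a more specific name such as `.with-gcp-id-token` would say what the template does; and the `aud:` value is a long plain scalar built from `${...}` expansions, which the rest of the diff consistently double-quotes (`AS_IF_JH_BRANCH`, `SANDBOX_REPOSITORY`), so `aud: "https://iam.googleapis.com/..."` would match the file's convention.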
diff --git a/.gitlab/ci/as-if-jh.gitlab-ci.yml b/.gitlab/ci/includes/as-if-jh.gitlab-ci.yml
similarity index 91%
rename from .gitlab/ci/as-if-jh.gitlab-ci.yml
rename to .gitlab/ci/includes/as-if-jh.gitlab-ci.yml
index 823c7b21148946fb9f5c505b82a18a2759ae27b6..e40fd0f5d2d450bb9907856a0c25b86494ef64cd 100644
--- a/.gitlab/ci/as-if-jh.gitlab-ci.yml
+++ b/.gitlab/ci/includes/as-if-jh.gitlab-ci.yml
@@ -1,7 +1,6 @@
.as-if-jh-sandbox-variables:
variables:
AS_IF_JH_BRANCH: "as-if-jh/${CI_COMMIT_REF_NAME}"
- JH_MIRROR_REPOSITORY: "https://dummy:${ADD_JH_FILES_TOKEN}@gitlab.com/gitlab-org/gitlab-jh-mirrors/gitlab.git"
SANDBOX_REPOSITORY: "https://dummy:${AS_IF_JH_TOKEN}@gitlab.com/gitlab-org-sandbox/gitlab-jh-validation.git"

.shared-as-if-jh:
@@ -14,12 +13,20 @@
add-jh-files:
extends:
- .shared-as-if-jh
+ - .with_secret
- .as-if-jh:rules:prepare-as-if-jh
image: ${GITLAB_DEPENDENCY_PROXY_ADDRESS}ruby:${RUBY_VERSION}
stage: prepare
needs: []
+ secrets:
+ ADD_JH_FILES_TOKEN:
+ gcp_secret_manager:
+ name: ADD_JH_FILES_TOKEN
+ token: $GCP_ID_TOKEN
before_script:
- source ./scripts/utils.sh
+ - export ADD_JH_FILES_TOKEN="$(cat ${ADD_JH_FILES_TOKEN})"
+ - export JH_MIRROR_REPOSITORY="https://dummy:${ADD_JH_FILES_TOKEN}@gitlab.com/gitlab-org/gitlab-jh-mirrors/gitlab.git"
- source ./scripts/setup/as-if-jh.sh
- install_gitlab_gem
script:
diff --git a/.gitlab/ci/gitlab-com/danger-review.gitlab-ci.yml b/.gitlab/ci/includes/gitlab-com/danger-review.gitlab-ci.yml
similarity index 100%
rename from .gitlab/ci/gitlab-com/danger-review.gitlab-ci.yml
rename to .gitlab/ci/includes/gitlab-com/danger-review.gitlab-ci.yml
diff --git a/.gitlab/ci/rules.gitlab-ci.yml b/.gitlab/ci/rules.gitlab-ci.yml
index b0332025338beafac0208b0387303544defbb7f3..a8317417d02b79a47019d94b5a937e9194d3a3f8 100644
--- a/.gitlab/ci/rules.gitlab-ci.yml
+++ b/.gitlab/ci/rules.gitlab-ci.yml
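Review bot: `export ADD_JH_FILES_TOKEN="$(cat ${ADD_JH_FILES_TOKEN})"` turns the file-backed secret into a plain environment variable and the next line embeds it as the userinfo credential of `JH_MIRROR_REPOSITORY`; unless that value is separately registered as a masked variable (not visible in this diff) it would be printed verbatim in the job log if shell tracing such as `CI_DEBUG_TRACE` were ever enabled, and it is inherited by every later command including the sourced `scripts/setup/as-if-jh.sh` and the `script:` section. At minimum quote the path expansion, `export ADD_JH_FILES_TOKEN="$(cat "${ADD_JH_FILES_TOKEN}")"`. The reuse of one name for first the file path and then the token value also deserves a comment, e.g. `# The secret arrives as a file; replace the path with its content, then rebuild the mirror URL that used to be a plain variable in .as-if-jh-sandbox-variables.` If the derived value is not masked, a git credential helper or a netrc entry written from the secret file would keep the token out of the process environment and out of a URL that can end up in error output.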
@@ -623,7 +623,7 @@
- "vendor/assets/javascripts/**/*"

.feature-flag-development-config-patterns: &feature-flag-development-config-patterns
- - "{,ee/,jh/}config/feature_flags/{development,ops}/*.yml"
+ - "{,ee/,jh/}config/feature_flags/**/*.yml"

.glfm-patterns: &glfm-patterns
- ".gitlab/ci/rules.gitlab-ci.yml"
@@ -661,17 +661,6 @@
- <<: *if-jh
when: never

-.as-if-jh-default-exclusion-rules:
- rules:
- - if: '$ADD_JH_FILES_TOKEN == null'
- when: never
- <<: *if-security-merge-request
- when: never
- <<: *if-merge-request-targeting-stable-branch
- when: never
- <<: *if-merge-request-labels-pipeline-expedite
- when: never
-
.rails:rules:run-search-tests:
rules:
- !reference [".rails:rules:default-branch-schedule-nightly--code-backstage-ee-only", rules]
@@ -3179,10 +3168,8 @@
##################
.as-if-jh:rules:prepare-as-if-jh:
rules:
- - !reference [".strict-ee-only-rules", rules]
- - !reference [".as-if-jh-default-exclusion-rules", rules]
- <<: *if-merge-request-labels-as-if-jh
- - <<: *if-dot-com-gitlab-org-merge-request
+ - <<: *if-merge-request
changes: *feature-flag-development-config-patterns

# This rule should share the same logic with .as-if-jh:rules:prepare-as-if-jh
@@ -3204,8 +3191,6 @@
# dependencies changes.
.as-if-jh:rules:sync-as-if-jh:
rules:
- - !reference [".strict-ee-only-rules", rules]
- - !reference [".as-if-jh-default-exclusion-rules", rules]
- <<: *if-merge-request-labels-as-if-jh
changes: *dependency-patterns
# Ideally, we should be able to do this:
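Review bot: `.as-if-jh:rules:prepare-as-if-jh` drops `.strict-ee-only-rules` and `.as-if-jh-default-exclusion-rules` and replaces `*if-dot-com-gitlab-org-merge-request` with `*if-merge-request`, so read on its own this rule set no longer restricts the jobs to gitlab.com/gitlab-org/gitlab MRs, to EE, or to non-stable, non-expedite targets; the same applies to `.as-if-jh:rules:sync-as-if-jh` in the following hunk and to `.as-if-jh:rules:start-as-if-jh` in the hunk after it (that last hunk is cut off in this view). That gating presumably moves to the include rules for `as-if-jh.gitlab-ci.yml` in `.gitlab-ci.yml`, but nothing in this file says so. Add a comment above `.as-if-jh:rules:prepare-as-if-jh:` such as `# Project, stable-branch and label gating for as-if-jh jobs is done by the include rules in .gitlab-ci.yml;` / `# the rule sets below only decide which MR changes trigger the jobs.` Whatever `.strict-ee-only-rules` excluded is not reproduced by the new include rules as far as the visible hunks show, so that should be confirmed rather than assumed.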
@@ -3216,11 +3201,9 @@
# Because the jobs using this need jobs using the preparation rules
.as-if-jh:rules:start-as-if-jh:
rules:
- - !reference [".strict-ee-only-rules", rules]
- - !reference [".as-if-jh-default-exclusion-rules", rules]
- <<: *if-merge-request-labels-as-if-jh
allow_failure: true # See https://gitlab.com/gitlab-org/gitlab/-/issues/351136
- - <<: *if-dot-com-gitlab-org-merge-request
+ - <<: *if-merge-request
changes: *feature-flag-development-config-patterns
allow_failure: true # See https://gitlab.com/gitlab-org/gitlab/-/issues/351136