Add latest changes from gitlab-org/gitlab@18-1-stable-ee

.gitlab/ci/release-environments/security.gitlab-ci.yml

@@ -22,6 +22,9 @@ stages:
       - GIT_DEPTH
       - GIT_STRATEGY
 
+.ruby-image:
+  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/ci/${BUILD_OS}-${OS_VERSION}-slim-ruby-${RUBY_VERSION}:rubygems-${RUBYGEMS_VERSION}-git-${GIT_VERSION}
+
 workflow:
   auto_cancel:
     on_new_commit: none
@@ -39,6 +42,69 @@ release-environments-build-cng:
   variables:
     IMAGE_TAG_EXT: "-${CI_COMMIT_SHORT_SHA}"
 
+release-environments-build-omnibus-env:
+  stage: prepare
+  extends:
+    - .ruby-image
+  variables:
+    BUILD_ENV: build.env
+  before_script:
+    - source scripts/utils.sh
+  script:
+    - SECURITY_SOURCES=$([[ ! "$CI_PROJECT_NAMESPACE" =~ ^gitlab-org\/security ]] || echo "true")
+    - echo "SECURITY_SOURCES=${SECURITY_SOURCES:-false}" > $BUILD_ENV
+    - for version_file in *_VERSION; do echo "$version_file=$(cat $version_file)" >> $BUILD_ENV; done
+    - ruby -e 'puts "FULL_RUBY_VERSION=#{RUBY_VERSION}"' >> $BUILD_ENV
+    - echo "SHORT_RUBY_VERSION=${RUBY_VERSION}" >> $BUILD_ENV
+    - echo "GITLAB_ASSETS_TAG=${GLCI_ASSETS_IMAGE_TAG}" >> $BUILD_ENV
+    - echo "EE=$([[ $FOSS_ONLY == '1' ]] && echo 'false' || echo 'true')" >> $BUILD_ENV
+    - define_trigger_branch_in_build_env
+    - echo "Built environment file for omnibus build:"
+    - cat $BUILD_ENV
+  artifacts:
+    expire_in: 3 days
+    reports:
+      dotenv: $BUILD_ENV
+    paths:
+      - $BUILD_ENV
+  # As we are testing, GitLab Omnibus build is allowed to fail
+  # https://gitlab.com/gitlab-com/gl-infra/delivery/-/issues/21244
+  allow_failure: true
+
+release-environments-build-omnibus:
+  stage: prepare
+  needs:
+    - release-environments-build-omnibus-env
+  inherit:
+    variables: false
+  variables:
+    GITALY_SERVER_VERSION: $GITALY_SERVER_VERSION
+    GITLAB_ELASTICSEARCH_INDEXER_VERSION: $GITLAB_ELASTICSEARCH_INDEXER_VERSION
+    GITLAB_KAS_VERSION: $GITLAB_KAS_VERSION
+    GITLAB_PAGES_VERSION: $GITLAB_PAGES_VERSION
+    GITLAB_SHELL_VERSION: $GITLAB_SHELL_VERSION
+    GITLAB_WORKHORSE_VERSION: $GITLAB_WORKHORSE_VERSION
+    GITLAB_VERSION: $CI_COMMIT_SHA
+    GITLAB_ASSETS_TAG: $GITLAB_ASSETS_TAG
+    IMAGE_TAG: "${CI_COMMIT_SHA}-ruby${SHORT_RUBY_VERSION}"
+    TOP_UPSTREAM_SOURCE_PROJECT: $CI_PROJECT_PATH
+    SECURITY_SOURCES: $SECURITY_SOURCES
+    USE_SPECIFIED_RUBY_VERSION: "true"
+    RUBY_VERSION: $FULL_RUBY_VERSION
+    ee: $EE
+    RELEASE_ENVIRONMENT_BUILD: "true"
+    PARENT_CI_PIPELINE_ID: $CI_PIPELINE_ID
+    PARENT_CI_COMMIT_SHORT_SHA: $CI_COMMIT_SHORT_SHA
+  trigger:
+    project: gitlab-org/security/omnibus-gitlab
+    branch: $TRIGGER_BRANCH
+    strategy: depend
+    inputs:
+      skip_qa_test: true
+  # As we are testing, GitLab Omnibus build is allowed to fail
+  # https://gitlab.com/gitlab-com/gl-infra/delivery/-/issues/21244
+  allow_failure: true
+
 release-environments-deploy-env:
   stage: prepare
   needs: ["release-environments-build-cng"]

scripts/release_environment/construct-release-environments-versions.rb

@@ -46,6 +46,25 @@ class ReleaseEnvironmentsModel
     @image_tag ||= "#{environment_base}-#{ENV['CI_COMMIT_SHORT_SHA']}"
   end
 
+  def omnibus_package_version
+    # Omnibus package name has the syntax <branch>-<pipeline-id>-<short-commit-id>
+    # e.g. 16.2+stable.12345.abc123
+    converted_branch_name = security_omnibus_stable_branch.gsub(/(\d+)-(\d+)-stable/, '\1.\2+stable')
+    "#{converted_branch_name}.#{ENV['CI_PIPELINE_ID']}.#{ENV['CI_COMMIT_SHORT_SHA']}"
+  end
+
+  def write_deploy_env_file
+    raise "Missing required environment variable." unless set_required_env_vars?
+
+    File.open(ENV['DEPLOY_ENV'], 'w') do |file|
+      file.puts "ENVIRONMENT=#{environment}"
+      file.puts "VERSIONS=#{generate_json}"
+      file.puts "OMNIBUS_PACKAGE_VERSION=#{omnibus_package_version}"
+    end
+
+    puts File.read(ENV['DEPLOY_ENV'])
+  end
+
   private
 
   # This is to generate the environment name without "-security". It is used by the image tag
@@ -64,19 +83,18 @@ class ReleaseEnvironmentsModel
   def security_project?
     ENV['CI_PROJECT_PATH'] == "gitlab-org/security/gitlab"
   end
+
+  # Omnibus security stable branch has no -ee suffix
+  def security_omnibus_stable_branch
+    ENV['CI_COMMIT_BRANCH'].gsub("-ee", "")
+  end
 end
 
 # Outputs in `dotenv` format the ENVIRONMENT and VERSIONS to pass to release environments e.g.
 # ENVIRONMENT=15-10-stable(-security)
 # VERSIONS={"gitaly":"15-10-stable-c7c5131c","registry":"15-10-stable-c7c5131c","kas":"15-10-stable-c7c5131c", ...
+# OMNIBUS_PACKAGE_VERSION=15.10+stable.12345.c7c5131c
 if $PROGRAM_NAME == __FILE__
   model = ReleaseEnvironmentsModel.new
-  raise "Missing required environment variable." unless model.set_required_env_vars?
-
-  File.open(ENV['DEPLOY_ENV'], 'w') do |file|
-    file.puts "ENVIRONMENT=#{model.environment}"
-    file.puts "VERSIONS=#{model.generate_json}"
-  end
-
-  puts File.read(ENV['DEPLOY_ENV'])
+  model.write_deploy_env_file
 end

spec/scripts/release_environment/release_environments_model_spec.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'fast_spec_helper'
+require 'tempfile'
 require_relative '../../../scripts/release_environment/construct-release-environments-versions'
 
 RSpec.describe ReleaseEnvironmentsModel, feature_category: :delivery do
@@ -35,7 +36,7 @@ RSpec.describe ReleaseEnvironmentsModel, feature_category: :delivery do
 
     context 'when required env vars are missing' do
       it 'returns false' do
-        ENV.delete('DEPLOY_ENV')
+        stub_env('DEPLOY_ENV', nil)
         expect(model.set_required_env_vars?).to be false
       end
     end
@@ -80,4 +81,52 @@ RSpec.describe ReleaseEnvironmentsModel, feature_category: :delivery do
       end
     end
   end
+
+  describe '#omnibus_package_version' do
+    it 'generates the correct omnibus package name' do
+      stub_env('CI_COMMIT_BRANCH', '15-10-stable-ee')
+      stub_env('CI_PIPELINE_ID', '12345')
+      stub_env('CI_COMMIT_SHORT_SHA', 'abcdef')
+
+      expected_package = '15.10+stable.12345.abcdef'
+      expect(model.omnibus_package_version).to eq(expected_package)
+    end
+  end
+
+  describe '#write_deploy_env_file' do
+    let(:temp_file) { Tempfile.new('deploy_env_test') }
+
+    before do
+      stub_env('DEPLOY_ENV', temp_file.path)
+      stub_env('CI_COMMIT_SHORT_SHA', 'abc123')
+      stub_env('CI_COMMIT_REF_NAME', '16-0-stable-ee')
+      stub_env('CI_PROJECT_PATH', 'gitlab-org/gitlab')
+      stub_env('CI_PIPELINE_ID', '98765')
+      stub_env('CI_COMMIT_BRANCH', '16-0-stable-ee')
+    end
+
+    after do
+      temp_file.close
+      temp_file.unlink
+    end
+
+    context 'when all env vars are present' do
+      it 'writes the correct content to the DEPLOY_ENV file' do
+        expect { model.write_deploy_env_file }.to output(/ENVIRONMENT=16-0-stable/).to_stdout
+
+        content = File.read(temp_file.path)
+        expect(content).to include('ENVIRONMENT=16-0-stable')
+        expect(content).to include('VERSIONS={"gitaly":"16-0-stable-abc123"')
+        expect(content).to include('OMNIBUS_PACKAGE_VERSION=16.0+stable.98765.abc123')
+      end
+    end
+
+    context 'when required env vars are missing' do
+      it 'raises an error' do
+        stub_env('DEPLOY_ENV', nil)
+
+        expect { model.write_deploy_env_file }.to raise_error(RuntimeError, "Missing required environment variable.")
+      end
+    end
+  end
 end