Jacob Vosmaer authored 4 years ago and GitLab Release Tools Bot committed 4 years ago

This reverts commit 4f0c3682.

Patrick Bajao authored 4 years ago and Matthias Käppler committed 4 years ago

This reverts commit 4f0c3682.

Changes:

- Support Git HTTP on toplevel repositories
  gitlab-workhorse!670
- Update GoCloud to v0.21.1+
  gitlab-workhorse!675
- Allow blank S3 regions to be used
  gitlab-workhorse!677

Matthias Käppler authored 4 years ago and Alessio Caiazza committed 4 years ago

too long method name results in too long
prometheus label name, which can crash prometheus

Vladimir Shushlin authored 4 years ago and Mayra Cabrera committed 4 years ago

too long method name results in too long
prometheus label name, which can crash prometheus

Changes:
https://gitlab.com/gitlab-org/gitlab-workhorse/-/blob/master/CHANGELOG

- Support alternate document root directory
  gitlab-org/gitlab-workhorse!626

- Fix uploader not returning 413 when artifact too large
  gitlab-org/gitlab-workhorse!663
- Auto-register Prometheus metrics
  gitlab-org/gitlab-workhorse!660

- Do not resize when image is less than 8 bytes
  gitlab-org/gitlab-workhorse!666

Sean Arnold authored 4 years ago and Alessio Caiazza committed 4 years ago

Workhorse version bump to v8.55.0 to support direct_upload on the new API endpoint

Full list of changes:
https://gitlab.com/gitlab-org/gitlab-workhorse/-/blob/master/CHANGELOG

This brings in
gitlab-workhorse!619,
which updates Gitaly's latest Protocol Buffer definitions. This is
needed to support a new flag (`IncludeLfsBlobs`) in the
`GetArchiveRequest` RPC for
#15079.

This brings in support for Azure custom storage domains:
gitlab-org/gitlab-workhorse!593

This fixes a critical regression which happens when no
`[object_storage]` config is defined in `config.toml`.

This adds Azure Blob Storage support. Full list of changes:
https://gitlab.com/gitlab-org/gitlab-workhorse/-/blob/master/CHANGELOG

This updates Workhorse to v8.39.0 to fix an issue with
`gitlab-zip-metadata`.

This relates to gitlab-org/gitlab#223806.

Full list of Workhorse changes:
https://gitlab.com/gitlab-org/gitlab-workhorse/-/blob/master/CHANGELOG

This adds support for adding S3 encryption headers to uploads. Full list
of changes:
https://gitlab.com/gitlab-org/gitlab-workhorse/-/blob/master/CHANGELOG

Updates GITLAB_WORKHORSE_VERSION to latest version that includes
LSIF references support behind `code_navigation_references`
feature flag.

This fixes a ZIP download issue with some S3 providers
(gitlab-org/gitlab-workhorse!508)
and adds support for uploading files directly via an S3 client inside
Workhorse.

Full list of changes:
https://gitlab.com/gitlab-org/gitlab-workhorse/-/blob/master/CHANGELOG

That's done in order to tell Workhorse whether Lsif artifact
should be parsed

The attack is outlined in
gitlab-org/gitlab#213139. It exploits the
fact that the artifacts endpoint reads `file.path` directly using
`UploadedFile.from_params`.

`file.path` can be given by the user and pass through workhorse. As
such, it's an untrusted source and could contain the path of any file in
`Dir.tmpdir`. This results in creating a `Ci::JobArtifact` pointing to
an arbitrary temporary file.

To counter this, this commit relies on the fact that the upload endpoint
deals with a multipart upload. This type of uploads are handled by
`Gitlab::Middleware::Multipart` which will read the upload file from a
trusted source (the workhorse JWT token) and build a `UploadedFile`
object out of it. Thus, in the Grape endpoint, we can simply read the
param directly and validate that it's an `UploadedFile`.

This enables support for proxying ActionCable connections