GitLab 12.6 Release

Entropy requirements for new user passwords

Entropy requirements for new user passwords

Organizations need a way to secure their GitLab instances that aligns with their internal policies and procedures. Part of securing GitLab is enforcing a password policy. GitLab recently updated its own internal password policy guidelines based on NIST SP 800-63B. In this special publication, NIST advises on leveraging password length and complexity, but does not recommend password rotation or even requiring specific complexity rules (e.g. a specific number of special characters).

Using NIST’s guidance, GitLab is introducing a new setting within the Admin Area to specify a minimum password length that applies only to new passwords. This means any new account being created or any password being changed will be required to meet this minimum length requirement. By enabling customers to define a minimum password length, GitLab environments can become more secure and organizations can manage this policy across an instance for reassurance that passwords are compliant with internal policies.

Require rotation of personal access tokens

Require rotation of personal access tokens

Security-minded organizations have historically used regular rotation of credentials to limit the amount of time an attacker has access to a system through a compromised secret. While guidelines from organizations like NIST no longer recommend periodic rotation, we’re adding the ability to enforce regular rotation of personal access tokens due to their inherent lack of 2FA protection, customer demand, and importance in certain compliance frameworks (e.g. PCI).

With this change, an instance administrator can configure a maximum lifetime for generated personal access tokens. Applying a limit will expire existing tokens, which must be regenerated and adhere to the newly applied expiration requirement. After a token’s expiration date has passed, it must be regenerated.

Protect your project data with soft deletion for projects

Protect your project data with soft deletion for projects

Currently, deleting a project in GitLab through the UI or API is immediate, irreversible, and unrecoverable without restoring from a backup. This has the potential to result in unintentional data loss, which is a worst-case scenario for the team.

To reduce this risk, GitLab 12.6 introduces soft deletion for projects. Instead of immediate removal of the project or group, the resource will be marked for deletion and removed after a configurable soft deletion time-frame. While the default time-frame is 7 days, instances wishing to retain immediate deletion can set this to 0.

Disable group mentions

Disable group mentions

Mentioning a group with a large number of members can quickly lead to a high volume of unwanted notifications. To avoid this, you can now enable a group-level setting to prevent members from receiving notifications when the group is mentioned in an issue or merge request.

Thanks @fh1ch and Siemens!

Deduplicate forks of internal projects

Deduplicate forks of internal projects

Forking workflows makes it easy to contribute to any project by creating a copy of the upstream project to work on before opening a merge request to merge your changes into the upstream project. For popular projects, the server-side storage requirements needed for thousands of copies accumulate quickly and increase hosting costs.

In GitLab 12.1, we introduced fork de-duplication for public projects, but many organizations missed out on the benefits because they primarily use internal projects. In GitLab 12.6, creating a fork of public or internal projects creates an object pool (if one doesn’t already exist) and uses objects/info/alternates to reduce the storage requirements of forks.

Thanks Brian Kabiro for your contribution!

Real-time merge request widget updates

Real-time merge request widget updates

Before clicking Merge, if you make a final tiny fix by pushing or applying a suggestion, the merge button is disabled until you reload the page. This slows down the final stages of review when applying the final fixes. In GitLab 12.6, the merge request widget is now updated in real-time so that you can merge immediately or when the pipeline succeeds.

Remove need for client-based authorization with Visual Review Tools

Remove need for client-based authorization with Visual Review Tools

In GitLab 12.0, we introduced Visual Review Tools to allow users to provide feedback on merge requests from the Review App itself.

In GitLab 12.6, we simplified usage of the tool by removing the need to create a personal access token to provide feedback.

Inherited variables are now shown in project view

Inherited variables are now shown in project view

When using a mix of project & group variables, it can be confusing to understand what group variables exist and how they may be related or conflict with project level variables. We have improved this by now showing the group (inherited) variables in the project variables page, making it easy to see what variables are coming from where.

API endpoint to list the packages of a group

API endpoint to list the packages of a group

As part of the GitLab Package Registry, we provide an API, to allow users to view, download, and delete packages. However, until recently the API was limited to a specific project, which prevented users from understanding which packages exist at the group level.

In GitLab 12.6, we are excited to announce a new API endpoint that will allow users to list all packages at the group level.

Edit a release via the Releases page

Edit a release via the Releases page

In GitLab 12.6, we are adding the capability to edit Release titles and notes directly from the user interface, instead of using the GitLab API. This provides a faster and more intuitive method to edit releases.

Control rollout of Feature Flags based on UserID

Control rollout of Feature Flags based on UserID

You can now define different userID targets for your feature flags per environment. The value that is gained here is that with this combination you can target different users on production than staging (or others) which allows you total control on how, where and to whom your Feature Flag will be toggled.

Delete related resources when removing Kubernetes clusters

Delete related resources when removing Kubernetes clusters

Re-using clusters across instances, groups, or projects can be time consuming as operators must ensure that all related cluster resources (such as namespaces, roles, bindings, etc.) are removed from the cluster prior to linking it to a new entity. Often times, operators choose to destroy a cluster and create a new one to avoid manual deletion of resources.

GitLab now provides the ability to remove all the related cluster resources upon removal, making it fast and easy to re-use clusters elsewhere.

Automatically use customized deploy values file in Auto DevOps

Automatically use customized deploy values file in Auto DevOps

Auto DevOps’ Auto-Deploy now allows for bulk configuration of its Helm chart values. By simply adding a .gitlab/auto-deploy-values.yaml file to your project, Auto DevOps will automatically detect it and use its values for deployment. This eliminates the need to create multiple HELM_UPGRADE_EXTRA_ARGS environment variables for your project and has the added benefit of version control.

Cloud Run for Anthos support in GKE Kubernetes clusters

Cloud Run for Anthos support in GKE Kubernetes clusters

When creating a Kubernetes cluster via GitLab’s GKE integration, users can now optionally enable “Cloud Run on Anthos” with a single click. GKE will automatically provision the cluster with Knative serving, Istio, and HTTP load balancing, and Cloud Run will take care of keeping the cluster upgraded. When installed, users can continue to take advantage of the features offered by GitLab Serverless to deploy Knative services with minimal configuration.

Note: We announced Cloud Run for Anthos support in GitLab 12.4, however we had to switch it off later due to compatibility issues. We’ve been working hard to ship a future-proof integration.

Knative 0.9 support

Knative 0.9 support

Starting with GitLab 12.6, when you install Knative as a GitLab Managed App, version 0.9 will be installed. This is a major upgrade in the life of Knative. Knative Serving has received its final v1 API endpoints and is considered to be production ready, but the beta and alpha endpoints are still available. Given the stable API, this upgrade provides some level of forward-compatibility too.

Show recent searches when filtering errors

Show recent searches when filtering errors

You’ve been there. You are troubleshooting an error you found in your application and have to frequently jump back and forth between searches through your error list. Starting in GitLab 12.6, you’ll be able to quickly select recent searches when filtering errors.

Sort error list by first seen, last seen and frequency

Sort error list by first seen, last seen and frequency

Errors are often plentiful, noisy, and challenging to dig through to find the important ones which are impacting your users. Starting in GitLab 12.6, as you view a list of Sentry errors in GitLab, you’ll be able to sort those errors based on frequency and when an error was last and first seen.

Support for PHP added in License Compliance

Support for PHP added in License Compliance

If you are using PHP in your project, you can now use our License Compliance feature. Please note this is at the experimental support level. We added support for PHP, specifically focusing on composer-based projects (using composer.lock).

Dependency Scanning for Java Gradle projects

Dependency Scanning for Java Gradle projects

For users with Java Gradle projects, you can now leverage our Dependency Scanning features.

SAST for Kubernetes manifests

SAST for Kubernetes manifests

Kubernetes manifests can now be checked for sensitive data like secrets and privileges, by using kubesec.

SAST compatible with private dependencies

SAST compatible with private dependencies

Projects that have dependencies that are hosted in a private repository now have a way of propagating authentication credentials for the private repository into the SAST container to have them used by the analyzing command.

Webhook logs now available for CI integrations

Webhook logs now available for CI integrations

To assist users in troubleshooting CI integrations, we’ve added a log of recent events to the integration configuration pages. This log is available on the integrations settings pages for Jenkins, Packagist, Team City, DroneCI, Buildkite, and Bamboo. This new section lists the events that have triggered this integration in the last two days.

This is particularly valuable when you are trying to troubleshoot a failing integration, as previously there was no place in the UI directly where these errors were displayed. Now, you’ll have easy access to understand what has failed (or is currently working!) and why.

Reduce GitLab memory usage with Puma (Experimental)

Reduce GitLab memory usage with Puma (Experimental)

In order to reduce the memory requirements of GitLab, we are migrating to Puma from Unicorn. Puma supports multi-threading, which can reduce the memory footprint of GitLab by about 30%.

Puma support is currently experimental, while we work to enable Puma by default in 13.0. You can try it on a test system today, and report any issues here.

Omnibus improvements

Omnibus improvements

• GitLab 12.6 includes Mattermost 5.17.1, an open source Slack-alternative. This version of Mattermost is focused on quality improvements.

Filter members list for users with direct membership

Filter members list for users with direct membership

There are two ways to gain access to a private project or group: a) being directly added to that specific project or group or b) inheriting a role from a parent group. In GitLab 12.6, we’re making it easier to understand the source of a user’s membership by allowing filtering of the Members table specifically for direct members or inherited members.

This is particularly useful for groups with external users or instances using groups for notifying teams of people.

Simplify user management with Personal Access Token and SSH key inventory

Simplify user management with Personal Access Token and SSH key inventory

As your GitLab self-managed instance grows, so too does your need for compliance controls. As more users, groups, subgroups, and projects are added, your instance becomes inherently more complex. You need visibility into who has access to your instance in an aggregate view in order to manage your instance’s risks and compliance.

To support customers in this effort, we’ve introduced an MVC for an inventory of PAT and SSH credentials. This view provides important details to administrators, such as the owner, type, and scope of each credential. It will also show when a credential is set to expire and when it was last used.

ConvDev Index is now DevOps Score

ConvDev Index is now DevOps Score

As we invest further in analytics in GitLab, our features should align with commonly used terms. Conversational development is a useful concept, but GitLab is built around the language of DevOps.

Directly referencing this term is especially helpful for organizations looking to track their adoption of DevOps best practices. We plan on iterating on this feature further, but a first important step is a name change to reflect where we’re going.

Preview OpenAPI specifications

Preview OpenAPI specifications

The OpenAPI (previously known as Swagger) Specification is a popular standard for defining RESTful interfaces. However, reading the YAML source can be difficult. In GitLab 12.6, when viewing an openapi.yml file (or another supported filename), a rendered preview of the specification will be shown using the same interface as Swagger.

Thank you Roger Meier and Siemens for your contribution!

More easily navigate between tabs within Merge Requests

More easily navigate between tabs within Merge Requests

Merge Requests are where source code is reviewed, tested, and discussed, but they can become unwieldy. Together, merge request descriptions, pipelines, and security scanning results often push the navigation tabs far down the page making them hard to find and difficult to access.

In GitLab 12.6, the merge request navigation is now above the description, making it fast and easy to jump directly to the changes. Additionally, the description and widgets are now displayed on the Overview tab, providing improved focus and navigation throughout the merge request. Please share your feedback here.

Remove fork relationship when project visibility is restricted

Remove fork relationship when project visibility is restricted

Forking workflows makes it easy to contribute to any project by creating a copy of the upstream project to work on before opening a merge request to merge your changes into the upstream project.

Previously, when the visibility of the root project in a fork network was changed to be restricted, the visibility of all the forks would be restricted. This could result in all forks of a public project suddenly becoming private if the root project was made private.

In GitLab 12.6, instead of changing the visibility of all projects, the root project is simply removed from the fork network leaving all other projects unmodified. This is equivalent to the root project being deleted.

GitLab Runner 12.6

GitLab Runner 12.6

We’re also releasing GitLab Runner 12.6 today! GitLab Runner is the open source project that is used to run your CI/CD jobs and send the results back to GitLab.

Changes include:

• Distribute arm64 binaries
• Expose image to custom executor
• Upgrade to Go 1.13
• Fix regex for finding Virtualbox snapshot names
• Removal of file locking

The list of all changes can be found in GitLab Runner’s CHANGELOG.

CI configuration outside of the repository

CI configuration outside of the repository

We have added the ability to specify the path of the .gitlab-ci.yml to an arbitrary URL, which allows you to store CI configurations in a repository other than the one being built. This can be very helpful for processing many repos the same way by pointing all of them to the same external .gitlab-ci.yml file. Efficiency is gained by having only one CI configuration file to update instead of maintaining individual configurations in each repository. Users that have a service that generates the configuration file dynamically would also benefit.

This also makes it possible to protect configurations from unauthorized changes as the file can be hosted in a project with more fine-grained access control. We have updated our documentation to make it clear how to set this up.

The GitLab NPM registry now supports installing dependencies

The GitLab NPM registry now supports installing dependencies

In GitLab 12.6, we are very excited to announce that the NPM Registry now supports installing package dependencies. Until recently, running npm install would not work if the version was not included in the command. In addition, the command would not support installing the packages’ dependencies. This was due to us not supporting the required NPM metadata, such as dependencies or tags.

Moving forward, users can expect npm install to work as expected. Next we will work on adding dependencies and tags to the Package Registry UI.

Official GitLab container with AWS client installed

Official GitLab container with AWS client installed

Interacting with a major cloud provider such as AWS, Azure, or GCP is a core component of many delivery pipelines. But before you can automate your cloud interactions, you need to have an environment set up with the appropriate tools. Previously this was something you had to manage on our own, but starting in 12.6, GitLab will provide an official AWS Docker image that will allow you to run aws commands from your CI/CD pipelines. You can access a variety of AWS services using a Docker image that is maintained and kept up-to-date by GitLab.

Delivering an official image is also the first step in supporting AWS deploys to EC2. It’s part of our broader plan to include native support for deploying to multiple cloud providers. We hope to see community contributions for additional cloud providers using this model of pre-built images with included scripts hosted in the official GitLab Cloud Deploy container registry.

Warning for skipping Merge Trains

Warning for skipping Merge Trains

When users choose Merge Immediately for their merge request, this delays all the merge requests in the Merge Train. Users were unintentionally doing this, unaware of the negative effect caused to the rest of the merge requests. Although we still allow urgent merge requests to skip the line, we added a warning as another layer of protection by explaining that this action will negatively impact others.

Customize Kubernetes namespace per environment

Customize Kubernetes namespace per environment

When you use GitLab’s Kubernetes integration, it automatically creates a namespace to serve as a deploy target for GitLab CI/CD. This makes it easy to get started with Kubernetes. However, if you already have a cluster with an existing set of namespaces, more than likely you will want to designate one of those existing namespaces as a GitLab deploy target.

Now with GitLab 12.6, you are able to specify a custom namespace for each CI environment in your .gitlab-ci.yml file allowing you to deploy to namespaces that existed before you connected your Kubernetes cluster to GitLab. Initially, this feature is only available for non-managed clusters but does support dynamic environments (e.g. for use in review apps).

Allow clearing of cluster cache to avoid getting out of sync

Allow clearing of cluster cache to avoid getting out of sync

We often need to carry out actions on Kubernetes clusters directly, for example while troubleshooting or fine tuning. Making changes to Kubernetes resources directly in the cluster can put GitLab out of sync with the cluster so it won’t recreate resources because it assumes they already exist.

Starting with GitLab 12.6, the Kubernetes integration will offer the option to clear the local cache of namespace and service accounts, allowing the next CI job to re-create them when necessary.

Install Kubernetes applications using CI template

Install Kubernetes applications using CI template

Installing Kubernetes applications using GitLab CI provides a great way to customize Helm charts prior to installation. In order to make it easier to get started, we have added a CI template with all the currently supported applications. In addition to this template, we have created an example cluster-management project containing all the necessary items required to get started. Simply import and mirror this project to get all the latest supported apps.

Improved integration between Error Tracking and Issue management

Improved integration between Error Tracking and Issue management

Triaging errors can be a manual and tedious process often completed by multiple individuals on your team. One team member may determine the Error is critical and go to create issues to fix the error. Starting in GitLab 12.6, Errors provide a link to open issues directly within the Error detail page, eliminating any confusion about whether an issue needs to be created.

If an issue doesn’t exist, you can now quickly create a GitLab issue from an generated Error when viewing that Error’s detail page.

Add Sentry as a GitLab Managed App

Add Sentry as a GitLab Managed App

If you’re a user of GitLab’s Error Tracking features, you value the ability to integrate with Sentry, the most popular open-source error tracking tool. Starting in GitLab 12.6, if you are unable to utilize a Sentry project on Sentry.io, you can deploy Sentry directly to a Kubernetes Cluster attached to your project or group. This will make it much quicker to get started with integrated error tracking in GitLab.

Access Pod Logs Directly from the Operations Tab

Access Pod Logs Directly from the Operations Tab

Previously, there wasn’t an easy way to navigate directly to your pods’ logs view. In order to get to them you had to navigate to your project’s Environments tab underneath Operations, select the desired environment, and click the relevant pod. Now, with GitLab 12.6, viewing Pod Logs is easier than ever! Simply click on the Pod Logs tab underneath Operations.

Dependency Scanning improvement for Python projects

Dependency Scanning improvement for Python projects

If your Python dependencies are stored in a file other than the regular requirements.txt, with GitLab 12.6, you can now set the requirements file with the PIP_REQUIREMENTS_FILE variable.

SAST Support for React framework (JavaScript)

SAST Support for React framework (JavaScript)

If you have projects written using the React framework for JavaScript, you can now use our SAST scanners to find any security issues.

Dependency scanning for Scala projects using the sbt package manager

Dependency scanning for Scala projects using the sbt package manager

With GitLab 12.6, we have added support for Scala with the sbt package manager in Dependency Scanning. You are now able to scan your Scala projects for potential vulnerabilities.

Group Webhooks are now editable

Group Webhooks are now editable

Group Webhooks are now editable! Previously, it was only possible to create and delete them, so making a change to a webhook required you to delete the webhook and start over. This addition adds the ability to edit these in the UI, saving you time and effort when setting up your webhooks.

Jira issue links are now optional

Jira issue links are now optional

When a user has GitLab integrated with Jira, comments are posted in Jira when activity happens in GitLab. This addition allows a user to disable those comments from the configuration page on a per-integration basis.

This is valuable for many users who don’t want to see the comments, but still want to automatically link their Jira issues to their GitLab projects. Additionally, some users have noted use cases where there are Jira users who should not have visibility of activity on the repository for confidentiality reasons. Having more fine-grained control over what content is posted to these comments is valuable for both of these cases.

Performance improvements

Performance improvements

We continue to improve the performance of GitLab with every release for GitLab instances of every size.

Some of the improvements in GitLab 12.6 are:

• Enable HTTP caching for merge request comments polling
• Reduce SQL queries when loading user avatars
• Improve performance of SQL used in determining which Ci::JobArtifact records to sync to Geo secondary nodes
• Remove an N+1 call rendering projects search results and fix false positive tests
• Improve issues search performance on GraphQL
• Preload group ancestor to avoid N+1
• Improve .groups_user_can_read_epics performance
• Remove stickyMonitor from diff_file_head.vue