batches: add SSBC support for organisations (#42131)

Co-authored-by: Bolaji Olajide

Created at 11 hours ago
SSBC in orgs

Make sure everything works on an org-level as well. Currently, I think the permissions checks don't do the org part. It's possible one can't spawn an execution in an org namespace.

Created at 11 hours ago
delete branch
LawnGnome delete branch aharvey/ssbc-orgs
Created at 11 hours ago
pull request closed
batches: add SSBC support for organisations

This PR adds full support for creating and applying batch changes within organisations from SSBC. The vast majority of the work here was around our permission handling, rather than anything to do with SSBC or the UI specifically.

Fixes #36536.


As a refresher (because I certainly needed one), this is how permissions are documented to work in Batch Changes.

I discovered that our organisation handling was basically broken when querying batch changes that the user has admin rights to — batch changes owned by organisations that the user belongs to would never be returned. This affected both client and server side batch change functionality, and has been fixed.

Fixing this broke a number of tests that didn't set up full user, organisation, and user/org membership fixtures. These tests have been updated to set up more realistic environments.

Fixing that made me realise how hard some of the batch change store tests were to update, since their state was essentially linked to specific cs indices doing magic things upon creation. I made that creation explicit, rather than implicit, and updated tests that needed updating from there. (I chose not to do a full conversion of those tests to use assert and require, but did make spot updates as I rewrote specific subtests.)

One remaining issue here is that (non-admin) users belonging to an organisation may not be able to see all executions of a batch change in that organisation — right now, they only have access to their own executions. On balance, this might be the right thing to do, but input welcome there.

UI changes

This PR reverted #37187 to reinstate a usable namespace selector when creating a batch change from the UI. I took the opportunity to simplify the NamespaceSelector prop types along the way, since our cases are now somewhat simpler.

While testing this work, I also realised that there were a few potential banners on the batch change details page that are unactionable if the user doesn't have admin access to that batch change, so I've removed those in that case.

One final change that I would like feedback on is that users who cannot administer a batch change will now not see the Edit and Close buttons on the batch change. The alternative here would be to disable them with tooltips, but showing them at all feels a bit wrong to me. Thoughts?

Test plan

I believe I've tested all the possible combinations here (site admin in an org, site admin not in an org but using their site admin powers (maybe) responsibly, user in an org, user not in an org), and have added what I think are reasonable unit tests covering this at the resolver and store levels.

Created at 11 hours ago
issue comment
batches: add SSBC support for organisations

Do you mind adding the comment summary descriptor for CanAdministerInNamespace?

Sure thing! Added.

Created at 11 hours ago

dev/release: remove mi upgrade tracking issue (#42202)

update with pricing page (#42206)

Fix search context menu labels copy (#42168)

  • Fix search context menu labels copy

  • Fix code monitoring label

Make fuzzy finder modal wide again (#41736)

  • Make fuzzy finder modal wide again

The width of the fuzzy finder modal recently became very narrow. I wasn't able to track down the exact PR that impacted the width, but at some point the priority of the Wildcard Modal component overwrote the custom width: 80vw style we defined specifically for the fuzzy finder. This commit fixes the priority by using an id attribute instead of class.

  • web: make fuzzy finder modal wide again

Co-authored-by: Valery Bugakov

insights: reduce historical backfill queueing delay to 30s (#42166)

codeintel: reduce search based definition query count to 50 (#42224)

When we disabled legacy extensions on (around 13:40 20th Sep UTC), Zoekt's CPU usage and contention went up significantly. In code-intel-extensions repository, the definition query uses count:50. However, in the Sourcegraph repo we use count:500. We believe this is the root cause for the regression.

Using the bubble up feature on honeycomb, it shows that the difference between our bad queries and good is a max shard match count of 500.

Test Plan: CI and then monitoring CPU usage in production.

Co-authored-by: Stefan Hengl

database: Don't allow empty code host config (#41985)

We already have a db constraint to stop this in most cases, but when we have encryption enabled then even an empty config is converted into an encrypted value so we need to do the check in our application layer too.

While investigating this we already had code to validate our config but it had not been included in the Upsert path. That is now fixed and tests were updated where necessary.

CodeMirror Blob: Improve search input styles (#42014)

This commit replaces the default search panel with a custom implementation that uses Wildcard styles. Because I wanted to avoid interfacing with React as much as possible I used plain DOM.

Insights/integration-test-populated-dashboard (#41962)

  • stub render test

  • populated dashboard rendering correctly

  • fix fixture types


  • assert each type of insight renders

  • add compute insight to assertions

  • add jsdoc for getLinks helper

  • fix GetInsightView to return by id

  • Update create/update dashboard integration tests

  • Fix add and delete dashboard integration test after merge commit

  • Fix render populated dashboard test

Co-authored-by: vovakulikov

Format main (#42227)

ci: go generate ./enterprise/dev/ci/... (#42233)

The steps recently changed, so we need to regenerate the docs. Currently CI is broken due to this.

Test Plan: CI

docker-images: update alpine image's bind-tools for many CVEs (#42232)

There is a whole slew of CVEs currently which are affecting all our images:

  • CVE-2022-2795
  • CVE-2022-2881
  • CVE-2022-2906
  • CVE-2022-3080
  • CVE-2022-38177
  • CVE-2022-38178

Note: This only updates the base image, another commit will need to update all images to use this.

Test Plan: docker build docker-images/alpine-3.14 and output indicates a version greater than or equal to 9.16.33-r0

gitolite: Check for header before executing gitolite list (#42226)

This ensures that the request came from us and we can assume some level of scrutiny was given to the parameters being passed.

gomod: update for CVE-2022-27664 (#42230)

Test Plan: CI

Release: update release config for 4.1.0 (#42237)

update release config for 4.1.0

insights: docs: update broken link to oob migration (#42223)

Code insights: Add dashboard cards integration test (#42254)

  • Add dashboard cards integration test

RFC 619: Inline httpapi package into uploads service (#42197)

[code-nav]: Moving graphql transport layer to individual service layers (#41596)

all: update Dockerfile to use latest alpine-3.14 (#42259)

We updated sourcegraph/alpine-3.14 today in 3b3879b9 to remove a bunch of CVEs in bind-tools. This commit makes it so we use the new image.

Test Plan: CI works and has far less security reports.

Created at 11 hours ago

Update client/web/src/enterprise/batches/detail/BatchChangeDetailsPage.tsx

Co-authored-by: Bolaji Olajide

Created at 1 day ago
issue comment
batches: Normalize changeset_specs.published null values

@Piszmog Thanks for trying that. Sorry about the breakage.

I think the check constraint idea is a reasonable one, but I'm also OK merging this as-is given we've made an honest effort to improve things. 😄

Created at 1 day ago


Created at 2 days ago

web: format stream.ts (#42127)

docs/update add AWS AMI instances guide (#41889)

  • Move AWS manual deploy docs to One-click

  • Update deployment logs and adjust theme

  • Update logs with gcp bucket links

  • Add AWS AMI deployment docs

  • Add aws ami backup section

  • Add notes about cloning from private repo

  • Add notes about using scripts with private repos

  • Update resource estimator info

  • Remove public IP info

  • Update estimator build version

  • Add instruction on choosing instance size

  • Add steps to search for AMIs

  • Update network configuration dashboards url

  • Remove Size S and M

  • Update instance types

  • update button layout

  • various improvements

Signed-off-by: Stephen Gutekanst
Co-authored-by: Beyang Liu
Co-authored-by: Stephen Gutekanst

release: sourcegraph@4.0.1 (#42130)

update aws ami docs (#42133)

Co-authored-by: Beatrix

Remove experimental analytics docs badge (#42135)

remove experimental badge

docs/update Add region to AMI links (#42137)

  • Add region to AMI links

  • Remove space from DigitalOcean

doc: aws ami: use text from AWS UI checkboxes (#42138)

doc: aws ami: use text from AWS UI checkboxes and set auto-assign IP to "enable"

Remove core workflow improvements flag (#41986)

vsce: patch release v2.2.10 (#42079)

web: collapse navbar on smaller screens than before (#42057)

Revert "Don't announce 4.0.0 release in update check yet (#41976)" (#41977)

This reverts commit 30811fe1fc80631973fd433042be75bb28c69752.

docs: fix exhaustive search page (#42146)

upgrade: Update docker-compose instructions (#42052)

Allow to cancel running external service sync jobs (#41518)

This PR makes use of dbworker cancellation which we recently added as a feature to allow to cancel a running external service sync, so customers don't need to shoot down their instance in case of misconfiguration (eg when syncing the entirety of

It also contains a couple of tweaks to honor context cancellation better in the sync jobs, so that we bail out early. Worker cancellation is async, and the UI handles that with a canceling state.

docs: fix typo (#42139)

Bundle legacy code intel extension for native integrations (#42106)

Part of #41921

We have a deployment method of the browser extensions that we call "native integrations". The idea here is that we inject the browser extension code directly from the code host so that users do not need to install an extension. Most prominently, this is used by GitLab who currently bundles a version of the native integrations package with their on-premise builds so instance admins can enable this for users.

The issue with this deployment model is that we have no impact on when these clients are updated. We rely on GitLab's rollout and update policies so these cycles are super slow. For the upcoming release, we had to cut a corner for this and made the extensions GraphQL endpoints handle eventual native integration requests with special care to not break them.

Since we eventually want to remove these APIs, we want to move fast here and provide a new native integration build that does not use these APIs anymore. Before we can update the bundled version on the GitLab end, we need to make sure that the package contains a bundled version of the code intel APIs (similar to our browser extensions right now). This is what's happening here:

  • This PR bundles the legacy code intel APIs to the @sourcegraph/code-host-integration package.
  • It also changes the gating of the inlined extensions so that they are loaded on GitLab.

Co-authored-by: Taras Yemets

Create Cloud Instance onboarding doc (#41993)

  • Create Cloud Instance onboarding doc

As part of the growth initiative we need to offer proper guidance for new cloud users. Due to lack of a better onboarding experience right now we are relying on this document to offer some guidance.

This will be shared on the welcome email, and there is no need to be linked from anywhere else in the Docs.

  • Update doc/getting-started/

Co-authored-by: David Veszelovszki

  • Changes discord link to a short url

  • Includes Malo's feedback

  • small markdown tweaks

  • Fixes spacings between headings

  • Adds link from Cloud page

  • Delete

  • Adds link to onboarding

  • Update

  • Fixes the link

  • Wording changes

Co-authored-by: David Veszelovszki
Co-authored-by: Malo Marrec
Co-authored-by: Erik Seliger

Remove Ben from search-product label notify (#42160)

dev/sg: create .bin if it does not exist (#42162)

Formatting fixes (#42158)

Created at 2 days ago

Finish conversion to OnlyAdministeredByUserID.

Improve org handling in tests.

Created at 2 days ago
pull request closed

This PR adds the top ten (or up to ten) contributors to this repository to a CODEOWNERS file.

Created by Sourcegraph batch change aharvey/add-codeowners.

Created at 2 days ago
pull request opened

This PR adds the top ten (or up to ten) contributors to this repository to a CODEOWNERS file.

Created by Sourcegraph batch change aharvey/add-codeowners.

Created at 2 days ago
create branch
LawnGnome create branch add-codeowners
Created at 2 days ago
pull request opened
batches: add SSBC support for organisations

This will fix #36536 when complete.

The major issue here is permissions. I'm not totally sure I've got them right at present. There are also some lingering issues elsewhere in our codebase that probably caused bugs for original flavour Batch Changes users as well, such as batch change counts filtered by viewerCanAdminister not including batch changes owned by organisations.

I've also smoothed out some rough edges in our UI when a user is viewing a batch change they don't have admin rights on: there are boxes and buttons that don't make sense to display in that case, since they're not actionable.

Open questions

  • Should regular users be able to see all executions on batch changes they otherwise have admin access to (through belonging to an organisation, or because it's in their user namespace)?
  • Should user B be able to apply a batch spec created by user A if the batch spec/change belong to an organisation they are both members of?


  • [ ] Make batch spec/change resolvers handle viewerCanAdminister more consistently: right now, these degrade into CreatorID checks, which don't account for organisation membership.
  • [ ] Figure out what's up with the mutation resolver test breakage.
  • [ ] Get a design sanity check on whether hiding Edit/Close on the batch change details page is sensible when the user can't administer the batch change.

Test plan

Created at 3 days ago
create branch
LawnGnome create branch aharvey/ssbc-orgs
Created at 3 days ago