Update重要：GitLab 17.0 影響度「高」変更情報（SaaS環境は順次適用開始）

4月から前倒しで適用されるアップデート・削除について

2024年5月16日(米国時間）リリースされる GitLab 17.0がリリースされますが、それに伴い多くのアップデート・非推奨・削除などの変更もあります。
今回は、5月16日を待たずに、GitLab.com(SaaS版)にはすでに順次適用が開始されているため、ご利用中機能やワークフローに影響がないかを確認いただくことをお勧めします。

前倒しスケジュール：以下3つの期間が想定されています

2024-04-22 09:00 UTC to 2024-04-24 22:00 UTC
2024-04-29 09:00 UTC to 2024-05-01 22:00 UTC
2024-05-06 09:00 UTC to 2024-05-08 22:00 UTC

適用されるアップデート・削除など対象機能一覧および適用スケジュール

以下サイトにて、下段に抜粋されていないアップデートなども含めた情報が掲載されています。
こちらにて、貴社内への影響度をご確認いただくことをお勧めいたします。

17.0 Breaking Changes – Request for additional information
https://gitlab.com/gitlab-com/Product/-/issues/13310

※GitLab社にて影響が大きいと思われる機能は以下に抜粋されています。

GitLab 17.0 影響の大きい重大な変更点

2024年5月16日(米国時間）リリースされる GitLab 17.0において以下のような影響の大きい変更を確認しました。
継続的インテグレーション（CI）、継続的デプロイ（CD）、コンプライアンス、インスタンスの可用性など、重要なワークフローを中断する可能性があるものを「影響が大きい」と定義しています。
そのため、メジャーリリースの準備の際には、まずこれらの変更を優先することをお勧めします。リンク先のドキュメントでそれぞれの変更に関する詳細な情報を見つけることができますが、この概要では影響を受ける機能と潜在的な影響に関する注意事項をいくつか紹介します。（以下は抜粋であり、変更点のすべてではありませんのでご注意ください）

カテゴリ
1. Self-managed deployment
2. CI（継続的インテグレーション）
3. CD（継続的デプロイ）
4. Package
5. GitLab.com
6. Ultimate Only
* GitLab Japan によるドキュメント（Partner Only）

1. Self-managed deployment

Postgres 13 deprecated

Impacts all self-managed customers. Failing to upgrade to Postgres 14 will break the deployment.
Postgres 14 is already supported starting from GitLab 16.2.0.

omniauth-azure-oauth2 gem is deprecated

Impacts self-managed customers who use the omniauth-azure-oauth2 provider for authentication.
Without migration to omniauth_openid_connect, users will no longer be able to sign in using the Azure login button.

Min concurrency ＆ max concurrency in Sidekiq options

Impacts GitLab deployments that have sidekiq[‘min_concurrency’] ＆ sidekiq[‘max_concurrency’] configured in their gitlab.rb.
Failure to migrate will break the deployment.

2. CI（継続的インテグレーション）

Registration tokens ＆ server-side runner arguments in POST /api/v4/runners endpoint

Impacts custom automations that provision runners.
Potentially breaks CI pipelines by disabling runner provisioning.

File type variable expansion fixed in downstream pipelines

Impacts pipelines using downstream pipelines passing File-type variables to the downstream pipeline.
Changed behavior may break the downstream pipeline due to a change in variable content.

after_script keyword will run for canceled jobs

Impacts pipelines using the after_script keyword.
Changed behavior may break pipelines ｏｒ cause unexpected pipeline results.

Old versions of JSON web tokens are deprecated, HashiCorp Vault integration will no longer use CI_JOB_JWT by default, ＆ JWT /-/jwks instance endpoint is deprecated

Impacts pipelines relying on the CI_JOB_JWT ｏｒ CI_JOB_JWT_V2 CI variables.
The removal of the variable may break Vault integrations ｏｒ otherwise cause pipelines to fail.

3. CD（継続的デプロイ）

The pull-based deployment features of the GitLab agent for Kubernetes is deprecated

Impacts projects using the GitLab agent for Kubernetes for deployments.
The change may break CD workflows relying on the GitLab agent for Kubernetes.
The agent itself is not deprecated ＆ still used for a number of features, like communicating with the cluster, its API endpoints ＆ pushing information about events in the cluster to GitLab.

Agent for Kubernetes option ca-cert-file renamed

Impacts customers installing Kubernetes agents behind a self-signed certificate.
The change may impact CD workflows relying on connecting Kubernetes clusters to GitLab via the agent.

4. Package

npm package uploads now occur asynchronously

Impacts projects publishing npm ｏｒ Yarn packages to the GitLab registry.
Due to the asynchronous upload, pipelines may break that expect packages to be available as soon as they are published.

Dependency Proxy: Access tokens to have additional scope checks

Impacts projects using the Dependency Proxy with a group access token ｏｒ personal access token that have insufficient scopes.
Because tokens without the required scopes will fail, this may break pipelines by rejecting docker login ＆ docker pull requests.

Maven repository group permissions

Impacts projects using the Maven repository at the group level where user permissions are not set up correctly.
Because users without correct permissions will fail to access the requested packages, this change may break pipelines for those users.

5. GitLab.com

Upgrading the operating system version of GitLab SaaS runners on Linux

Impacts pipelines using saas-linux-*-amd64 tagged shared runners on GitLab.com that use outdated Docker-in-Docker ｏｒ Kaniko versions.
The outdated versions will be unable to detect the container runtime ＆ fail, breaking the pipeline.

Deprecating Windows Server 2019 in favor of 2022

Impacts pipelines using shared-windows ＆ windows-1809 tagged shared runners on GitLab.com.
Affected jobs will not be picked up by runners, thus blocking the pipeline.
You can identify affected jobs by searching for the deprecated tags in your .yml files.

Removal of tags from small SaaS runners on Linux

Impacts pipelines using shared runners tagged docker, east-c, gce, git-annex, linux, mongo, mysql, ruby, ｏｒ shared on GitLab.com.
Affected jobs will not be picked up by runners, thus blocking the pipeline.
You can identify affected jobs by searching for the deprecated tags in your .yml files.

6. Ultimate Only

Security policy fields newly_detected ＆ match_on_inclusion are deprecated

Impacts groups ＆ projects that have merge request approval policies (previously: scan result policies) enabled ＆ use the deprecated keywords.
Without migration, the rules enforced by the policies will stop working, causing potential compliance violations.

Required Pipeline Configuration is deprecated

Impacts Ultimate self-managed customers using required pipeline configuration.
Without migration, the required configuration will no longer be used by projects, impacting all pipelines that are run on the instance.