Merge branch 'jfarmiloe-deploy-keys' into 'master'

Add script to identify problematic deploy keys

See merge request gitlab-org/gitlab!60977

doc/administration/troubleshooting/gitlab_rails_cheat_sheet.md

@@ -305,6 +305,42 @@ p.statistics.refresh!
 pp p.statistics  # compare with earlier values
 ```
 
+### Identify deploy keys associated with blocked and non-member users 
+
+When the user who created a deploy key is blocked or removed from the project, the key 
+can no longer be used to push to protected branches in a private project (see [issue #329742](https://gitlab.com/gitlab-org/gitlab/-/issues/329742)). 
+The following script identifies unusable deploy keys:
+
+```ruby
+ghost_user_id = User.ghost.id
+
+DeployKeysProject.with_write_access.find_each do |deploy_key_mapping|
+  project = deploy_key_mapping.project
+  deploy_key = deploy_key_mapping.deploy_key
+  user = deploy_key.user
+
+  access_checker = Gitlab::DeployKeyAccess.new(deploy_key, container: project)
+
+  # can_push_for_ref? tests if deploy_key can push to default branch, which is likely to be protected
+  can_push = access_checker.can_do_action?(:push_code)
+  can_push_to_default = access_checker.can_push_for_ref?(project.repository.root_ref)
+  
+  next if access_checker.allowed? && can_push && can_push_to_default
+
+  if user.nil? || user.id == ghost_user_id
+    username = 'none'
+    state = '-'
+  else
+    username = user.username
+    user_state = user.state
+  end
+
+  puts "Deploy key: #{deploy_key.id}, Project: #{project.full_path}, Can push?: " + (can_push ? 'YES' : 'NO') +
+       ", Can push to default branch #{project.repository.root_ref}?: " + (can_push_to_default ? 'YES' : 'NO') +
+       ", User: #{username}, User state: #{user_state}"
+end
+```
+
 ## Wikis
 
 ### Recreate