Add a new JWT signed field for uploads

See merge request gitlab-org/gitlab-workhorse!490

It contains all the parameters generated by workhorse during a file upload

Refactor internal/artifacts/artifacts_upload_test.go

See merge request gitlab-org/gitlab-workhorse!491

Set default, workflow, and use rules in CI config

See merge request gitlab-org/gitlab-workhorse!489

Signed-off-by: Rémy Coutable <remy@rymai.me>

Sign artifact multipart fields in Workhorse

See merge request gitlab-org/security/gitlab-workhorse!7

This adds the `Gitlab-Workhorse-Multipart-Fields` HTTP header, which
contains a list of signed multipart keys, for the CI artifacts upload
endpoints. This is already done for multipart attachments but was
not done for the the CI artifacts case.

Without this header, Rails can't guarantee that the file attachments
were validated by Workhorse.

This is the Workhorse part of the solution for
https://gitlab.com/gitlab-org/gitlab/-/issues/213139. This needs to be
used by Rails:
https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/403

Add automatic changelog generation

See merge request gitlab-org/gitlab-workhorse!484

Include code-navigation block to CI

See merge request gitlab-org/gitlab-workhorse!482

Release v8.30.0

See merge request gitlab-org/gitlab-workhorse!483

Proxy ActionCable websocket connection

See merge request gitlab-org/gitlab-workhorse!454

Tests a single backend setup and a separate cable backend setup

Add a missing CHANGELOG entry

See merge request gitlab-org/gitlab-workhorse!481

This is to support running the ActionCable server in a separate
process from the web server

Had to use a simple proxy because the other ResponseWriter
wrappers do not support HiJack and we don't need those for
this route anyway

Release Workhorse v8.29.0

See merge request gitlab-org/gitlab-workhorse!480

Bump Labkit version to support profiler sample versioning

See merge request gitlab-org/gitlab-workhorse!479

This version bump refers to fac94cb42 in order to
support Go Continuous Profiling with versioning.

I.e. Workhorse will provide its build version to
the profiler and it'll be presented at the Stackdriver
Profiler UI.

CI: stop trying to rm -rf gitaly hooks in docker container

See merge request gitlab-org/gitlab-workhorse!477

Reject parameters that override upload fields

See merge request gitlab-org/security/gitlab-workhorse!3

When Workhorse intercepts file uploads, we store the files and send the
information about the temporary file in new multipart form values called
`file.path`, `file.size` etc.

Since we're also copying all other multipart form values from the
original client request, it was possible to override the values we
set in Workhorse, causing Rails to e.g. load the uploaded file from
an injected `file.path` parameter.

To avoid this, we check if client parameters have the same name as any
of our own added fields and reject the request.

The `path` and `remote_*` fields are not always set in Workhorse
depending on the storage type, but still picked up in Rails.

To avoid injecting any client params with the same name, we just set
these fields to empty strings.

Resolve "PyPi - Object storage upload route for package files"

See merge request gitlab-org/gitlab-workhorse!474

Release v8.27.0

See merge request gitlab-org/gitlab-workhorse!476

Remove Set-Cookie header from archive and raw blob responses

See merge request gitlab-org/gitlab-workhorse!475

CDNs don't cache responses with Set-Cookie header as they assume they
contain some sort of state or user-specific data, which is not the case for
raw blobs and repository archives.

This change allows GitLab installations that sit behind a CDN to benefit from its
caching feature seamlessly.

Related to https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/6829
and https://gitlab.com/gitlab-com/gl-infra/scalability/-/issues/4