From 8aa06491c740b560a24e5033d9eaf0b309daa8ba Mon Sep 17 00:00:00 2001
From: gdk <gdk@example.com>
Date: Thu, 17 Jul 2025 23:34:12 +0000
Subject: [PATCH] Finalize BBM EncryptMissedCiRunnerTokens

This migration was finished at `2025-07-10 07:07:02 UTC`, you can confirm
the status using our
[batched background migration chatops commands](https://docs.gitlab.com/ee/development/database/batched_background_migrations.html#monitor-the-progress-and-status-of-a-batched-background-migration).
  To confirm it is finished you can run:

```
/chatops run batched_background_migrations status 2000443 --database ci
```

The last time this background migration was triggered was in
[db/post_migrate/20250630163722_queue_encrypt_missed_ci_runner_tokens.rb](https://gitlab.com/gitlab-org/gitlab/-/blob/master/db/post_migrate/20250630163722_queue_encrypt_missed_ci_runner_tokens.rb)

You can read more about the process for finalizing batched background migrations in
https://docs.gitlab.com/ee/development/database/batched_background_migrations.html .

As part of our process we want to ensure all batched background migrations
have had at least one
[required stop](https://docs.gitlab.com/ee/development/database/required_stops.html)
to process the migration. Therefore we can finalize any batched background migration that was added before the
last required stop.

This change was generated by
[gitlab-housekeeper](https://gitlab.com/gitlab-org/gitlab/-/tree/master/gems/gitlab-housekeeper)
in [CI](https://ops.gitlab.net/gitlab-com/database-team/gitlab-com-database-testing/-/jobs/19363183) using the `Keeps::OverdueFinalizeBackgroundMigration` keep.

To provide feedback on your experience with `gitlab-housekeeper` please create an issue with the
label ~"GitLab Housekeeper" and consider pinging the author of this keep.

Changelog: other
---
 .../encrypt_missed_ci_runner_tokens.yml       | 13 +++++++-----
 ...lize_hk_encrypt_missed_ci_runner_tokens.rb | 21 +++++++++++++++++++
 db/schema_migrations/20250717233346           |  1 +
 3 files changed, 30 insertions(+), 5 deletions(-)
 create mode 100644 db/post_migrate/20250717233346_finalize_hk_encrypt_missed_ci_runner_tokens.rb
 create mode 100644 db/schema_migrations/20250717233346

diff --git a/db/docs/batched_background_migrations/encrypt_missed_ci_runner_tokens.yml b/db/docs/batched_background_migrations/encrypt_missed_ci_runner_tokens.yml
index 60fe79f09a4895..670f7088a9a280 100644
--- a/db/docs/batched_background_migrations/encrypt_missed_ci_runner_tokens.yml
+++ b/db/docs/batched_background_migrations/encrypt_missed_ci_runner_tokens.yml
@@ -1,11 +1,14 @@
 ---
 migration_job_name: EncryptMissedCiRunnerTokens
-description: >
-  We've encrypted plain tokens and migrated to token_encrypted (in milestone 11.6), so we need to remove the runner token column
-  and make encryption required (currently optional). However, plain tokens remain unencrypted in gitlab_com and likely in self-managed instances.
-  We must encrypt these remaining tokens and nullify them before removing the column completely.
+description: 'We''ve encrypted plain tokens and migrated to token_encrypted (in milestone
+  11.6), so we need to remove the runner token column and make encryption required
+  (currently optional). However, plain tokens remain unencrypted in gitlab_com and
+  likely in self-managed instances. We must encrypt these remaining tokens and nullify
+  them before removing the column completely.
+
+  '
 feature_category: fleet_visibility
 introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196265
 milestone: '18.2'
 queued_migration_version: 20250630163722
-finalized_by: # to be updated
+finalized_by: '20250717233346'
diff --git a/db/post_migrate/20250717233346_finalize_hk_encrypt_missed_ci_runner_tokens.rb b/db/post_migrate/20250717233346_finalize_hk_encrypt_missed_ci_runner_tokens.rb
new file mode 100644
index 00000000000000..18c80b595def13
--- /dev/null
+++ b/db/post_migrate/20250717233346_finalize_hk_encrypt_missed_ci_runner_tokens.rb
@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+class FinalizeHkEncryptMissedCiRunnerTokens < Gitlab::Database::Migration[2.3]
+  milestone '18.3'
+
+  disable_ddl_transaction!
+
+  restrict_gitlab_migration gitlab_schema: :gitlab_ci
+
+  def up
+    ensure_batched_background_migration_is_finished(
+      job_class_name: 'EncryptMissedCiRunnerTokens',
+      table_name: :ci_runners,
+      column_name: :id,
+      job_arguments: [],
+      finalize: true
+    )
+  end
+
+  def down; end
+end
diff --git a/db/schema_migrations/20250717233346 b/db/schema_migrations/20250717233346
new file mode 100644
index 00000000000000..1bc603fd12c307
--- /dev/null
+++ b/db/schema_migrations/20250717233346
@@ -0,0 +1 @@
+fde3ea0eee6af69f6c2738a6a92e806d65cb7ae733e18ce23cab219298b518ee
\ No newline at end of file
-- 
GitLab