Add latest changes from gitlab-org/gitlab@master

.gitlab/CODEOWNERS

@@ -6,8 +6,8 @@
 /doc/ @axil @marcia @eread @mikelewis
 
 # Frontend maintainers should see everything in `app/assets/`
-app/assets/ @ClemMakesApps @fatihacet @filipa @mikegreiling @timzallmann @kushalpandya @pslaughter @wortschi @ntepluhina
-*.scss @annabeldunstone @ClemMakesApps @fatihacet @filipa @mikegreiling @timzallmann @kushalpandya @pslaughter @wortschi @ntepluhina
+app/assets/ @ClemMakesApps @fatihacet @filipa @mikegreiling @timzallmann @kushalpandya @pslaughter @wortschi @ntepluhina @iamphill
+*.scss @annabeldunstone @ClemMakesApps @fatihacet @filipa @mikegreiling @timzallmann @kushalpandya @pslaughter @wortschi @ntepluhina @iamphill
 
 # Database maintainers should review changes in `db/`
 db/ @gitlab-org/maintainers/database

.gitlab/ci/review.gitlab-ci.yml

@@ -122,6 +122,7 @@ schedule:review-build-cng:
     - source scripts/utils.sh
     - install_api_client_dependencies_with_apk
     - source scripts/review_apps/review-apps.sh
+    - export REVIEW_APP_CONFIG_CHANGED=$(base_config_changed)
   script:
     - date
     - check_kube_domain

CHANGELOG-EE.md

 Please view this file on the master branch, on stable branches it's out of date.
 
+## 12.4.1
+
+### Security (6 changes)
+
+- Do not display project labels that are not visible for user accessing group labels.
+- Do not index system notes for issue update.
+- Redact search results based on Ability.allowed?.
+- Do not show private cross references in epic notes.
+- Filter out packages the user does'nt have permission to see at group level.
+- Fixes a Open Redirect issue in `InternalRedirect`.
+
+
 ## 12.4.0
 
 ### Security (2 changes)

CHANGELOG.md

@@ -4,11 +4,12 @@ entry.
 
 ## 12.4.1
 
-### Security (12 changes)
+### Security (14 changes)
 
 - Standardize error response when route is missing.
 - Do not display project labels that are not visible for user accessing group labels.
 - Show cross-referenced label and milestones in issues' activities only to authorized users.
+- Show cross-referenced label and milestones in issues' activities only to authorized users.
 - Analyze incoming GraphQL queries and check for recursion.
 - Disallow unprivileged users from commenting on private repository commits.
 - Don't allow maintainers of a target project to delete the source branch of a merge request from a fork.
@@ -17,6 +18,7 @@ entry.
 - Return 404 on LFS request if project doesn't exist.
 - Mask sentry auth token in Error Tracking dashboard.
 - Fixes a Open Redirect issue in `InternalRedirect`.
+- Remove deploy access level when project/group link is deleted.
 - Sanitize all wiki markup formats with GitLab sanitization pipelines.
 
 

app/assets/javascripts/monitoring/components/charts/anomaly.vue

+<script>
+import { flatten, isNumber } from 'underscore';
+import { GlLineChart, GlChartSeriesLabel } from '@gitlab/ui/dist/charts';
+import { roundOffFloat } from '~/lib/utils/common_utils';
+import { hexToRgb } from '~/lib/utils/color_utils';
+import { areaOpacityValues, symbolSizes, colorValues } from '../../constants';
+import { graphDataValidatorForAnomalyValues } from '../../utils';
+import MonitorTimeSeriesChart from './time_series.vue';
+
+/**
+ * Series indexes
+ */
+const METRIC = 0;
+const UPPER = 1;
+const LOWER = 2;
+
+/**
+ * Boundary area appearance
+ */
+const AREA_COLOR = colorValues.anomalyAreaColor;
+const AREA_OPACITY = areaOpacityValues.default;
+const AREA_COLOR_RGBA = `rgba(${hexToRgb(AREA_COLOR).join(',')},${AREA_OPACITY})`;
+
+/**
+ * The anomaly component highlights when a metric shows
+ * some anomalous behavior.
+ *
+ * It shows both a metric line and a boundary band in a
+ * time series chart, the boundary band shows the normal
+ * range of values the metric should take.
+ *
+ * This component accepts 3 queries, which contain the
+ * "metric", "upper" limit and "lower" limit.
+ *
+ * The upper and lower series are "stacked areas" visually
+ * to create the boundary band, and if any "metric" value
+ * is outside this band, it is highlighted to warn users.
+ *
+ * The boundary band stack must be painted above the 0 line
+ * so the area is shown correctly. If any of the values of
+ * the data are negative, the chart data is shifted to be
+ * above 0 line.
+ *
+ * The data passed to the time series is will always be
+ * positive, but reformatted to show the original values of
+ * data.
+ *
+ */
+export default {
+  components: {
+    GlLineChart,
+    GlChartSeriesLabel,
+    MonitorTimeSeriesChart,
+  },
+  inheritAttrs: false,
+  props: {
+    graphData: {
+      type: Object,
+      required: true,
+      validator: graphDataValidatorForAnomalyValues,
+    },
+  },
+  computed: {
+    series() {
+      return this.graphData.queries.map(query => {
+        const values = query.result[0] ? query.result[0].values : [];
+        return {
+          label: query.label,
+          data: values.filter(([, value]) => !Number.isNaN(value)),
+        };
+      });
+    },
+    /**
+     * If any of the values of the data is negative, the
+     * chart data is shifted to the lowest value
+     *
+     * This offset is the lowest value.
+     */
+    yOffset() {
+      const values = flatten(this.series.map(ser => ser.data.map(([, y]) => y)));
+      const min = values.length ? Math.floor(Math.min(...values)) : 0;
+      return min < 0 ? -min : 0;
+    },
+    metricData() {
+      const originalMetricQuery = this.graphData.queries[0];
+
+      const metricQuery = { ...originalMetricQuery };
+      metricQuery.result[0].values = metricQuery.result[0].values.map(([x, y]) => [
+        x,
+        y + this.yOffset,
+      ]);
+      return {
+        ...this.graphData,
+        type: 'line-chart',
+        queries: [metricQuery],
+      };
+    },
+    metricSeriesConfig() {
+      return {
+        type: 'line',
+        symbol: 'circle',
+        symbolSize: (val, params) => {
+          if (this.isDatapointAnomaly(params.dataIndex)) {
+            return symbolSizes.anomaly;
+          }
+          // 0 causes echarts to throw an error, use small number instead
+          // see https://gitlab.com/gitlab-org/gitlab-ui/issues/423
+          return 0.001;
+        },
+        showSymbol: true,
+        itemStyle: {
+          color: params => {
+            if (this.isDatapointAnomaly(params.dataIndex)) {
+              return colorValues.anomalySymbol;
+            }
+            return colorValues.primaryColor;
+          },
+        },
+      };
+    },
+    chartOptions() {
+      const [, upperSeries, lowerSeries] = this.series;
+      const calcOffsetY = (data, offsetCallback) =>
+        data.map((value, dataIndex) => {
+          const [x, y] = value;
+          return [x, y + offsetCallback(dataIndex)];
+        });
+
+      const yAxisWithOffset = {
+        name: this.yAxisLabel,
+        axisLabel: {
+          formatter: num => roundOffFloat(num - this.yOffset, 3).toString(),
+        },
+      };
+
+      /**
+       * Boundary is rendered by 2 series: An invisible
+       * series (opacity: 0) stacked on a visible one.
+       *
+       * Order is important, lower boundary is stacked
+       * *below* the upper boundary.
+       */
+      const boundarySeries = [];
+
+      if (upperSeries.data.length && lowerSeries.data.length) {
+        // Lower boundary, plus the offset if negative values
+        boundarySeries.push(
+          this.makeBoundarySeries({
+            name: this.formatLegendLabel(lowerSeries),
+            data: calcOffsetY(lowerSeries.data, () => this.yOffset),
+          }),
+        );
+        // Upper boundary, minus the lower boundary
+        boundarySeries.push(
+          this.makeBoundarySeries({
+            name: this.formatLegendLabel(upperSeries),
+            data: calcOffsetY(upperSeries.data, i => -this.yValue(LOWER, i)),
+            areaStyle: {
+              color: AREA_COLOR,
+              opacity: AREA_OPACITY,
+            },
+          }),
+        );
+      }
+      return { yAxis: yAxisWithOffset, series: boundarySeries };
+    },
+  },
+  methods: {
+    formatLegendLabel(query) {
+      return query.label;
+    },
+    yValue(seriesIndex, dataIndex) {
+      const d = this.series[seriesIndex].data[dataIndex];
+      return d && d[1];
+    },
+    yValueFormatted(seriesIndex, dataIndex) {
+      const y = this.yValue(seriesIndex, dataIndex);
+      return isNumber(y) ? y.toFixed(3) : '';
+    },
+    isDatapointAnomaly(dataIndex) {
+      const yVal = this.yValue(METRIC, dataIndex);
+      const yUpper = this.yValue(UPPER, dataIndex);
+      const yLower = this.yValue(LOWER, dataIndex);
+      return (isNumber(yUpper) && yVal > yUpper) || (isNumber(yLower) && yVal < yLower);
+    },
+    makeBoundarySeries(series) {
+      const stackKey = 'anomaly-boundary-series-stack';
+      return {
+        type: 'line',
+        stack: stackKey,
+        lineStyle: {
+          width: 0,
+          color: AREA_COLOR_RGBA, // legend color
+        },
+        color: AREA_COLOR_RGBA, // tooltip color
+        symbol: 'none',
+        ...series,
+      };
+    },
+  },
+};
+</script>
+
+<template>
+  <monitor-time-series-chart
+    v-bind="$attrs"
+    :graph-data="metricData"
+    :option="chartOptions"
+    :series-config="metricSeriesConfig"
+  >
+    <slot></slot>
+    <template v-slot:tooltipContent="slotProps">
+      <div
+        v-for="(content, seriesIndex) in slotProps.tooltip.content"
+        :key="seriesIndex"
+        class="d-flex justify-content-between"
+      >
+        <gl-chart-series-label :color="content.color">
+          {{ content.name }}
+        </gl-chart-series-label>
+        <div class="prepend-left-32">
+          {{ yValueFormatted(seriesIndex, content.dataIndex) }}
+        </div>
+      </div>
+    </template>
+  </monitor-time-series-chart>
+</template>

app/assets/javascripts/monitoring/components/charts/time_series.vue

 <script>
 import { s__, __ } from '~/locale';
+import _ from 'underscore';
 import { GlLink, GlButton, GlTooltip, GlResizeObserverDirective } from '@gitlab/ui';
 import { GlAreaChart, GlLineChart, GlChartSeriesLabel } from '@gitlab/ui/dist/charts';
 import dateFormat from 'dateformat';
 import { roundOffFloat } from '~/lib/utils/common_utils';
 import { getSvgIconPathContent } from '~/lib/utils/icon_utils';
 import Icon from '~/vue_shared/components/icon.vue';
-import { chartHeight, graphTypes, lineTypes, symbolSizes, dateFormats } from '../../constants';
+import {
+  chartHeight,
+  graphTypes,
+  lineTypes,
+  lineWidths,
+  symbolSizes,
+  dateFormats,
+} from '../../constants';
 import { makeDataSeries } from '~/helpers/monitor_helper';
 import { graphDataValidatorForValues } from '../../utils';
 
@@ -30,6 +38,16 @@ export default {
       required: true,
       validator: graphDataValidatorForValues.bind(null, false),
     },
+    option: {
+      type: Object,
+      required: false,
+      default: () => ({}),
+    },
+    seriesConfig: {
+      type: Object,
+      required: false,
+      default: () => ({}),
+    },
     deploymentData: {
       type: Array,
       required: false,
@@ -96,29 +114,35 @@ export default {
         const lineWidth =
           appearance && appearance.line && appearance.line.width
             ? appearance.line.width
-            : undefined;
+            : lineWidths.default;
         const areaStyle = {
           opacity:
             appearance && appearance.area && typeof appearance.area.opacity === 'number'
               ? appearance.area.opacity
               : undefined,
         };
-
         const series = makeDataSeries(query.result, {
           name: this.formatLegendLabel(query),
           lineStyle: {
             type: lineType,
             width: lineWidth,
+            color: this.primaryColor,
           },
           showSymbol: false,
           areaStyle: this.graphData.type === 'area-chart' ? areaStyle : undefined,
+          ...this.seriesConfig,
         });
 
         return acc.concat(series);
       }, []);
     },
+    chartOptionSeries() {
+      return (this.option.series || []).concat(this.scatterSeries ? [this.scatterSeries] : []);
+    },
     chartOptions() {
+      const option = _.omit(this.option, 'series');
       return {
+        series: this.chartOptionSeries,
         xAxis: {
           name: __('Time'),
           type: 'time',
@@ -135,8 +159,8 @@ export default {
             formatter: num => roundOffFloat(num, 3).toString(),
           },
         },
-        series: this.scatterSeries,
         dataZoom: [this.dataZoomConfig],
+        ...option,
       };
     },
     dataZoomConfig() {
@@ -144,6 +168,14 @@ export default {
 
       return handleIcon ? { handleIcon } : {};
     },
+    /**
+     * This method returns the earliest time value in all series of a chart.
+     * Takes a chart data with data to populate a timeseries.
+     * data should be an array of data points [t, y] where t is a ISO formatted date,
+     * and is sorted by t (time).
+     * @returns {(String|null)} earliest x value from all series, or null when the
+     * chart series data is empty.
+     */
     earliestDatapoint() {
       return this.chartData.reduce((acc, series) => {
         const { data } = series;
@@ -230,10 +262,11 @@ export default {
           this.tooltip.sha = deploy.sha.substring(0, 8);
           this.tooltip.commitUrl = deploy.commitUrl;
         } else {
-          const { seriesName, color } = dataPoint;
+          const { seriesName, color, dataIndex } = dataPoint;
           const value = yVal.toFixed(3);
           this.tooltip.content.push({
             name: seriesName,
+            dataIndex,
             value,
             color,
           });
@@ -306,23 +339,27 @@ export default {
       </template>
       <template v-else>
         <template slot="tooltipTitle">
-          <div class="text-nowrap">
-            {{ tooltip.title }}
-          </div>
+          <slot name="tooltipTitle">
+            <div class="text-nowrap">
+              {{ tooltip.title }}
+            </div>
+          </slot>
         </template>
         <template slot="tooltipContent">
-          <div
-            v-for="(content, key) in tooltip.content"
-            :key="key"
-            class="d-flex justify-content-between"
-          >
-            <gl-chart-series-label :color="isMultiSeries ? content.color : ''">
-              {{ content.name }}
-            </gl-chart-series-label>
-            <div class="prepend-left-32">
-              {{ content.value }}
+          <slot name="tooltipContent" :tooltip="tooltip">
+            <div
+              v-for="(content, key) in tooltip.content"
+              :key="key"
+              class="d-flex justify-content-between"
+            >
+              <gl-chart-series-label :color="isMultiSeries ? content.color : ''">
+                {{ content.name }}
+              </gl-chart-series-label>
+              <div class="prepend-left-32">
+                {{ content.value }}
+              </div>
             </div>
-          </div>
+          </slot>
         </template>
       </template>
     </component>

app/assets/javascripts/monitoring/components/panel_type.vue

@@ -11,6 +11,7 @@ import {
 } from '@gitlab/ui';
 import Icon from '~/vue_shared/components/icon.vue';
 import MonitorTimeSeriesChart from './charts/time_series.vue';
+import MonitorAnomalyChart from './charts/anomaly.vue';
 import MonitorSingleStatChart from './charts/single_stat.vue';
 import MonitorEmptyChart from './charts/empty_chart.vue';
 import TrackEventDirective from '~/vue_shared/directives/track_event';
@@ -19,7 +20,6 @@ import { downloadCSVOptions, generateLinkToChartOptions } from '../utils';
 export default {
   components: {
     MonitorSingleStatChart,
-    MonitorTimeSeriesChart,
     MonitorEmptyChart,
     Icon,
     GlDropdown,
@@ -67,6 +67,12 @@ export default {
       const data = new Blob([this.csvText], { type: 'text/plain' });
       return window.URL.createObjectURL(data);
     },
+    monitorChartComponent() {
+      if (this.isPanelType('anomaly-chart')) {
+        return MonitorAnomalyChart;
+      }
+      return MonitorTimeSeriesChart;
+    },
   },
   methods: {
     getGraphAlerts(queries) {
@@ -93,13 +99,14 @@ export default {
     v-if="isPanelType('single-stat') && graphDataHasMetrics"
     :graph-data="graphData"
   />
-  <monitor-time-series-chart
+  <component
+    :is="monitorChartComponent"
     v-else-if="graphDataHasMetrics"
     :graph-data="graphData"
     :deployment-data="deploymentData"
     :project-path="projectPath"
     :thresholds="getGraphAlertValues(graphData.queries)"
-    group-id="monitor-area-chart"
+    group-id="panel-type-chart"
   >
     <div class="d-flex align-items-center">
       <alert-widget
@@ -141,6 +148,6 @@ export default {
         </gl-dropdown-item>
       </gl-dropdown>
     </div>
-  </monitor-time-series-chart>
+  </component>
   <monitor-empty-chart v-else :graph-title="graphData.title" />
 </template>

app/assets/javascripts/monitoring/constants.js

@@ -14,13 +14,28 @@ export const graphTypes = {
 };
 
 export const symbolSizes = {
+  anomaly: 8,
   default: 14,
 };
 
+export const areaOpacityValues = {
+  default: 0.2,
+};
+
+export const colorValues = {
+  primaryColor: '#1f78d1', // $blue-500 (see variables.scss)
+  anomalySymbol: '#db3b21',
+  anomalyAreaColor: '#1f78d1',
+};
+
 export const lineTypes = {
   default: 'solid',
 };
 
+export const lineWidths = {
+  default: 2,
+};
+
 export const timeWindows = {
   thirtyMinutes: __('30 minutes'),
   threeHours: __('3 hours'),

app/assets/javascripts/monitoring/utils.js

@@ -131,4 +131,20 @@ export const downloadCSVOptions = title => {
   return { category, action, label: 'Chart title', property: title };
 };
 
+/**
+ * This function validates the graph data contains exactly 3 queries plus
+ * value validations from graphDataValidatorForValues.
+ * @param {Object} isValues
+ * @param {Object} graphData  the graph data response from a prometheus request
+ * @returns {boolean} true if the data is valid
+ */
+export const graphDataValidatorForAnomalyValues = graphData => {
+  const anomalySeriesCount = 3; // metric, upper, lower
+  return (
+    graphData.queries &&
+    graphData.queries.length === anomalySeriesCount &&
+    graphDataValidatorForValues(false, graphData)
+  );
+};
+
 export default {};

app/assets/javascripts/pages/projects/shared/permissions/components/settings_panel.vue

 <script>
-/* eslint-disable @gitlab/vue-i18n/no-bare-strings */
 import settingsMixin from 'ee_else_ce/pages/projects/shared/permissions/mixins/settings_pannel_mixin';
-import { __ } from '~/locale';
+import { s__ } from '~/locale';
 import projectFeatureSetting from './project_feature_setting.vue';
 import projectFeatureToggle from '~/vue_shared/components/toggle_button.vue';
 import projectSettingRow from './project_setting_row.vue';
@@ -13,7 +12,7 @@ import {
 } from '../constants';
 import { toggleHiddenClassBySelector } from '../external';
 
-const PAGE_FEATURE_ACCESS_LEVEL = __('Everyone');
+const PAGE_FEATURE_ACCESS_LEVEL = s__('ProjectSettings|Everyone');
 
 export default {
   components: {
@@ -207,7 +206,10 @@ export default {
 <template>
   <div>
     <div class="project-visibility-setting">
-      <project-setting-row :help-path="visibilityHelpPath" label="Project visibility">
+      <project-setting-row
+        :help-path="visibilityHelpPath"
+        :label="s__('ProjectSettings|Project visibility')"
+      >
         <div class="project-feature-controls">
           <div class="select-wrapper">
             <select
@@ -220,17 +222,17 @@ export default {
               <option
                 :value="visibilityOptions.PRIVATE"
                 :disabled="!visibilityAllowed(visibilityOptions.PRIVATE)"
-                >{{ __('Private') }}</option
+                >{{ s__('ProjectSettings|Private') }}</option
               >
               <option
                 :value="visibilityOptions.INTERNAL"
                 :disabled="!visibilityAllowed(visibilityOptions.INTERNAL)"
-                >{{ __('Internal') }}</option
+                >{{ s__('ProjectSettings|Internal') }}</option
               >
               <option
                 :value="visibilityOptions.PUBLIC"
                 :disabled="!visibilityAllowed(visibilityOptions.PUBLIC)"
-                >{{ __('Public') }}</option
+                >{{ s__('ProjectSettings|Public') }}</option
               >
             </select>
             <i aria-hidden="true" data-hidden="true" class="fa fa-chevron-down"></i>
@@ -243,14 +245,15 @@ export default {
             type="hidden"
             name="project[request_access_enabled]"
           />
-          <input v-model="requestAccessEnabled" type="checkbox" /> Allow users to request access
+          <input v-model="requestAccessEnabled" type="checkbox" />
+          {{ s__('ProjectSettings|Allow users to request access') }}
         </label>
       </project-setting-row>
     </div>
     <div :class="{ 'highlight-changes': highlightChangesClass }" class="project-feature-settings">
       <project-setting-row
-        label="Issues"
-        help-text="Lightweight issue tracking system for this project"
+        :label="s__('ProjectSettings|Issues')"
+        :help-text="s__('ProjectSettings|Lightweight issue tracking system for this project')"
       >
         <project-feature-setting
           v-model="issuesAccessLevel"
@@ -258,7 +261,10 @@ export default {
           name="project[project_feature_attributes][issues_access_level]"
         />
       </project-setting-row>
-      <project-setting-row label="Repository" help-text="View and edit files in this project">
+      <project-setting-row
+        :label="s__('ProjectSettings|Repository')"
+        :help-text="s__('ProjectSettings|View and edit files in this project')"
+      >
         <project-feature-setting
           v-model="repositoryAccessLevel"
           :options="featureAccessLevelOptions"
@@ -267,8 +273,8 @@ export default {
       </project-setting-row>
       <div class="project-feature-setting-group">
         <project-setting-row
-          label="Merge requests"
-          help-text="Submit changes to be merged upstream"
+          :label="s__('ProjectSettings|Merge requests')"
+          :help-text="s__('ProjectSettings|Submit changes to be merged upstream')"
         >
           <project-feature-setting
             v-model="mergeRequestsAccessLevel"
@@ -277,7 +283,10 @@ export default {
             name="project[project_feature_attributes][merge_requests_access_level]"
           />
         </project-setting-row>
-        <project-setting-row label="Pipelines" help-text="Build, test, and deploy your changes">
+        <project-setting-row
+          :label="s__('ProjectSettings|Pipelines')"
+          :help-text="s__('ProjectSettings|Build, test, and deploy your changes')"
+        >
           <project-feature-setting
             v-model="buildsAccessLevel"
             :options="repoFeatureAccessLevelOptions"
@@ -288,11 +297,17 @@ export default {
         <project-setting-row
           v-if="registryAvailable"
           :help-path="registryHelpPath"
-          label="Container registry"
-          help-text="Every project can have its own space to store its Docker images"
+          :label="s__('ProjectSettings|Container registry')"
+          :help-text="
+            s__('ProjectSettings|Every project can have its own space to store its Docker images')
+          "
         >
           <div v-if="showContainerRegistryPublicNote" class="text-muted">
-            {{ __('Note: the container registry is always visible when a project is public') }}
+            {{
+              s__(
+                'ProjectSettings|Note: the container registry is always visible when a project is public',
+              )
+            }}
           </div>
           <project-feature-toggle
             v-model="containerRegistryEnabled"
@@ -303,8 +318,10 @@ export default {
         <project-setting-row
           v-if="lfsAvailable"
           :help-path="lfsHelpPath"
-          label="Git Large File Storage"
-          help-text="Manages large files such as audio, video, and graphics files"
+          :label="s__('ProjectSettings|Git Large File Storage')"
+          :help-text="
+            s__('ProjectSettings|Manages large files such as audio, video, and graphics files')
+          "
         >
           <project-feature-toggle
             v-model="lfsEnabled"
@@ -315,8 +332,10 @@ export default {
         <project-setting-row
           v-if="packagesAvailable"
           :help-path="packagesHelpPath"
-          label="Packages"
-          help-text="Every project can have its own space to store its packages"
+          :label="s__('ProjectSettings|Packages')"
+          :help-text="
+            s__('ProjectSettings|Every project can have its own space to store its packages')
+          "
         >
           <project-feature-toggle
             v-model="packagesEnabled"
@@ -325,7 +344,10 @@ export default {
           />
         </project-setting-row>
       </div>
-      <project-setting-row label="Wiki" help-text="Pages for project documentation">
+      <project-setting-row
+        :label="s__('ProjectSettings|Wiki')"
+        :help-text="s__('ProjectSettings|Pages for project documentation')"
+      >
         <project-feature-setting
           v-model="wikiAccessLevel"
           :options="featureAccessLevelOptions"
@@ -333,8 +355,8 @@ export default {
         />
       </project-setting-row>
       <project-setting-row
-        label="Snippets"
-        help-text="Share code pastes with others out of Git repository"
+        :label="s__('ProjectSettings|Snippets')"
+        :help-text="s__('ProjectSettings|Share code pastes with others out of Git repository')"
       >
         <project-feature-setting
           v-model="snippetsAccessLevel"
@@ -346,7 +368,9 @@ export default {
         v-if="pagesAvailable && pagesAccessControlEnabled"
         :help-path="pagesHelpPath"
         :label="s__('ProjectSettings|Pages')"
-        :help-text="__('With GitLab Pages you can host your static websites on GitLab')"
+        :help-text="
+          s__('ProjectSettings|With GitLab Pages you can host your static websites on GitLab')
+        "
       >
         <project-feature-setting
           v-model="pagesAccessLevel"
@@ -358,10 +382,13 @@ export default {
     <project-setting-row v-if="canDisableEmails" class="mb-3">
       <label class="js-emails-disabled">
         <input :value="emailsDisabled" type="hidden" name="project[emails_disabled]" />
-        <input v-model="emailsDisabled" type="checkbox" /> {{ __('Disable email notifications') }}
+        <input v-model="emailsDisabled" type="checkbox" />
+        {{ s__('ProjectSettings|Disable email notifications') }}
       </label>
       <span class="form-text text-muted">{{
-        __('This setting will override user notification preferences for all project members.')
+        s__(
+          'ProjectSettings|This setting will override user notification preferences for all project members.',
+        )
       }}</span>
     </project-setting-row>
   </div>

app/assets/javascripts/repository/components/table/row.vue

@@ -97,11 +97,13 @@ export default {
     },
   },
   methods: {
-    openRow() {
-      if (this.isFolder) {
+    openRow(e) {
+      if (e.target.tagName === 'A') return;
+
+      if (this.isFolder && !e.metaKey) {
         this.$router.push(this.routerLinkTo);
       } else {
-        visitUrl(this.url);
+        visitUrl(this.url, e.metaKey);
       }
     },
   },

app/controllers/groups/group_links_controller.rb

+# frozen_string_literal: true
+
+class Groups::GroupLinksController < Groups::ApplicationController
+  before_action :check_feature_flag!
+  before_action :authorize_admin_group!
+
+  def create
+    shared_with_group = Group.find(params[:shared_with_group_id]) if params[:shared_with_group_id].present?
+
+    if shared_with_group
+      result = Groups::GroupLinks::CreateService
+                 .new(shared_with_group, current_user, group_link_create_params)
+                 .execute(group)
+
+      return render_404 if result[:http_status] == 404
+
+      flash[:alert] = result[:message] if result[:status] == :error
+    else
+      flash[:alert] = _('Please select a group.')
+    end
+
+    redirect_to group_group_members_path(group)
+  end
+
+  private
+
+  def group_link_create_params
+    params.permit(:shared_group_access, :expires_at)
+  end
+
+  def check_feature_flag!
+    render_404 unless Feature.enabled?(:share_group_with_group)
+  end
+end

app/models/concerns/worker_attributes.rb

@@ -3,6 +3,10 @@
 module WorkerAttributes
   extend ActiveSupport::Concern
 
+  # Resource boundaries that workers can declare through the
+  # `worker_resource_boundary` attribute
+  VALID_RESOURCE_BOUNDARIES = [:memory, :cpu, :unknown].freeze
+
   class_methods do
     def feature_category(value)
       raise "Invalid category. Use `feature_category_not_owned!` to mark a worker as not owned" if value == :not_owned
@@ -24,6 +28,48 @@ module WorkerAttributes
       get_worker_attribute(:feature_category) == :not_owned
     end
 
+    # This should be set for jobs that need to be run immediately, or, if
+    # they are delayed, risk creating inconsistencies in the application
+    # that could being perceived by the user as incorrect behavior
+    # (ie, a bug)
+    # See doc/development/sidekiq_style_guide.md#Latency-Sensitive-Jobs
+    # for details
+    def latency_sensitive_worker!
+      worker_attributes[:latency_sensitive] = true
+    end
+
+    # Returns a truthy value if the worker is latency sensitive.
+    # See doc/development/sidekiq_style_guide.md#Latency-Sensitive-Jobs
+    # for details
+    def latency_sensitive_worker?
+      worker_attributes[:latency_sensitive]
+    end
+
+    # Set this attribute on a job when it will call to services outside of the
+    # application, such as 3rd party applications, other k8s clusters etc See
+    # doc/development/sidekiq_style_guide.md#Jobs-with-External-Dependencies for
+    # details
+    def worker_has_external_dependencies!
+      worker_attributes[:external_dependencies] = true
+    end
+
+    # Returns a truthy value if the worker has external dependencies.
+    # See doc/development/sidekiq_style_guide.md#Jobs-with-External-Dependencies
+    # for details
+    def worker_has_external_dependencies?
+      worker_attributes[:external_dependencies]
+    end
+
+    def worker_resource_boundary(boundary)
+      raise "Invalid boundary" unless VALID_RESOURCE_BOUNDARIES.include? boundary
+
+      worker_attributes[:resource_boundary] = boundary
+    end
+
+    def get_worker_resource_boundary
+      worker_attributes[:resource_boundary] || :unknown
+    end
+
     protected
 
     # Returns a worker attribute declared on this class or its parent class.

app/models/group.rb

@@ -30,6 +30,10 @@ class Group < Namespace
   has_many :members_and_requesters, as: :source, class_name: 'GroupMember'
 
   has_many :milestones
+  has_many :shared_group_links, foreign_key: :shared_with_group_id, class_name: 'GroupGroupLink'
+  has_many :shared_with_group_links, foreign_key: :shared_group_id, class_name: 'GroupGroupLink'
+  has_many :shared_groups, through: :shared_group_links, source: :shared_group
+  has_many :shared_with_groups, through: :shared_with_group_links, source: :shared_with_group
   has_many :project_group_links, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
   has_many :shared_projects, through: :project_group_links, source: :project
 
@@ -376,11 +380,12 @@ class Group < Namespace
 
     return GroupMember::OWNER if user.admin?
 
-    members_with_parents
-      .where(user_id: user)
-      .reorder(access_level: :desc)
-      .first&.
-      access_level || GroupMember::NO_ACCESS
+    max_member_access = members_with_parents.where(user_id: user)
+                                            .reorder(access_level: :desc)
+                                            .first
+                                            &.access_level
+
+    max_member_access || max_member_access_for_user_from_shared_groups(user) || GroupMember::NO_ACCESS
   end
 
   def mattermost_team_params
@@ -474,6 +479,26 @@ class Group < Namespace
     errors.add(:visibility_level, "#{visibility} is not allowed since there are sub-groups with higher visibility.")
   end
 
+  def max_member_access_for_user_from_shared_groups(user)
+    return unless Feature.enabled?(:share_group_with_group)
+
+    group_group_link_table = GroupGroupLink.arel_table
+    group_member_table = GroupMember.arel_table
+
+    group_group_links_query = GroupGroupLink.where(shared_group_id: self_and_ancestors_ids)
+    cte = Gitlab::SQL::CTE.new(:group_group_links_cte, group_group_links_query)
+
+    link = GroupGroupLink
+             .with(cte.to_arel)
+             .from([group_member_table, cte.alias_to(group_group_link_table)])
+             .where(group_member_table[:user_id].eq(user.id))
+             .where(group_member_table[:source_id].eq(group_group_link_table[:shared_with_group_id]))
+             .reorder(Arel::Nodes::Descending.new(group_group_link_table[:group_access]))
+             .first
+
+    link&.group_access
+  end
+
   def self.groups_including_descendants_by(group_ids)
     Gitlab::ObjectHierarchy
       .new(Group.where(id: group_ids))

app/models/group_group_link.rb

+# frozen_string_literal: true
+
+class GroupGroupLink < ApplicationRecord
+  include Expirable
+
+  belongs_to :shared_group, class_name: 'Group', foreign_key: :shared_group_id
+  belongs_to :shared_with_group, class_name: 'Group', foreign_key: :shared_with_group_id
+
+  validates :shared_group, presence: true
+  validates :shared_group_id, uniqueness: { scope: [:shared_with_group_id],
+                                            message: _('The group has already been shared with this group') }
+  validates :shared_with_group, presence: true
+  validates :group_access, inclusion: { in: Gitlab::Access.values },
+                           presence: true
+
+  def self.access_options
+    Gitlab::Access.options
+  end
+
+  def self.default_access
+    Gitlab::Access::DEVELOPER
+  end
+end

app/services/groups/group_links/create_service.rb

+# frozen_string_literal: true
+
+module Groups
+  module GroupLinks
+    class CreateService < BaseService
+      def execute(shared_group)
+        unless group && shared_group &&
+               can?(current_user, :admin_group, shared_group) &&
+               can?(current_user, :read_group, group)
+          return error('Not Found', 404)
+        end
+
+        link = GroupGroupLink.new(
+          shared_group: shared_group,
+          shared_with_group: group,
+          group_access: params[:shared_group_access],
+          expires_at: params[:expires_at]
+        )
+
+        if link.save
+          group.refresh_members_authorized_projects
+          success(link: link)
+        else
+          error(link.errors.full_messages.to_sentence, 409)
+        end
+      end
+    end
+  end
+end

app/views/ci/variables/_header.html.haml

@@ -7,5 +7,5 @@
 %button.btn.btn-default.js-settings-toggle{ type: 'button' }
   = expanded ? _('Collapse') : _('Expand')
 
-%p.append-bottom-0
+%p
   = render "ci/variables/content"

app/workers/authorized_projects_worker.rb

@@ -5,6 +5,7 @@ class AuthorizedProjectsWorker
   prepend WaitableWorker
 
   feature_category :authentication_and_authorization
+  latency_sensitive_worker!
 
   # This is a workaround for a Ruby 2.3.7 bug. rspec-mocks cannot restore the
   # visibility of prepended modules. See https://github.com/rspec/rspec-mocks/issues/1231

app/workers/build_finished_worker.rb

@@ -5,6 +5,8 @@ class BuildFinishedWorker
   include PipelineQueue
 
   queue_namespace :pipeline_processing
+  latency_sensitive_worker!
+  worker_resource_boundary :cpu
 
   # rubocop: disable CodeReuse/ActiveRecord
   def perform(build_id)

app/workers/build_hooks_worker.rb

@@ -6,6 +6,7 @@ class BuildHooksWorker
 
   queue_namespace :pipeline_hooks
   feature_category :continuous_integration
+  latency_sensitive_worker!
 
   # rubocop: disable CodeReuse/ActiveRecord
   def perform(build_id)

app/workers/build_queue_worker.rb

@@ -6,6 +6,8 @@ class BuildQueueWorker
 
   queue_namespace :pipeline_processing
   feature_category :continuous_integration
+  latency_sensitive_worker!
+  worker_resource_boundary :cpu
 
   # rubocop: disable CodeReuse/ActiveRecord
   def perform(build_id)

app/workers/build_success_worker.rb

@@ -5,6 +5,7 @@ class BuildSuccessWorker
   include PipelineQueue
 
   queue_namespace :pipeline_processing
+  latency_sensitive_worker!
 
   # rubocop: disable CodeReuse/ActiveRecord
   def perform(build_id)

app/workers/chat_notification_worker.rb

@@ -4,6 +4,11 @@ class ChatNotificationWorker
   include ApplicationWorker
 
   feature_category :chatops
+  latency_sensitive_worker!
+  # TODO: break this into multiple jobs
+  # as the `responder` uses external dependencies
+  # See https://gitlab.com/gitlab-com/gl-infra/scalability/issues/34
+  # worker_has_external_dependencies!
 
   RESCHEDULE_INTERVAL = 2.seconds
 

app/workers/ci/build_schedule_worker.rb

@@ -7,6 +7,7 @@ module Ci
 
     queue_namespace :pipeline_processing
     feature_category :continuous_integration
+    worker_resource_boundary :cpu
 
     def perform(build_id)
       ::Ci::Build.find_by_id(build_id).try do |build|

app/workers/cluster_install_app_worker.rb

@@ -5,6 +5,8 @@ class ClusterInstallAppWorker
   include ClusterQueue
   include ClusterApplications
 
+  worker_has_external_dependencies!
+
   def perform(app_name, app_id)
     find_application(app_name, app_id) do |app|
       Clusters::Applications::InstallService.new(app).execute

app/workers/cluster_patch_app_worker.rb

@@ -5,6 +5,8 @@ class ClusterPatchAppWorker
   include ClusterQueue
   include ClusterApplications
 
+  worker_has_external_dependencies!
+
   def perform(app_name, app_id)
     find_application(app_name, app_id) do |app|
       Clusters::Applications::PatchService.new(app).execute

app/workers/cluster_project_configure_worker.rb

@@ -4,6 +4,8 @@ class ClusterProjectConfigureWorker
   include ApplicationWorker
   include ClusterQueue
 
+  worker_has_external_dependencies!
+
   def perform(project_id)
     # Scheduled for removal in https://gitlab.com/gitlab-org/gitlab-foss/issues/59319
   end

app/workers/cluster_provision_worker.rb

@@ -4,6 +4,8 @@ class ClusterProvisionWorker
   include ApplicationWorker
   include ClusterQueue
 
+  worker_has_external_dependencies!
+
   def perform(cluster_id)
     Clusters::Cluster.find_by_id(cluster_id).try do |cluster|
       cluster.provider.try do |provider|

app/workers/cluster_upgrade_app_worker.rb

@@ -5,6 +5,8 @@ class ClusterUpgradeAppWorker
   include ClusterQueue
   include ClusterApplications
 
+  worker_has_external_dependencies!
+
   def perform(app_name, app_id)
     find_application(app_name, app_id) do |app|
       Clusters::Applications::UpgradeService.new(app).execute

app/workers/cluster_wait_for_app_installation_worker.rb

@@ -8,6 +8,9 @@ class ClusterWaitForAppInstallationWorker
   INTERVAL = 10.seconds
   TIMEOUT = 20.minutes
 
+  worker_has_external_dependencies!
+  worker_resource_boundary :cpu
+
   def perform(app_name, app_id)
     find_application(app_name, app_id) do |app|
       Clusters::Applications::CheckInstallationProgressService.new(app).execute

app/workers/cluster_wait_for_ingress_ip_address_worker.rb

@@ -5,6 +5,8 @@ class ClusterWaitForIngressIpAddressWorker
   include ClusterQueue
   include ClusterApplications
 
+  worker_has_external_dependencies!
+
   def perform(app_name, app_id)
     find_application(app_name, app_id) do |app|
       Clusters::Applications::CheckIngressIpAddressService.new(app).execute

app/workers/clusters/applications/uninstall_worker.rb

@@ -7,6 +7,8 @@ module Clusters
       include ClusterQueue
       include ClusterApplications
 
+      worker_has_external_dependencies!
+
       def perform(app_name, app_id)
         find_application(app_name, app_id) do |app|
           Clusters::Applications::UninstallService.new(app).execute

app/workers/clusters/applications/wait_for_uninstall_app_worker.rb

@@ -10,6 +10,9 @@ module Clusters
       INTERVAL = 10.seconds
       TIMEOUT = 20.minutes
 
+      worker_has_external_dependencies!
+      worker_resource_boundary :cpu
+
       def perform(app_name, app_id)
         find_application(app_name, app_id) do |app|
           Clusters::Applications::CheckUninstallProgressService.new(app).execute

app/workers/concerns/gitlab/github_import/object_importer.rb

@@ -14,6 +14,7 @@ module Gitlab
         include NotifyUponDeath
 
         feature_category :importers
+        worker_has_external_dependencies!
       end
 
       # project - An instance of `Project` to import the data into.

app/workers/create_pipeline_worker.rb

@@ -6,6 +6,8 @@ class CreatePipelineWorker
 
   queue_namespace :pipeline_creation
   feature_category :continuous_integration
+  latency_sensitive_worker!
+  worker_resource_boundary :cpu
 
   def perform(project_id, user_id, ref, source, params = {})
     project = Project.find(project_id)

app/workers/deployments/finished_worker.rb

@@ -6,6 +6,7 @@ module Deployments
 
     queue_namespace :deployment
     feature_category :continuous_delivery
+    worker_resource_boundary :cpu
 
     def perform(deployment_id)
       Deployment.find_by_id(deployment_id).try(:execute_hooks)

app/workers/deployments/success_worker.rb

@@ -6,6 +6,7 @@ module Deployments
 
     queue_namespace :deployment
     feature_category :continuous_delivery
+    worker_resource_boundary :cpu
 
     def perform(deployment_id)
       Deployment.find_by_id(deployment_id).try do |deployment|

app/workers/email_receiver_worker.rb

@@ -4,6 +4,7 @@ class EmailReceiverWorker
   include ApplicationWorker
 
   feature_category :issue_tracking
+  latency_sensitive_worker!
 
   def perform(raw)
     return unless Gitlab::IncomingEmail.enabled?

app/workers/emails_on_push_worker.rb

@@ -6,6 +6,8 @@ class EmailsOnPushWorker
   attr_reader :email, :skip_premailer
 
   feature_category :source_code_management
+  latency_sensitive_worker!
+  worker_resource_boundary :cpu
 
   def perform(project_id, recipients, push_data, options = {})
     options.symbolize_keys!

app/workers/expire_job_cache_worker.rb

@@ -5,6 +5,7 @@ class ExpireJobCacheWorker
   include PipelineQueue
 
   queue_namespace :pipeline_cache
+  latency_sensitive_worker!
 
   # rubocop: disable CodeReuse/ActiveRecord
   def perform(job_id)

app/workers/expire_pipeline_cache_worker.rb

@@ -5,6 +5,8 @@ class ExpirePipelineCacheWorker
   include PipelineQueue
 
   queue_namespace :pipeline_cache
+  latency_sensitive_worker!
+  worker_resource_boundary :cpu
 
   # rubocop: disable CodeReuse/ActiveRecord
   def perform(pipeline_id)

app/workers/gitlab_shell_worker.rb

@@ -5,6 +5,7 @@ class GitlabShellWorker
   include Gitlab::ShellAdapter
 
   feature_category :source_code_management
+  latency_sensitive_worker!
 
   def perform(action, *arg)
     gitlab_shell.__send__(action, *arg) # rubocop:disable GitlabSecurity/PublicSend

app/workers/import_issues_csv_worker.rb

@@ -4,6 +4,7 @@ class ImportIssuesCsvWorker
   include ApplicationWorker
 
   feature_category :issue_tracking
+  worker_resource_boundary :cpu
 
   sidekiq_retries_exhausted do |job|
     Upload.find(job['args'][2]).destroy

app/workers/mail_scheduler/notification_service_worker.rb

@@ -8,6 +8,7 @@ module MailScheduler
     include MailSchedulerQueue
 
     feature_category :issue_tracking
+    worker_resource_boundary :cpu
 
     def perform(meth, *args)
       check_arguments!(args)

app/workers/merge_worker.rb

@@ -4,6 +4,7 @@ class MergeWorker
   include ApplicationWorker
 
   feature_category :source_code_management
+  latency_sensitive_worker!
 
   def perform(merge_request_id, current_user_id, params)
     params = params.with_indifferent_access

app/workers/namespaces/prune_aggregation_schedules_worker.rb

@@ -6,6 +6,7 @@ module Namespaces
     include CronjobQueue
 
     feature_category :source_code_management
+    worker_resource_boundary :cpu
 
     # Worker to prune pending rows on Namespace::AggregationSchedule
     # It's scheduled to run once a day at 1:05am.

app/workers/new_issue_worker.rb

@@ -5,6 +5,8 @@ class NewIssueWorker
   include NewIssuable
 
   feature_category :issue_tracking
+  latency_sensitive_worker!
+  worker_resource_boundary :cpu
 
   def perform(issue_id, user_id)
     return unless objects_found?(issue_id, user_id)

app/workers/new_merge_request_worker.rb

@@ -5,6 +5,8 @@ class NewMergeRequestWorker
   include NewIssuable
 
   feature_category :source_code_management
+  latency_sensitive_worker!
+  worker_resource_boundary :cpu
 
   def perform(merge_request_id, user_id)
     return unless objects_found?(merge_request_id, user_id)

app/workers/new_note_worker.rb

@@ -4,6 +4,8 @@ class NewNoteWorker
   include ApplicationWorker
 
   feature_category :issue_tracking
+  latency_sensitive_worker!
+  worker_resource_boundary :cpu
 
   # Keep extra parameter to preserve backwards compatibility with
   # old `NewNoteWorker` jobs (can remove later)

app/workers/object_pool/join_worker.rb

@@ -5,6 +5,8 @@ module ObjectPool
     include ApplicationWorker
     include ObjectPoolQueue
 
+    worker_resource_boundary :cpu
+
     # The use of pool id is deprecated. Keeping the argument allows old jobs to
     # still be performed.
     def perform(_pool_id, project_id)

app/workers/pages_domain_removal_cron_worker.rb

@@ -5,6 +5,7 @@ class PagesDomainRemovalCronWorker
   include CronjobQueue
 
   feature_category :pages
+  worker_resource_boundary :cpu
 
   def perform
     PagesDomain.for_removal.find_each do |domain|

app/workers/pipeline_hooks_worker.rb

@@ -5,6 +5,8 @@ class PipelineHooksWorker
   include PipelineQueue
 
   queue_namespace :pipeline_hooks
+  latency_sensitive_worker!
+  worker_resource_boundary :cpu
 
   # rubocop: disable CodeReuse/ActiveRecord
   def perform(pipeline_id)

app/workers/pipeline_metrics_worker.rb

@@ -4,6 +4,8 @@ class PipelineMetricsWorker
   include ApplicationWorker
   include PipelineQueue
 
+  latency_sensitive_worker!
+
   # rubocop: disable CodeReuse/ActiveRecord
   def perform(pipeline_id)
     Ci::Pipeline.find_by(id: pipeline_id).try do |pipeline|

app/workers/pipeline_notification_worker.rb

@@ -4,6 +4,9 @@ class PipelineNotificationWorker
   include ApplicationWorker
   include PipelineQueue
 
+  latency_sensitive_worker!
+  worker_resource_boundary :cpu
+
   # rubocop: disable CodeReuse/ActiveRecord
   def perform(pipeline_id, recipients = nil)
     pipeline = Ci::Pipeline.find_by(id: pipeline_id)

app/workers/pipeline_process_worker.rb

@@ -6,6 +6,7 @@ class PipelineProcessWorker
 
   queue_namespace :pipeline_processing
   feature_category :continuous_integration
+  latency_sensitive_worker!
 
   # rubocop: disable CodeReuse/ActiveRecord
   def perform(pipeline_id, build_ids = nil)

app/workers/pipeline_schedule_worker.rb

@@ -5,6 +5,7 @@ class PipelineScheduleWorker
   include CronjobQueue
 
   feature_category :continuous_integration
+  worker_resource_boundary :cpu
 
   def perform
     Ci::PipelineSchedule.runnable_schedules.preloaded.find_in_batches do |schedules|

app/workers/pipeline_success_worker.rb

@@ -5,6 +5,7 @@ class PipelineSuccessWorker
   include PipelineQueue
 
   queue_namespace :pipeline_processing
+  latency_sensitive_worker!
 
   def perform(pipeline_id)
     # no-op

app/workers/pipeline_update_worker.rb

@@ -5,6 +5,7 @@ class PipelineUpdateWorker
   include PipelineQueue
 
   queue_namespace :pipeline_processing
+  latency_sensitive_worker!
 
   # rubocop: disable CodeReuse/ActiveRecord
   def perform(pipeline_id)

app/workers/post_receive.rb

@@ -4,6 +4,8 @@ class PostReceive
   include ApplicationWorker
 
   feature_category :source_code_management
+  latency_sensitive_worker!
+  worker_resource_boundary :cpu
 
   def perform(gl_repository, identifier, changes, push_options = {})
     project, repo_type = Gitlab::GlRepository.parse(gl_repository)

app/workers/process_commit_worker.rb

@@ -11,6 +11,7 @@ class ProcessCommitWorker
   include ApplicationWorker
 
   feature_category :source_code_management
+  latency_sensitive_worker!
 
   # project_id - The ID of the project this commit belongs to.
   # user_id - The ID of the user that pushed the commit.

app/workers/project_cache_worker.rb

@@ -3,6 +3,9 @@
 # Worker for updating any project specific caches.
 class ProjectCacheWorker
   include ApplicationWorker
+
+  latency_sensitive_worker!
+
   LEASE_TIMEOUT = 15.minutes.to_i
 
   feature_category :source_code_management

app/workers/project_export_worker.rb

@@ -6,6 +6,7 @@ class ProjectExportWorker
 
   sidekiq_options retry: 3
   feature_category :source_code_management
+  worker_resource_boundary :memory
 
   def perform(current_user_id, project_id, after_export_strategy = {}, params = {})
     current_user = User.find(current_user_id)

app/workers/project_service_worker.rb

@@ -5,6 +5,7 @@ class ProjectServiceWorker
 
   sidekiq_options dead: false
   feature_category :integrations
+  worker_has_external_dependencies!
 
   def perform(hook_id, data)
     data = data.with_indifferent_access

app/workers/reactive_caching_worker.rb

@@ -5,6 +5,14 @@ class ReactiveCachingWorker
 
   feature_category_not_owned!
 
+  # TODO: The reactive caching worker should be split into
+  # two different workers, one for latency_sensitive jobs without external dependencies
+  # and another worker without latency_sensitivity, but with external dependencies
+  # https://gitlab.com/gitlab-com/gl-infra/scalability/issues/34
+  # This worker should also have `worker_has_external_dependencies!` enabled
+  latency_sensitive_worker!
+  worker_resource_boundary :cpu
+
   def perform(class_name, id, *args)
     klass = begin
       class_name.constantize

app/workers/remove_expired_members_worker.rb

@@ -5,6 +5,7 @@ class RemoveExpiredMembersWorker
   include CronjobQueue
 
   feature_category :authentication_and_authorization
+  worker_resource_boundary :cpu
 
   def perform
     Member.expired.find_each do |member|

app/workers/repository_import_worker.rb

@@ -7,6 +7,7 @@ class RepositoryImportWorker
   include ProjectImportOptions
 
   feature_category :importers
+  worker_has_external_dependencies!
 
   # technical debt: https://gitlab.com/gitlab-org/gitlab/issues/33991
   sidekiq_options memory_killer_memory_growth_kb: ENV.fetch('MEMORY_KILLER_REPOSITORY_IMPORT_WORKER_MEMORY_GROWTH_KB', 50).to_i

app/workers/repository_update_remote_mirror_worker.rb

@@ -6,6 +6,8 @@ class RepositoryUpdateRemoteMirrorWorker
   include ApplicationWorker
   include Gitlab::ExclusiveLeaseHelpers
 
+  worker_has_external_dependencies!
+
   sidekiq_options retry: 3, dead: false
   feature_category :source_code_management
 

app/workers/stage_update_worker.rb

@@ -5,6 +5,7 @@ class StageUpdateWorker
   include PipelineQueue
 
   queue_namespace :pipeline_processing
+  latency_sensitive_worker!
 
   # rubocop: disable CodeReuse/ActiveRecord
   def perform(stage_id)

app/workers/stuck_ci_jobs_worker.rb

@@ -5,6 +5,7 @@ class StuckCiJobsWorker
   include CronjobQueue
 
   feature_category :continuous_integration
+  worker_resource_boundary :cpu
 
   EXCLUSIVE_LEASE_KEY = 'stuck_ci_builds_worker_lease'
 

app/workers/stuck_import_jobs_worker.rb

@@ -5,6 +5,7 @@ class StuckImportJobsWorker
   include CronjobQueue
 
   feature_category :importers
+  worker_resource_boundary :cpu
 
   IMPORT_JOBS_EXPIRATION = 15.hours.to_i
 

app/workers/update_head_pipeline_for_merge_request_worker.rb

@@ -6,6 +6,8 @@ class UpdateHeadPipelineForMergeRequestWorker
 
   queue_namespace :pipeline_processing
   feature_category :continuous_integration
+  latency_sensitive_worker!
+  worker_resource_boundary :cpu
 
   def perform(merge_request_id)
     MergeRequest.find_by_id(merge_request_id).try do |merge_request|

app/workers/update_merge_requests_worker.rb

@@ -4,6 +4,8 @@ class UpdateMergeRequestsWorker
   include ApplicationWorker
 
   feature_category :source_code_management
+  latency_sensitive_worker!
+  worker_resource_boundary :cpu
 
   LOG_TIME_THRESHOLD = 90 # seconds
 

app/workers/wait_for_cluster_creation_worker.rb

@@ -4,6 +4,8 @@ class WaitForClusterCreationWorker
   include ApplicationWorker
   include ClusterQueue
 
+  worker_has_external_dependencies!
+
   def perform(cluster_id)
     Clusters::Cluster.find_by_id(cluster_id).try do |cluster|
       cluster.provider.try do |provider|

app/workers/web_hook_worker.rb

@@ -4,6 +4,8 @@ class WebHookWorker
   include ApplicationWorker
 
   feature_category :integrations
+  worker_has_external_dependencies!
+
   sidekiq_options retry: 4, dead: false
 
   def perform(hook_id, data, hook_name)

changelogs/unreleased/32935-preventing-accidental-project-deletion-db-changes.yml

+---
+title: Add migrations and changes for soft-delete for projects
+merge_request: 18791
+author:
+type: added

changelogs/unreleased/33054-share_groups_with_groups.yml

+---
+title: Share groups with groups
+merge_request: 17117
+author:
+type: added

changelogs/unreleased/5366-display-anomaly-deviation-boundaries-on-dashboard-ce.yml

+---
+title: Added new chart component to display an anomaly boundary
+merge_request: 16530
+author:
+type: added

changelogs/unreleased/add-missing-bottom-padding-in-settings.yml

+---
+title: Add missing bottom padding in CI/CD settings
+merge_request: 19284
+author: George Tsiolis
+type: fixed

changelogs/unreleased/an-mark-jobs-as-latency-sensitive.yml

+---
+title: Attribute Sidekiq workers according to their workloads
+merge_request: 18066
+author:
+type: other

changelogs/unreleased/security-open-redirect-internalredirect.yml → changelogs/unreleased/security-remove-deploy-access-levels-on-project-group-link-deletion.yml

 ---
-title: Fixes a Open Redirect issue in `InternalRedirect`.
+title: Remove deploy access level when project/group link is deleted
 merge_request:
 author:
 type: security

config/routes/group.rb

@@ -62,6 +62,8 @@ constraints(::Constraints::GroupUrlConstrainer.new) do
       delete :leave, on: :collection
     end
 
+    resources :group_links, only: [:index, :create, :update, :destroy], constraints: { id: /\d+/ }
+
     resources :uploads, only: [:create] do
       collection do
         get ":secret/:filename", action: :show, as: :show, constraints: { filename: %r{[^/]+} }

db/migrate/20180902070406_create_group_group_links.rb

+# frozen_string_literal: true
+
+class CreateGroupGroupLinks < ActiveRecord::Migration[5.2]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  def up
+    create_table :group_group_links do |t|
+      t.timestamps_with_timezone null: false
+
+      t.references :shared_group, null: false,
+                                  index: false,
+                                  foreign_key: { on_delete: :cascade,
+                                                 to_table: :namespaces }
+      t.references :shared_with_group, null: false,
+                                       foreign_key: { on_delete: :cascade,
+                                                      to_table: :namespaces }
+      t.date :expires_at
+      t.index [:shared_group_id, :shared_with_group_id],
+              { unique: true,
+                name: 'index_group_group_links_on_shared_group_and_shared_with_group' }
+      t.integer :group_access, { limit: 2,
+                                 default: 30, # Gitlab::Access::DEVELOPER
+                                 null: false }
+    end
+  end
+
+  def down
+    drop_table :group_group_links
+  end
+end

db/migrate/20191003161031_add_mark_for_deletion_to_projects.rb

+# frozen_string_literal: true
+
+class AddMarkForDeletionToProjects < ActiveRecord::Migration[5.2]
+  # Set this constant to true if this migration requires downtime.
+  DOWNTIME = false
+
+  def change
+    add_column :projects, :marked_for_deletion_at, :date
+    add_column :projects, :marked_for_deletion_by_user_id, :integer
+  end
+end

db/migrate/20191003161032_add_mark_for_deletion_indexes_to_projects.rb

+# frozen_string_literal: true
+
+class AddMarkForDeletionIndexesToProjects < ActiveRecord::Migration[5.2]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_concurrent_foreign_key :projects, :users, column: :marked_for_deletion_by_user_id, on_delete: :nullify
+    add_concurrent_index :projects, :marked_for_deletion_by_user_id, where: 'marked_for_deletion_by_user_id IS NOT NULL'
+  end
+
+  def down
+    remove_foreign_key_if_exists :projects, column: :marked_for_deletion_by_user_id
+    remove_concurrent_index :projects, :marked_for_deletion_by_user_id
+  end
+end

db/migrate/20191011084019_add_project_deletion_adjourned_period_to_application_settings.rb

+# frozen_string_literal: true
+
+class AddProjectDeletionAdjournedPeriodToApplicationSettings < ActiveRecord::Migration[5.2]
+  DOWNTIME = false
+
+  DEFAULT_NUMBER_OF_DAYS_BEFORE_REMOVAL = 7
+
+  def change
+    add_column :application_settings, :deletion_adjourned_period, :integer, default: DEFAULT_NUMBER_OF_DAYS_BEFORE_REMOVAL, null: false
+  end
+end

db/post_migrate/20190926180443_schedule_epic_issues_after_epics_move.rb

+# frozen_string_literal: true
+
+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class ScheduleEpicIssuesAfterEpicsMove < ActiveRecord::Migration[5.2]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+  INTERVAL = 5.minutes.to_i
+  BATCH_SIZE = 100
+  MIGRATION = 'MoveEpicIssuesAfterEpics'
+
+  disable_ddl_transaction!
+
+  class Epic < ActiveRecord::Base
+    self.table_name = 'epics'
+
+    include ::EachBatch
+  end
+
+  def up
+    return unless ::Gitlab.ee?
+
+    Epic.each_batch(of: BATCH_SIZE) do |batch, index|
+      range = batch.pluck('MIN(id)', 'MAX(id)').first
+      delay = index * interval
+      BackgroundMigrationWorker.perform_in(delay, MIGRATION, *range)
+    end
+  end
+
+  def down
+    # no need
+  end
+end

db/schema.rb

@@ -343,6 +343,7 @@ ActiveRecord::Schema.define(version: 2019_10_26_124116) do
     t.string "custom_http_clone_url_root", limit: 511
     t.boolean "pendo_enabled", default: false, null: false
     t.string "pendo_url", limit: 255
+    t.integer "deletion_adjourned_period", default: 7, null: false
     t.index ["custom_project_templates_group_id"], name: "index_application_settings_on_custom_project_templates_group_id"
     t.index ["file_template_project_id"], name: "index_application_settings_on_file_template_project_id"
     t.index ["instance_administration_project_id"], name: "index_applicationsettings_on_instance_administration_project_id"
@@ -1820,6 +1821,17 @@ ActiveRecord::Schema.define(version: 2019_10_26_124116) do
     t.index ["key", "value"], name: "index_group_custom_attributes_on_key_and_value"
   end
 
+  create_table "group_group_links", force: :cascade do |t|
+    t.datetime_with_timezone "created_at", null: false
+    t.datetime_with_timezone "updated_at", null: false
+    t.bigint "shared_group_id", null: false
+    t.bigint "shared_with_group_id", null: false
+    t.date "expires_at"
+    t.integer "group_access", limit: 2, default: 30, null: false
+    t.index ["shared_group_id", "shared_with_group_id"], name: "index_group_group_links_on_shared_group_and_shared_with_group", unique: true
+    t.index ["shared_with_group_id"], name: "index_group_group_links_on_shared_with_group_id"
+  end
+
   create_table "historical_data", id: :serial, force: :cascade do |t|
     t.date "date", null: false
     t.integer "active_user_count"
@@ -3062,6 +3074,8 @@ ActiveRecord::Schema.define(version: 2019_10_26_124116) do
     t.integer "max_artifacts_size"
     t.string "pull_mirror_branch_prefix", limit: 50
     t.boolean "remove_source_branch_after_merge"
+    t.date "marked_for_deletion_at"
+    t.integer "marked_for_deletion_by_user_id"
     t.index "lower((name)::text)", name: "index_projects_on_lower_name"
     t.index ["archived", "pending_delete", "merge_requests_require_code_owner_approval"], name: "projects_requiring_code_owner_approval", where: "((pending_delete = false) AND (archived = false) AND (merge_requests_require_code_owner_approval = true))"
     t.index ["created_at"], name: "index_projects_on_created_at"
@@ -3074,6 +3088,7 @@ ActiveRecord::Schema.define(version: 2019_10_26_124116) do
     t.index ["last_repository_check_at"], name: "index_projects_on_last_repository_check_at", where: "(last_repository_check_at IS NOT NULL)"
     t.index ["last_repository_check_failed"], name: "index_projects_on_last_repository_check_failed"
     t.index ["last_repository_updated_at"], name: "index_projects_on_last_repository_updated_at"
+    t.index ["marked_for_deletion_by_user_id"], name: "index_projects_on_marked_for_deletion_by_user_id", where: "(marked_for_deletion_by_user_id IS NOT NULL)"
     t.index ["mirror_last_successful_update_at"], name: "index_projects_on_mirror_last_successful_update_at"
     t.index ["mirror_user_id"], name: "index_projects_on_mirror_user_id"
     t.index ["name"], name: "index_projects_on_name_trigram", opclass: :gin_trgm_ops, using: :gin
@@ -4220,6 +4235,8 @@ ActiveRecord::Schema.define(version: 2019_10_26_124116) do
   add_foreign_key "gpg_signatures", "projects", on_delete: :cascade
   add_foreign_key "grafana_integrations", "projects", on_delete: :cascade
   add_foreign_key "group_custom_attributes", "namespaces", column: "group_id", on_delete: :cascade
+  add_foreign_key "group_group_links", "namespaces", column: "shared_group_id", on_delete: :cascade
+  add_foreign_key "group_group_links", "namespaces", column: "shared_with_group_id", on_delete: :cascade
   add_foreign_key "identities", "saml_providers", name: "fk_aade90f0fc", on_delete: :cascade
   add_foreign_key "import_export_uploads", "projects", on_delete: :cascade
   add_foreign_key "index_statuses", "projects", name: "fk_74b2492545", on_delete: :cascade
@@ -4343,6 +4360,7 @@ ActiveRecord::Schema.define(version: 2019_10_26_124116) do
   add_foreign_key "project_statistics", "projects", on_delete: :cascade
   add_foreign_key "project_tracing_settings", "projects", on_delete: :cascade
   add_foreign_key "projects", "pool_repositories", name: "fk_6e5c14658a", on_delete: :nullify
+  add_foreign_key "projects", "users", column: "marked_for_deletion_by_user_id", name: "fk_25d8780d11", on_delete: :nullify
   add_foreign_key "prometheus_alert_events", "projects", on_delete: :cascade
   add_foreign_key "prometheus_alert_events", "prometheus_alerts", on_delete: :cascade
   add_foreign_key "prometheus_alerts", "environments", on_delete: :cascade

doc/development/code_review.md

@@ -368,7 +368,7 @@ Enterprise Edition instance. This has some implications:
       - [Background migrations](background_migrations.md) run in Sidekiq, and
         should only be done for migrations that would take an extreme amount of
         time at GitLab.com scale.
-1. **Sidekiq workers** [cannot change in a backwards-incompatible way](sidekiq_style_guide.md#removing-or-renaming-queues):
+1. **Sidekiq workers** [cannot change in a backwards-incompatible way](sidekiq_style_guide.md#sidekiq-compatibility-across-updates):
    1. Sidekiq queues are not drained before a deploy happens, so there will be
       workers in the queue from the previous version of GitLab.
    1. If you need to change a method signature, try to do so across two releases,

doc/topics/autodevops/index.md

@@ -969,7 +969,6 @@ The following table lists variables related to security tools.
 
 | **Variable**                            | **Description**                    |
 | `SAST_CONFIDENCE_LEVEL`                 | Minimum confidence level of security issues you want to be reported; `1` for Low, `2` for Medium, `3` for High. Defaults to `3`. |
-| `DS_DISABLE_REMOTE_CHECKS`              | Whether remote Dependency Scanning checks are disabled. Defaults to `"false"`. Set to `"true"` to disable checks that send data to GitLab central servers. [Read more about remote checks](../../user/application_security/dependency_scanning/index.md#remote-checks). |
 
 #### Disable jobs
 

doc/user/application_security/dependency_scanning/index.md

@@ -63,23 +63,6 @@ The following languages and dependency managers are supported.
 | Python ([poetry](https://poetry.eustace.io/)) | not currently ([issue](https://gitlab.com/gitlab-org/gitlab/issues/7006 "Support Poetry in Dependency Scanning")) | not available |
 | Ruby ([gem](https://rubygems.org/)) | yes | [gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium), [bundler-audit](https://github.com/rubysec/bundler-audit) |
 
-## Remote checks
-
-While some tools pull a local database to check vulnerabilities, some others
-like Gemnasium require sending data to GitLab central servers to analyze them:
-
-1. Gemnasium scans the dependencies of your project locally and sends a list of
-   packages to GitLab central servers.
-1. The servers return the list of known vulnerabilities for all versions of
-   these packages.
-1. The client picks up the relevant vulnerabilities by comparing with the versions
-   of the packages that are used by the project.
-
-The Gemnasium client does **NOT** send the exact package versions your project relies on.
-
-You can disable the remote checks by [using](#customizing-the-dependency-scanning-settings)
-the `DS_DISABLE_REMOTE_CHECKS` environment variable and setting it to `"true"`.
-
 ## Configuration
 
 For GitLab 11.9 and later, to enable Dependency Scanning, you must
@@ -116,7 +99,7 @@ include:
   template: Dependency-Scanning.gitlab-ci.yml
 
 variables:
-  DS_DISABLE_REMOTE_CHECKS: "true"
+  DS_PYTHON_VERSION: 2
 ```
 
 Because template is [evaluated before](../../../ci/yaml/README.md#include) the pipeline
@@ -150,7 +133,6 @@ using environment variables.
 | `DS_PYTHON_VERSION`                     | Version of Python. If set to 2, dependencies are installed using Python 2.7 instead of Python 3.6. ([Introduced](https://gitlab.com/gitlab-org/gitlab/issues/12296) in GitLab 12.1)| |
 | `DS_PIP_DEPENDENCY_PATH`                | Path to load Python pip dependencies from. ([Introduced](https://gitlab.com/gitlab-org/gitlab/issues/12412) in GitLab 12.2) | |
 | `DS_DEFAULT_ANALYZERS`                  | Override the names of the official default images. Read more about [customizing analyzers](analyzers.md). | |
-| `DS_DISABLE_REMOTE_CHECKS`              | Do not send any data to GitLab. Used in the [Gemnasium analyzer](#remote-checks). | |
 | `DS_PULL_ANALYZER_IMAGES`               | Pull the images from the Docker registry (set to `0` to disable). | |
 | `DS_EXCLUDED_PATHS`                     | Exclude vulnerabilities from output based on the paths. A comma-separated list of patterns. Patterns can be globs, file or folder paths. Parent directories will also match patterns. | `DS_EXCLUDED_PATHS=doc,spec` |
 | `DS_DOCKER_CLIENT_NEGOTIATION_TIMEOUT`  | Time limit for Docker client negotiation. Timeouts are parsed using Go's [`ParseDuration`](https://golang.org/pkg/time/#ParseDuration). Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. For example, `300ms`, `1.5h`, or `2h45m`. | |

lib/gitlab/import_export/import_export.yml

@@ -148,6 +148,8 @@ excluded_attributes:
     - :emails_disabled
     - :max_pages_size
     - :max_artifacts_size
+    - :marked_for_deletion_at
+    - :marked_for_deletion_by_user_id
   namespaces:
     - :runners_token
     - :runners_token_encrypted

lib/gitlab/project_authorizations.rb

@@ -57,7 +57,7 @@ module Gitlab
     private
 
     # Builds a recursive CTE that gets all the groups the current user has
-    # access to, including any nested groups.
+    # access to, including any nested groups and any shared groups.
     def recursive_cte
       cte = Gitlab::SQL::RecursiveCTE.new(:namespaces_cte)
       members = Member.arel_table
@@ -68,20 +68,27 @@ module Gitlab
         .select([namespaces[:id], members[:access_level]])
         .except(:order)
 
+      if Feature.enabled?(:share_group_with_group)
+        # Namespaces shared with any of the group
+        cte << Group.select([namespaces[:id], 'group_group_links.group_access AS access_level'])
+                    .joins(join_group_group_links)
+                    .joins(join_members_on_group_group_links)
+      end
+
       # Sub groups of any groups the user is a member of.
       cte << Group.select([
           namespaces[:id],
           greatest(members[:access_level], cte.table[:access_level], 'access_level')
         ])
         .joins(join_cte(cte))
-        .joins(join_members)
+        .joins(join_members_on_namespaces)
         .except(:order)
 
       cte
     end
 
     # Builds a LEFT JOIN to join optional memberships onto the CTE.
-    def join_members
+    def join_members_on_namespaces
       members = Member.arel_table
       namespaces = Namespace.arel_table
 
@@ -94,6 +101,23 @@ module Gitlab
       Arel::Nodes::OuterJoin.new(members, Arel::Nodes::On.new(cond))
     end
 
+    def join_group_group_links
+      group_group_links = GroupGroupLink.arel_table
+      namespaces = Namespace.arel_table
+
+      cond = group_group_links[:shared_group_id].eq(namespaces[:id])
+      Arel::Nodes::InnerJoin.new(group_group_links, Arel::Nodes::On.new(cond))
+    end
+
+    def join_members_on_group_group_links
+      group_group_links = GroupGroupLink.arel_table
+      members = Member.arel_table
+
+      cond = group_group_links[:shared_with_group_id].eq(members[:source_id])
+                    .and(members[:user_id].eq(user.id))
+      Arel::Nodes::InnerJoin.new(members, Arel::Nodes::On.new(cond))
+    end
+
     # Builds an INNER JOIN to join namespaces onto the CTE.
     def join_cte(cte)
       namespaces = Namespace.arel_table

locale/gitlab.pot

@@ -5628,9 +5628,6 @@ msgstr ""
 msgid "Disable"
 msgstr ""
 
-msgid "Disable email notifications"
-msgstr ""
-
 msgid "Disable for this project"
 msgstr ""
 
@@ -11202,9 +11199,6 @@ msgstr ""
 msgid "Note: Consider asking your GitLab administrator to configure %{github_integration_link}, which will allow login via GitHub and allow importing repositories without generating a Personal Access Token."
 msgstr ""
 
-msgid "Note: the container registry is always visible when a project is public"
-msgstr ""
-
 msgid "NoteForm|Note"
 msgstr ""
 
@@ -12869,12 +12863,18 @@ msgstr ""
 msgid "ProjectSettings|All discussions must be resolved"
 msgstr ""
 
+msgid "ProjectSettings|Allow users to request access"
+msgstr ""
+
 msgid "ProjectSettings|Automatically resolve merge request diff discussions when they become outdated"
 msgstr ""
 
 msgid "ProjectSettings|Badges"
 msgstr ""
 
+msgid "ProjectSettings|Build, test, and deploy your changes"
+msgstr ""
+
 msgid "ProjectSettings|Choose your merge method, merge options, and merge checks."
 msgstr ""
 
@@ -12884,15 +12884,30 @@ msgstr ""
 msgid "ProjectSettings|Contact an admin to change this setting."
 msgstr ""
 
+msgid "ProjectSettings|Container registry"
+msgstr ""
+
 msgid "ProjectSettings|Customize your project badges."
 msgstr ""
 
+msgid "ProjectSettings|Disable email notifications"
+msgstr ""
+
 msgid "ProjectSettings|Enable 'Delete source branch' option by default"
 msgstr ""
 
 msgid "ProjectSettings|Every merge creates a merge commit"
 msgstr ""
 
+msgid "ProjectSettings|Every project can have its own space to store its Docker images"
+msgstr ""
+
+msgid "ProjectSettings|Every project can have its own space to store its packages"
+msgstr ""
+
+msgid "ProjectSettings|Everyone"
+msgstr ""
+
 msgid "ProjectSettings|Existing merge requests and protected branches are not affected"
 msgstr ""
 
@@ -12908,9 +12923,24 @@ msgstr ""
 msgid "ProjectSettings|Fast-forward merges only"
 msgstr ""
 
+msgid "ProjectSettings|Git Large File Storage"
+msgstr ""
+
+msgid "ProjectSettings|Internal"
+msgstr ""
+
+msgid "ProjectSettings|Issues"
+msgstr ""
+
 msgid "ProjectSettings|Learn more about badges."
 msgstr ""
 
+msgid "ProjectSettings|Lightweight issue tracking system for this project"
+msgstr ""
+
+msgid "ProjectSettings|Manages large files such as audio, video, and graphics files"
+msgstr ""
+
 msgid "ProjectSettings|Merge checks"
 msgstr ""
 
@@ -12929,24 +12959,60 @@ msgstr ""
 msgid "ProjectSettings|Merge pipelines will try to validate the post-merge result prior to merging"
 msgstr ""
 
+msgid "ProjectSettings|Merge requests"
+msgstr ""
+
 msgid "ProjectSettings|No merge commits are created"
 msgstr ""
 
+msgid "ProjectSettings|Note: the container registry is always visible when a project is public"
+msgstr ""
+
 msgid "ProjectSettings|Only signed commits can be pushed to this repository."
 msgstr ""
 
+msgid "ProjectSettings|Packages"
+msgstr ""
+
 msgid "ProjectSettings|Pages"
 msgstr ""
 
+msgid "ProjectSettings|Pages for project documentation"
+msgstr ""
+
+msgid "ProjectSettings|Pipelines"
+msgstr ""
+
 msgid "ProjectSettings|Pipelines must succeed"
 msgstr ""
 
 msgid "ProjectSettings|Pipelines need to be configured to enable this feature."
 msgstr ""
 
+msgid "ProjectSettings|Private"
+msgstr ""
+
+msgid "ProjectSettings|Project visibility"
+msgstr ""
+
+msgid "ProjectSettings|Public"
+msgstr ""
+
+msgid "ProjectSettings|Repository"
+msgstr ""
+
+msgid "ProjectSettings|Share code pastes with others out of Git repository"
+msgstr ""
+
 msgid "ProjectSettings|Show link to create/view merge request when pushing from the command line"
 msgstr ""
 
+msgid "ProjectSettings|Snippets"
+msgstr ""
+
+msgid "ProjectSettings|Submit changes to be merged upstream"
+msgstr ""
+
 msgid "ProjectSettings|These checks must pass before merge requests can be merged"
 msgstr ""
 
@@ -12959,15 +13025,27 @@ msgstr ""
 msgid "ProjectSettings|This setting will be applied to all projects unless overridden by an admin."
 msgstr ""
 
+msgid "ProjectSettings|This setting will override user notification preferences for all project members."
+msgstr ""
+
 msgid "ProjectSettings|This will dictate the commit history when you merge a merge request"
 msgstr ""
 
 msgid "ProjectSettings|Users can only push commits to this repository that were committed with one of their own verified emails."
 msgstr ""
 
+msgid "ProjectSettings|View and edit files in this project"
+msgstr ""
+
 msgid "ProjectSettings|When conflicts arise the user is given the option to rebase"
 msgstr ""
 
+msgid "ProjectSettings|Wiki"
+msgstr ""
+
+msgid "ProjectSettings|With GitLab Pages you can host your static websites on GitLab"
+msgstr ""
+
 msgid "ProjectTemplates|.NET Core"
 msgstr ""
 
@@ -16437,6 +16515,9 @@ msgstr ""
 msgid "The group and its projects can only be viewed by members."
 msgstr ""
 
+msgid "The group has already been shared with this group"
+msgstr ""
+
 msgid "The group settings for %{group_links} require you to enable Two-Factor Authentication for your account. You can %{leave_group_links}."
 msgstr ""
 
@@ -17031,9 +17112,6 @@ msgstr ""
 msgid "This setting can be overridden in each project."
 msgstr ""
 
-msgid "This setting will override user notification preferences for all project members."
-msgstr ""
-
 msgid "This setting will update the hostname that is used to generate private commit emails. %{learn_more}"
 msgstr ""
 
@@ -18929,9 +19007,6 @@ msgstr ""
 msgid "Will deploy to"
 msgstr ""
 
-msgid "With GitLab Pages you can host your static websites on GitLab"
-msgstr ""
-
 msgid "With contribution analytics you can have an overview for the activity of issues, merge requests and push events of your organization and its members."
 msgstr ""
 

scripts/review_apps/review-apps.sh

@@ -195,9 +195,22 @@ function download_chart() {
   helm dependency build .
 }
 
+function base_config_changed() {
+  git fetch origin master --depth=50
+
+  [ -n "$(git diff origin/master... --name-only -- scripts/review_apps/base-config.yaml)" ]
+}
+
 function deploy() {
   local name="$CI_ENVIRONMENT_SLUG"
   local edition="${GITLAB_EDITION-ce}"
+  local base_config_file_ref="master"
+  echo "REVIEW_APP_CONFIG_CHANGED: ${REVIEW_APP_CONFIG_CHANGED}"
+  if [ -n "${REVIEW_APP_CONFIG_CHANGED}" ]; then
+    base_config_file_ref="$CI_COMMIT_SHA"
+  fi
+  local base_config_file="https://gitlab.com/gitlab-org/gitlab/raw/${base_config_file_ref}/scripts/review_apps/base-config.yaml"
+
   echoinfo "Deploying ${name}..." true
 
   IMAGE_REPOSITORY="registry.gitlab.com/gitlab-org/build/cng-mirror"
@@ -240,11 +253,11 @@ EOF
 )
 
 HELM_CMD=$(cat << EOF
-  $HELM_CMD \
+  ${HELM_CMD} \
   --namespace="$KUBE_NAMESPACE" \
-  --version="$CI_PIPELINE_ID-$CI_JOB_ID" \
-  -f "../scripts/review_apps/base-config.yaml" \
-  "$name" .
+  --version="${CI_PIPELINE_ID}-${CI_JOB_ID}" \
+  -f "${base_config_file}" \
+  "${name}" .
 EOF
 )
 

spec/controllers/groups/group_links_controller_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Groups::GroupLinksController do
+  let(:shared_with_group) { create(:group, :private) }
+  let(:shared_group) { create(:group, :private) }
+  let(:user) { create(:user) }
+
+  before do
+    sign_in(user)
+  end
+
+  describe '#create' do
+    let(:shared_with_group_id) { shared_with_group.id }
+
+    subject do
+      post(:create,
+           params: { group_id: shared_group,
+                     shared_with_group_id: shared_with_group_id,
+                     shared_group_access: GroupGroupLink.default_access })
+    end
+
+    context 'when user has correct access to both groups' do
+      let(:group_member) { create(:user) }
+
+      before do
+        shared_with_group.add_developer(user)
+        shared_group.add_owner(user)
+
+        shared_with_group.add_developer(group_member)
+      end
+
+      it 'links group with selected group' do
+        expect { subject }.to change { shared_with_group.shared_groups.include?(shared_group) }.from(false).to(true)
+      end
+
+      it 'redirects to group links page' do
+        subject
+
+        expect(response).to(redirect_to(group_group_members_path(shared_group)))
+      end
+
+      it 'allows access for group member' do
+        expect { subject }.to change { group_member.can?(:read_group, shared_group) }.from(false).to(true)
+      end
+
+      context 'when shared with group id is not present' do
+        let(:shared_with_group_id) { nil }
+
+        it 'redirects to group links page' do
+          subject
+
+          expect(response).to(redirect_to(group_group_members_path(shared_group)))
+          expect(flash[:alert]).to eq('Please select a group.')
+        end
+      end
+
+      context 'when link is not persisted in the database' do
+        before do
+          allow(::Groups::GroupLinks::CreateService).to(
+            receive_message_chain(:new, :execute)
+              .and_return({ status: :error,
+                            http_status: 409,
+                            message: 'error' }))
+        end
+
+        it 'redirects to group links page' do
+          subject
+
+          expect(response).to(redirect_to(group_group_members_path(shared_group)))
+          expect(flash[:alert]).to eq('error')
+        end
+      end
+
+      context 'when feature flag is disabled' do
+        before do
+          stub_feature_flags(share_group_with_group: false)
+        end
+
+        it 'renders 404' do
+          subject
+
+          expect(response).to have_gitlab_http_status(404)
+        end
+      end
+    end
+
+    context 'when user does not have access to the group' do
+      before do
+        shared_group.add_owner(user)
+      end
+
+      it 'renders 404' do
+        subject
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
+
+    context 'when user does not have admin access to the shared group' do
+      before do
+        shared_with_group.add_developer(user)
+        shared_group.add_developer(user)
+      end
+
+      it 'renders 404' do
+        subject
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
+  end
+end

spec/factories/group_group_links.rb

+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :group_group_link do
+    shared_group { create(:group) }
+    shared_with_group { create(:group) }
+    group_access { GroupMember::DEVELOPER }
+  end
+end

spec/frontend/monitoring/components/charts/anomaly_spec.js

+import Anomaly from '~/monitoring/components/charts/anomaly.vue';
+
+import { shallowMount } from '@vue/test-utils';
+import { colorValues } from '~/monitoring/constants';
+import {
+  anomalyDeploymentData,
+  mockProjectDir,
+  anomalyMockGraphData,
+  anomalyMockResultValues,
+} from '../../mock_data';
+import { TEST_HOST } from 'helpers/test_constants';
+import MonitorTimeSeriesChart from '~/monitoring/components/charts/time_series.vue';
+
+const mockWidgets = 'mockWidgets';
+const mockProjectPath = `${TEST_HOST}${mockProjectDir}`;
+
+jest.mock('~/lib/utils/icon_utils'); // mock getSvgIconPathContent
+
+const makeAnomalyGraphData = (datasetName, template = anomalyMockGraphData) => {
+  const queries = anomalyMockResultValues[datasetName].map((values, index) => ({
+    ...template.queries[index],
+    result: [
+      {
+        metrics: {},
+        values,
+      },
+    ],
+  }));
+  return { ...template, queries };
+};
+
+describe('Anomaly chart component', () => {
+  let wrapper;
+
+  const setupAnomalyChart = props => {
+    wrapper = shallowMount(Anomaly, {
+      propsData: { ...props },
+      slots: {
+        default: mockWidgets,
+      },
+      sync: false,
+    });
+  };
+  const findTimeSeries = () => wrapper.find(MonitorTimeSeriesChart);
+  const getTimeSeriesProps = () => findTimeSeries().props();
+
+  describe('wrapped monitor-time-series-chart component', () => {
+    const dataSetName = 'noAnomaly';
+    const dataSet = anomalyMockResultValues[dataSetName];
+    const inputThresholds = ['some threshold'];
+
+    beforeEach(() => {
+      setupAnomalyChart({
+        graphData: makeAnomalyGraphData(dataSetName),
+        deploymentData: anomalyDeploymentData,
+        thresholds: inputThresholds,
+        projectPath: mockProjectPath,
+      });
+    });
+
+    it('is a Vue instance', () => {
+      expect(findTimeSeries().exists()).toBe(true);
+      expect(findTimeSeries().isVueInstance()).toBe(true);
+    });
+
+    describe('receives props correctly', () => {
+      describe('graph-data', () => {
+        it('receives a single "metric" series', () => {
+          const { graphData } = getTimeSeriesProps();
+          expect(graphData.queries.length).toBe(1);
+        });
+
+        it('receives "metric" with all data', () => {
+          const { graphData } = getTimeSeriesProps();
+          const query = graphData.queries[0];
+          const expectedQuery = makeAnomalyGraphData(dataSetName).queries[0];
+          expect(query).toEqual(expectedQuery);
+        });
+
+        it('receives the "metric" results', () => {
+          const { graphData } = getTimeSeriesProps();
+          const { result } = graphData.queries[0];
+          const { values } = result[0];
+          const [metricDataset] = dataSet;
+          expect(values).toEqual(expect.any(Array));
+
+          values.forEach(([, y], index) => {
+            expect(y).toBeCloseTo(metricDataset[index][1]);
+          });
+        });
+      });
+
+      describe('option', () => {
+        let option;
+        let series;
+
+        beforeEach(() => {
+          ({ option } = getTimeSeriesProps());
+          ({ series } = option);
+        });
+
+        it('contains a boundary band', () => {
+          expect(series).toEqual(expect.any(Array));
+          expect(series.length).toEqual(2); // 1 upper + 1 lower boundaries
+          expect(series[0].stack).toEqual(series[1].stack);
+
+          series.forEach(s => {
+            expect(s.type).toBe('line');
+            expect(s.lineStyle.width).toBe(0);
+            expect(s.lineStyle.color).toMatch(/rgba\(.+\)/);
+            expect(s.lineStyle.color).toMatch(s.color);
+            expect(s.symbol).toEqual('none');
+          });
+        });
+
+        it('upper boundary values are stacked on top of lower boundary', () => {
+          const [lowerSeries, upperSeries] = series;
+          const [, upperDataset, lowerDataset] = dataSet;
+
+          lowerSeries.data.forEach(([, y], i) => {
+            expect(y).toBeCloseTo(lowerDataset[i][1]);
+          });
+
+          upperSeries.data.forEach(([, y], i) => {
+            expect(y).toBeCloseTo(upperDataset[i][1] - lowerDataset[i][1]);
+          });
+        });
+      });
+
+      describe('series-config', () => {
+        let seriesConfig;
+
+        beforeEach(() => {
+          ({ seriesConfig } = getTimeSeriesProps());
+        });
+
+        it('display symbols is enabled', () => {
+          expect(seriesConfig).toEqual(
+            expect.objectContaining({
+              type: 'line',
+              symbol: 'circle',
+              showSymbol: true,
+              symbolSize: expect.any(Function),
+              itemStyle: {
+                color: expect.any(Function),
+              },
+            }),
+          );
+        });
+        it('does not display anomalies', () => {
+          const { symbolSize, itemStyle } = seriesConfig;
+          const [metricDataset] = dataSet;
+
+          metricDataset.forEach((v, dataIndex) => {
+            const size = symbolSize(null, { dataIndex });
+            const color = itemStyle.color({ dataIndex });
+
+            // normal color and small size
+            expect(size).toBeCloseTo(0);
+            expect(color).toBe(colorValues.primaryColor);
+          });
+        });
+
+        it('can format y values (to use in tooltips)', () => {
+          expect(parseFloat(wrapper.vm.yValueFormatted(0, 0))).toEqual(dataSet[0][0][1]);
+          expect(parseFloat(wrapper.vm.yValueFormatted(1, 0))).toEqual(dataSet[1][0][1]);
+          expect(parseFloat(wrapper.vm.yValueFormatted(2, 0))).toEqual(dataSet[2][0][1]);
+        });
+      });
+
+      describe('inherited properties', () => {
+        it('"deployment-data" keeps the same value', () => {
+          const { deploymentData } = getTimeSeriesProps();
+          expect(deploymentData).toEqual(anomalyDeploymentData);
+        });
+        it('"thresholds" keeps the same value', () => {
+          const { thresholds } = getTimeSeriesProps();
+          expect(thresholds).toEqual(inputThresholds);
+        });
+        it('"projectPath" keeps the same value', () => {
+          const { projectPath } = getTimeSeriesProps();
+          expect(projectPath).toEqual(mockProjectPath);
+        });
+      });
+    });
+  });
+
+  describe('with no boundary data', () => {
+    const dataSetName = 'noBoundary';
+    const dataSet = anomalyMockResultValues[dataSetName];
+
+    beforeEach(() => {
+      setupAnomalyChart({
+        graphData: makeAnomalyGraphData(dataSetName),
+        deploymentData: anomalyDeploymentData,
+      });
+    });
+
+    describe('option', () => {
+      let option;
+      let series;
+
+      beforeEach(() => {
+        ({ option } = getTimeSeriesProps());
+        ({ series } = option);
+      });
+
+      it('does not display a boundary band', () => {
+        expect(series).toEqual(expect.any(Array));
+        expect(series.length).toEqual(0); // no boundaries
+      });
+
+      it('can format y values (to use in tooltips)', () => {
+        expect(parseFloat(wrapper.vm.yValueFormatted(0, 0))).toEqual(dataSet[0][0][1]);
+        expect(wrapper.vm.yValueFormatted(1, 0)).toBe(''); // missing boundary
+        expect(wrapper.vm.yValueFormatted(2, 0)).toBe(''); // missing boundary
+      });
+    });
+  });
+
+  describe('with one anomaly', () => {
+    const dataSetName = 'oneAnomaly';
+    const dataSet = anomalyMockResultValues[dataSetName];
+
+    beforeEach(() => {
+      setupAnomalyChart({
+        graphData: makeAnomalyGraphData(dataSetName),
+        deploymentData: anomalyDeploymentData,
+      });
+    });
+
+    describe('series-config', () => {
+      it('displays one anomaly', () => {
+        const { seriesConfig } = getTimeSeriesProps();
+        const { symbolSize, itemStyle } = seriesConfig;
+        const [metricDataset] = dataSet;
+
+        const bigDots = metricDataset.filter((v, dataIndex) => {
+          const size = symbolSize(null, { dataIndex });
+          return size > 0.1;
+        });
+        const redDots = metricDataset.filter((v, dataIndex) => {
+          const color = itemStyle.color({ dataIndex });
+          return color === colorValues.anomalySymbol;
+        });
+
+        expect(bigDots.length).toBe(1);
+        expect(redDots.length).toBe(1);
+      });
+    });
+  });
+
+  describe('with offset', () => {
+    const dataSetName = 'negativeBoundary';
+    const dataSet = anomalyMockResultValues[dataSetName];
+    const expectedOffset = 4; // Lowst point in mock data is -3.70, it gets rounded
+
+    beforeEach(() => {
+      setupAnomalyChart({
+        graphData: makeAnomalyGraphData(dataSetName),
+        deploymentData: anomalyDeploymentData,
+      });
+    });
+
+    describe('receives props correctly', () => {
+      describe('graph-data', () => {
+        it('receives a single "metric" series', () => {
+          const { graphData } = getTimeSeriesProps();
+          expect(graphData.queries.length).toBe(1);
+        });
+
+        it('receives "metric" results and applies the offset to them', () => {
+          const { graphData } = getTimeSeriesProps();
+          const { result } = graphData.queries[0];
+          const { values } = result[0];
+          const [metricDataset] = dataSet;
+          expect(values).toEqual(expect.any(Array));
+
+          values.forEach(([, y], index) => {
+            expect(y).toBeCloseTo(metricDataset[index][1] + expectedOffset);
+          });
+        });
+      });
+    });
+
+    describe('option', () => {
+      it('upper boundary values are stacked on top of lower boundary, plus the offset', () => {
+        const { option } = getTimeSeriesProps();
+        const { series } = option;
+        const [lowerSeries, upperSeries] = series;
+        const [, upperDataset, lowerDataset] = dataSet;
+
+        lowerSeries.data.forEach(([, y], i) => {
+          expect(y).toBeCloseTo(lowerDataset[i][1] + expectedOffset);
+        });
+
+        upperSeries.data.forEach(([, y], i) => {
+          expect(y).toBeCloseTo(upperDataset[i][1] - lowerDataset[i][1]);
+        });
+      });
+    });
+  });
+});

spec/frontend/monitoring/mock_data.js

+export const mockProjectDir = '/frontend-fixtures/environments-project';
+
+export const anomalyDeploymentData = [
+  {
+    id: 111,
+    iid: 3,
+    sha: 'f5bcd1d9dac6fa4137e2510b9ccd134ef2e84187',
+    ref: {
+      name: 'master',
+    },
+    created_at: '2019-08-19T22:00:00.000Z',
+    deployed_at: '2019-08-19T22:01:00.000Z',
+    tag: false,
+    'last?': true,
+  },
+  {
+    id: 110,
+    iid: 2,
+    sha: 'f5bcd1d9dac6fa4137e2510b9ccd134ef2e84187',
+    ref: {
+      name: 'master',
+    },
+    created_at: '2019-08-19T23:00:00.000Z',
+    deployed_at: '2019-08-19T23:00:00.000Z',
+    tag: false,
+    'last?': false,
+  },
+];
+
+export const anomalyMockResultValues = {
+  noAnomaly: [
+    [
+      ['2019-08-19T19:00:00.000Z', 1.25],
+      ['2019-08-19T20:00:00.000Z', 1.45],
+      ['2019-08-19T21:00:00.000Z', 1.55],
+      ['2019-08-19T22:00:00.000Z', 1.48],
+    ],
+    [
+      // upper boundary
+      ['2019-08-19T19:00:00.000Z', 2],
+      ['2019-08-19T20:00:00.000Z', 2.55],
+      ['2019-08-19T21:00:00.000Z', 2.65],
+      ['2019-08-19T22:00:00.000Z', 3.0],
+    ],
+    [
+      // lower boundary
+      ['2019-08-19T19:00:00.000Z', 0.45],
+      ['2019-08-19T20:00:00.000Z', 0.65],
+      ['2019-08-19T21:00:00.000Z', 0.7],
+      ['2019-08-19T22:00:00.000Z', 0.8],
+    ],
+  ],
+  noBoundary: [
+    [
+      ['2019-08-19T19:00:00.000Z', 1.25],
+      ['2019-08-19T20:00:00.000Z', 1.45],
+      ['2019-08-19T21:00:00.000Z', 1.55],
+      ['2019-08-19T22:00:00.000Z', 1.48],
+    ],
+    [
+      // empty upper boundary
+    ],
+    [
+      // empty lower boundary
+    ],
+  ],
+  oneAnomaly: [
+    [
+      ['2019-08-19T19:00:00.000Z', 1.25],
+      ['2019-08-19T20:00:00.000Z', 3.45], // anomaly
+      ['2019-08-19T21:00:00.000Z', 1.55],
+    ],
+    [
+      // upper boundary
+      ['2019-08-19T19:00:00.000Z', 2],
+      ['2019-08-19T20:00:00.000Z', 2.55],
+      ['2019-08-19T21:00:00.000Z', 2.65],
+    ],
+    [
+      // lower boundary
+      ['2019-08-19T19:00:00.000Z', 0.45],
+      ['2019-08-19T20:00:00.000Z', 0.65],
+      ['2019-08-19T21:00:00.000Z', 0.7],
+    ],
+  ],
+  negativeBoundary: [
+    [
+      ['2019-08-19T19:00:00.000Z', 1.25],
+      ['2019-08-19T20:00:00.000Z', 3.45], // anomaly
+      ['2019-08-19T21:00:00.000Z', 1.55],
+    ],
+    [
+      // upper boundary
+      ['2019-08-19T19:00:00.000Z', 2],
+      ['2019-08-19T20:00:00.000Z', 2.55],
+      ['2019-08-19T21:00:00.000Z', 2.65],
+    ],
+    [
+      // lower boundary
+      ['2019-08-19T19:00:00.000Z', -1.25],
+      ['2019-08-19T20:00:00.000Z', -2.65],
+      ['2019-08-19T21:00:00.000Z', -3.7], // lowest point
+    ],
+  ],
+};
+
+export const anomalyMockGraphData = {
+  title: 'Requests Per Second Mock Data',
+  type: 'anomaly-chart',
+  weight: 3,
+  metrics: [
+    // Not used
+  ],
+  queries: [
+    {
+      metricId: '90',
+      id: 'metric',
+      query_range: 'MOCK_PROMETHEUS_METRIC_QUERY_RANGE',
+      unit: 'RPS',
+      label: 'Metrics RPS',
+      metric_id: 90,
+      prometheus_endpoint_path: 'MOCK_METRIC_PEP',
+      result: [
+        {
+          metric: {},
+          values: [['2019-08-19T19:00:00.000Z', 0]],
+        },
+      ],
+    },
+    {
+      metricId: '91',
+      id: 'upper',
+      query_range: '...',
+      unit: 'RPS',
+      label: 'Upper Limit Metrics RPS',
+      metric_id: 91,
+      prometheus_endpoint_path: 'MOCK_UPPER_PEP',
+      result: [
+        {
+          metric: {},
+          values: [['2019-08-19T19:00:00.000Z', 0]],
+        },
+      ],
+    },
+    {
+      metricId: '92',
+      id: 'lower',
+      query_range: '...',
+      unit: 'RPS',
+      label: 'Lower Limit Metrics RPS',
+      metric_id: 92,
+      prometheus_endpoint_path: 'MOCK_LOWER_PEP',
+      result: [
+        {
+          metric: {},
+          values: [['2019-08-19T19:00:00.000Z', 0]],
+        },
+      ],
+    },
+  ],
+};

spec/frontend/repository/components/table/row_spec.js

@@ -104,7 +104,7 @@ describe('Repository table row component', () => {
     if (pushes) {
       expect(visitUrl).not.toHaveBeenCalled();
     } else {
-      expect(visitUrl).toHaveBeenCalledWith('https://test.com');
+      expect(visitUrl).toHaveBeenCalledWith('https://test.com', undefined);
     }
   });