Add latest changes from gitlab-org/gitlab@13-11-stable-ee

.gitlab-ci.yml

@@ -17,7 +17,7 @@ stages:
 # in cases where jobs require Docker-in-Docker, the job
 # definition must be extended with `.use-docker-in-docker`
 default:
-  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.7.2.patched-golang-1.14-git-2.29-lfs-2.9-chrome-87-node-14.15-yarn-1.22-postgresql-11-graphicsmagick-1.3.34"
+  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.7.2.patched-golang-1.14-git-2.31-lfs-2.9-chrome-89-node-14.15-yarn-1.22-postgresql-11-graphicsmagick-1.3.36"
   tags:
     - gitlab-org
   # All jobs are interruptible by default
@@ -38,7 +38,7 @@ workflow:
       when: never
     # For merge requests, create a pipeline.
     - if: '$CI_MERGE_REQUEST_IID'
-    # For `master` branch, create a pipeline (this includes on schedules, pushes, merges, etc.).
+    # For `$CI_DEFAULT_BRANCH` branch, create a pipeline (this includes on schedules, pushes, merges, etc.).
     - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
     # For tags, create a pipeline.
     - if: '$CI_COMMIT_TAG'
@@ -53,6 +53,8 @@ workflow:
 variables:
   RAILS_ENV: "test"
   NODE_ENV: "test"
+  # we override the max_old_space_size to prevent OOM errors
+  NODE_OPTIONS: --max_old_space_size=3584
   SIMPLECOV: "true"
   GIT_DEPTH: "20"
   GIT_SUBMODULE_STRATEGY: "none"
@@ -100,6 +102,7 @@ include:
   - local: .gitlab/ci/qa.gitlab-ci.yml
   - local: .gitlab/ci/reports.gitlab-ci.yml
   - local: .gitlab/ci/rails.gitlab-ci.yml
+  - local: .gitlab/ci/vendored-gems.gitlab-ci.yml
   - local: .gitlab/ci/review.gitlab-ci.yml
   - local: .gitlab/ci/rules.gitlab-ci.yml
   - local: .gitlab/ci/setup.gitlab-ci.yml
@@ -111,4 +114,7 @@ include:
   - local: .gitlab/ci/dast.gitlab-ci.yml
   - local: .gitlab/ci/workhorse.gitlab-ci.yml
   - local: .gitlab/ci/graphql.gitlab-ci.yml
-  - remote: 'https://gitlab.com/gitlab-org/frontend/untamper-my-lockfile/-/raw/main/.gitlab-ci-template.yml'
+  # switch the remote include to a local include until this is resolved:
+  #   https://gitlab.com/gitlab-org/gitlab/-/issues/327299
+  # - remote: 'https://gitlab.com/gitlab-org/frontend/untamper-my-lockfile/-/raw/main/.gitlab-ci-template.yml'
+  - local: .gitlab/ci/untamper-my-lockfile.yml

.gitlab/CODEOWNERS

@@ -135,7 +135,7 @@
 /doc/api/invitations.md @aqualls
 /doc/api/experiments.md @aqualls 
 /doc/development/experiment_guide/ @aqualls
-/doc/development/snowplow.md @aqualls
+/doc/development/snowplow/ @aqualls
 /doc/development/usage_ping/ @aqualls
 /doc/user/admin_area/license.md @aqualls
 
@@ -193,7 +193,7 @@ Dangerfile @gl-quality/eng-prod
 /lib/gitlab/auth/ldap/ @dblessing @mkozono
 
 [Templates]
-/lib/gitlab/ci/templates/ @nolith @shinya.maeda
+/lib/gitlab/ci/templates/ @nolith @shinya.maeda @matteeyah
 /lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml @DylanGriffith @mayra-cabrera @tkuah
 /lib/gitlab/ci/templates/Security/ @plafoucriere @gonzoyumo @twoodham @sethgitlab
 
@@ -277,6 +277,7 @@ Dangerfile @gl-quality/eng-prod
 /lib/gitlab/experimentation/ @gitlab-org/growth/experiment-devs
 /lib/gitlab/experimentation.rb @gitlab-org/growth/experiment-devs
 /lib/gitlab/experimentation_logger.rb @gitlab-org/growth/experiment-devs
+/ee/spec/requests/api/experiments_spec.rb @gitlab-org/growth/experiment-devs
 
 [Legal]
 /config/dependency_decisions.yml @gitlab-org/legal-reviewers

.gitlab/changelog_config.yml

+---
+# Settings for generating changelogs using the GitLab API. See
+# https://docs.gitlab.com/ee/api/repositories.html#generate-changelog-data for
+# more information.
+categories:
+  added: Added
+  fixed: Fixed
+  changed: Changed
+  deprecated: Deprecated
+  removed: Removed
+  security: Security
+  performance: Performance
+  other: Other
+template: |
+  {% if categories %}
+  {% each categories %}
+  ### {{ title }} ({% if single_change %}1 change{% else %}{{ count }} changes{% end %})
+
+  {% each entries %}
+  - [{{ title }}]({{ commit.reference }})\
+  {% if author.contributor %} by {{ author.reference }}{% end %}\
+  {% if commit.trailers.MR %}\
+   ([merge request]({{ commit.trailers.MR }}))\
+  {% else %}\
+  {% if merge_request %}\
+   ([merge request]({{ merge_request.reference }}))\
+  {% end %}\
+  {% end %}\
+  {% if commit.trailers.EE %}\
+   **GitLab Enterprise Edition**\
+  {% end %}
+
+  {% end %}
+
+  {% end %}
+  {% else %}
+  No changes.
+  {% end %}

.gitlab/ci/build-images.gitlab-ci.yml

-# This image is used by the `review-qa-*` jobs. Not currently used by the `omnibus-gitlab` pipelines which rebuild this
-# image, e.g. https://gitlab.com/gitlab-org/build/omnibus-gitlab-mirror/-/jobs/587107399, which we could probably avoid.
-# See https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/5429.
+# This image is used by the `review-qa-*` jobs. The image name is also passed to the downstream `omnibus-gitlab-mirror` pipeline
+# triggered by `package-and-qa` so that it doesn't have to rebuild it a second time. The downstream `omnibus-gitlab-mirror` pipeline
+# itself passes the image name to the `gitlab-qa-mirror` pipeline so that it can use it instead of inferring an end-to-end image
+# from the GitLab image built by the downstream `omnibus-gitlab-mirror` pipeline.
+# See https://docs.gitlab.com/ee/development/testing_guide/end_to_end/index.html#testing-code-in-merge-requests for more details.
 build-qa-image:
   extends:
     - .use-kaniko

.gitlab/ci/cache-repo.gitlab-ci.yml

-# Builds a cached .tar.gz of the master branch with full history and
+# Builds a cached .tar.gz of the $CI_DEFAULT_BRANCH branch with full history and
 # uploads it to Google Cloud Storage. This archive is downloaded by a
 # script defined by a CI/CD variable named CI_PRE_CLONE_SCRIPT. This has
 # two benefits:
@@ -41,6 +41,7 @@ cache-repo:
         cd $CI_PROJECT_NAME;
         time git repack -d;
         echo "Archiving $CI_PROJECT_NAME into /tmp/$SHALLOW_CLONE_TAR_FILENAME.";
+        time git remote rm origin;
         time tar cf /tmp/$SHALLOW_CLONE_TAR_FILENAME .;
         echo "GZipping /tmp/$SHALLOW_CLONE_TAR_FILENAME.";
         time gzip /tmp/$SHALLOW_CLONE_TAR_FILENAME;
@@ -52,7 +53,9 @@ cache-repo:
         echo "Cloning $CI_REPOSITORY_URL into $CI_PROJECT_NAME.";
         time git clone --progress $CI_REPOSITORY_URL $CI_PROJECT_NAME;
         cd $CI_PROJECT_NAME;
+        time git repack -d;
         echo "Archiving $CI_PROJECT_NAME into /tmp/$FULL_CLONE_TAR_FILENAME.";
+        time git remote rm origin;
         time tar cf /tmp/$FULL_CLONE_TAR_FILENAME .;
         echo "GZipping /tmp/$FULL_CLONE_TAR_FILENAME.";
         time gzip /tmp/$FULL_CLONE_TAR_FILENAME;

.gitlab/ci/dast.gitlab-ci.yml

@@ -97,7 +97,7 @@ DAST-fullscan-ruleset5:
   variables:
     DAST_USERNAME: "user5"
   script:
-    - export DAST_EXCLUDE_RULES=$(echo $DAST_RULES | enable_rule 10010 | enable_rule 10011 | enable_rule 10015 | enable_rule 10017 | enable_rule 10019)
+    - export DAST_EXCLUDE_RULES=$(echo $DAST_RULES | enable_rule 10010 | enable_rule 10011 | enable_rule 10017 | enable_rule 10019)
     - echo $DAST_EXCLUDE_RULES
     - /analyze -t $DAST_WEBSITE -d
 

.gitlab/ci/docs.gitlab-ci.yml

@@ -10,17 +10,18 @@
     # because some repos are private and CI_JOB_TOKEN cannot access files.
     # See https://gitlab.com/gitlab-org/gitlab/issues/191273
     GIT_DEPTH: 1
+    # By default, deploy the Review App using the `master` branch of the `gitlab-org/gitlab-docs` project
+    DOCS_BRANCH: master
   environment:
-    name: review-docs/$DOCS_GITLAB_REPO_SUFFIX-$CI_MERGE_REQUEST_IID
+    name: review-docs/mr-${CI_MERGE_REQUEST_IID}
     # DOCS_REVIEW_APPS_DOMAIN and DOCS_GITLAB_REPO_SUFFIX are CI variables
     # Discussion: https://gitlab.com/gitlab-org/gitlab-foss/merge_requests/14236/diffs#note_40140693
     auto_stop_in: 2 weeks
-    url: http://docs-preview-$DOCS_GITLAB_REPO_SUFFIX-$CI_MERGE_REQUEST_IID.$DOCS_REVIEW_APPS_DOMAIN/$DOCS_GITLAB_REPO_SUFFIX
+    url: http://${DOCS_BRANCH}-${DOCS_GITLAB_REPO_SUFFIX}-${CI_MERGE_REQUEST_IID}.${DOCS_REVIEW_APPS_DOMAIN}/${DOCS_GITLAB_REPO_SUFFIX}
     on_stop: review-docs-cleanup
   before_script:
-    - apk add --update openssl
-    - gem install httparty --no-document --version 0.17.3
-    - gem install gitlab --no-document --version 4.13.0
+    - source ./scripts/utils.sh
+    - install_gitlab_gem
 
 # Always trigger a docs build in gitlab-docs only on docs-only branches.
 # Useful to preview the docs changes live.
@@ -33,7 +34,7 @@ review-docs-deploy:
 review-docs-cleanup:
   extends: .review-docs
   environment:
-    name: review-docs/$DOCS_GITLAB_REPO_SUFFIX-$CI_MERGE_REQUEST_IID
+    name: review-docs/mr-${CI_MERGE_REQUEST_IID}
     action: stop
   script:
     - ./scripts/trigger-build docs cleanup
@@ -64,10 +65,8 @@ docs-lint links:
     - cd /tmp/gitlab-docs
     # Build HTML from Markdown
     - bundle exec nanoc
-    # Check the internal links
-    - bundle exec nanoc check internal_links
-    # Check the internal anchor links
-    - bundle exec nanoc check internal_anchors
+    # Check the internal links and anchors (in parallel)
+    - "parallel time bundle exec nanoc check ::: internal_links internal_anchors"
 
 ui-docs-links lint:
   extends:

.gitlab/ci/frontend.gitlab-ci.yml

-.frontend-base:
-  extends:
-    - .default-retry
-    - .default-before_script
-  variables:
-    SETUP_DB: "false"
-    # we override the max_old_space_size to prevent OOM errors
-    NODE_OPTIONS: --max_old_space_size=3584
-
 .yarn-install: &yarn-install
   - source scripts/utils.sh
   - run_timed_command "retry yarn install --frozen-lockfile"
 
 .compile-assets-base:
   extends:
-    - .frontend-base
+    - .default-retry
+    - .default-before_script
     - .assets-compile-cache
-  image: registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.7.2-git-2.29-lfs-2.9-node-14.15-yarn-1.22-graphicsmagick-1.3.34
+  image: registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.7.2-git-2.31-lfs-2.9-node-14.15-yarn-1.22-graphicsmagick-1.3.36
   variables:
+    SETUP_DB: "false"
     WEBPACK_VENDOR_DLL: "true"
   stage: prepare
   script:
@@ -93,13 +86,13 @@ update-yarn-cache:
 
 .frontend-fixtures-base:
   extends:
-    - .frontend-base
+    - .default-retry
+    - .default-before_script
     - .rails-cache
     - .use-pg11
   stage: fixtures
   needs: ["setup-test-env", "retrieve-tests-metadata", "compile-test-assets"]
   variables:
-    SETUP_DB: "true"
     WEBPACK_VENDOR_DLL: "true"
   script:
     - run_timed_command "gem install knapsack --no-document"
@@ -151,10 +144,8 @@ graphql-schema-dump:
 
 .frontend-test-base:
   extends:
-    - .frontend-base
+    - .default-retry
     - .yarn-cache
-  variables:
-    USE_BUNDLE_INSTALL: "false"
   stage: test
 
 eslint-as-if-foss:
@@ -246,7 +237,7 @@ coverage-frontend:
   extends:
     - .default-retry
     - .yarn-cache
-    - .frontend:rules:ee-mr-and-master-only
+    - .frontend:rules:ee-mr-and-default-branch-only
   needs: ["jest"]
   stage: post-test
   before_script:

.gitlab/ci/global.gitlab-ci.yml

@@ -27,7 +27,7 @@
 
 .rails-cache:
   cache:
-    key: "rails-v4"
+    key: "rails-v5"
     paths:
       - vendor/ruby/
       - vendor/gitaly-ruby/
@@ -87,7 +87,7 @@
     policy: pull
 
 .use-pg11:
-  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.7.2.patched-golang-1.14-git-2.29-lfs-2.9-chrome-87-node-14.15-yarn-1.22-postgresql-11-graphicsmagick-1.3.34"
+  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.7.2.patched-golang-1.14-git-2.31-lfs-2.9-chrome-89-node-14.15-yarn-1.22-postgresql-11-graphicsmagick-1.3.36"
   services:
     - name: postgres:11.6
       command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
@@ -96,7 +96,7 @@
     POSTGRES_HOST_AUTH_METHOD: trust
 
 .use-pg12:
-  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.7.2.patched-golang-1.14-git-2.29-lfs-2.9-chrome-87-node-14.15-yarn-1.22-postgresql-12-graphicsmagick-1.3.34"
+  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.7.2.patched-golang-1.14-git-2.31-lfs-2.9-chrome-89-node-14.15-yarn-1.22-postgresql-12-graphicsmagick-1.3.36"
   services:
     - name: postgres:12
       command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
@@ -105,7 +105,7 @@
     POSTGRES_HOST_AUTH_METHOD: trust
 
 .use-pg11-ee:
-  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.7.2.patched-golang-1.14-git-2.29-lfs-2.9-chrome-87-node-14.15-yarn-1.22-postgresql-11-graphicsmagick-1.3.34"
+  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.7.2.patched-golang-1.14-git-2.31-lfs-2.9-chrome-89-node-14.15-yarn-1.22-postgresql-11-graphicsmagick-1.3.36"
   services:
     - name: postgres:11.6
       command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
@@ -116,7 +116,7 @@
     POSTGRES_HOST_AUTH_METHOD: trust
 
 .use-pg12-ee:
-  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.7.2.patched-golang-1.14-git-2.29-lfs-2.9-chrome-87-node-14.15-yarn-1.22-postgresql-12-graphicsmagick-1.3.34"
+  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.7.2.patched-golang-1.14-git-2.31-lfs-2.9-chrome-89-node-14.15-yarn-1.22-postgresql-12-graphicsmagick-1.3.36"
   services:
     - name: postgres:12
       command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]

.gitlab/ci/memory.gitlab-ci.yml

@@ -44,8 +44,6 @@ memory-on-boot:
     NODE_ENV: "production"
     RAILS_ENV: "production"
     SETUP_DB: "true"
-    # we override the max_old_space_size to prevent OOM errors
-    NODE_OPTIONS: --max_old_space_size=3584
   script:
     - PATH_TO_HIT="/users/sign_in" CUT_OFF=0.3 bundle exec derailed exec perf:mem >> 'tmp/memory_on_boot.txt'
     - scripts/generate-memory-metrics-on-boot tmp/memory_on_boot.txt >> 'tmp/memory_on_boot_metrics.txt'

.gitlab/ci/rails.gitlab-ci.yml

@@ -142,7 +142,7 @@
 ############################
 
 #######################################################
-# EE/FOSS: default refs (MRs, master, schedules) jobs #
+# EE/FOSS: default refs (MRs, default branch, schedules) jobs #
 setup-test-env:
   extends:
     - .rails-job-base
@@ -183,6 +183,7 @@ setup-test-env:
       - tmp/tests/gitlab-workhorse/gitlab-workhorse
       - tmp/tests/gitlab-workhorse/gitlab-resize-image
       - tmp/tests/gitlab-workhorse/config.toml
+      - tmp/tests/gitlab-workhorse/WORKHORSE_TREE
       - tmp/tests/repositories/
       - tmp/tests/second_storage/
     when: always
@@ -256,17 +257,6 @@ static-analysis:
     - run_timed_command "retry yarn install --frozen-lockfile"
     - scripts/static-analysis
 
-downtime_check:
-  extends:
-    - .rails-job-base
-    - .rails:rules:downtime_check
-  needs: []
-  stage: test
-  variables:
-    SETUP_DB: "false"
-  script:
-    - bundle exec rake downtime_check
-
 rspec migration pg11:
   extends:
     - .rspec-base-pg11
@@ -346,7 +336,7 @@ db:migrate:reset:
 db:check-schema:
   extends:
     - .db-job-base
-    - .rails:rules:ee-mr-and-master-only
+    - .rails:rules:ee-mr-and-default-branch-only
   script:
     - source scripts/schema_changed.sh
 
@@ -358,32 +348,31 @@ db:check-migrations:
     - scripts/validate_migration_schema
   allow_failure: true
 
-db:migrate-from-v12.10.0:
+db:migrate-from-previous-major-version:
   extends: .db-job-base
   variables:
+    USE_BUNDLE_INSTALL: "false"
     SETUP_DB: "false"
+    PROJECT_TO_CHECKOUT: "gitlab-foss"
+    TAG_TO_CHECKOUT: "v12.10.14"
   script:
-    - export PROJECT_TO_CHECKOUT="gitlab"
-    - export TAG_TO_CHECKOUT="v12.10.0-ee"
-    - '[[ -d "ee/" ]] || export PROJECT_TO_CHECKOUT="gitlab-foss"'
-    - '[[ -d "ee/" ]] || export TAG_TO_CHECKOUT="v12.10.0"'
+    - '[[ -d "ee/" ]] || export PROJECT_TO_CHECKOUT="gitlab"'
+    - '[[ -d "ee/" ]] || export TAG_TO_CHECKOUT="${TAG_TO_CHECKOUT}-ee"'
     - retry 'git fetch https://gitlab.com/gitlab-org/$PROJECT_TO_CHECKOUT.git $TAG_TO_CHECKOUT'
     - git checkout -f FETCH_HEAD
+    # Patch Gemfile of the previous major version for compatibility.
     - sed -i -e "s/gem 'grpc', '~> 1.24.0'/gem 'grpc', '~> 1.30.2'/" Gemfile  # Update gRPC for Ruby 2.7
-    - sed -i -e "s/gem 'google-protobuf', '~> 3.8.0'/gem 'google-protobuf', '~> 3.12.0'/" Gemfile
-    - gem install bundler:1.17.3
-    - bundle update google-protobuf grpc bootsnap
-    - bundle install $BUNDLE_INSTALL_FLAGS
-    - date
+    - sed -i -e "s/gem 'google-protobuf', '~> 3.8.0'/gem 'google-protobuf', '~> 3.12'/" Gemfile
+    - sed -i -e "s/gem 'nokogiri', '~> 1.10.5'/gem 'nokogiri', '~> 1.11.0'/" Gemfile
+    - sed -i -e "s/gem 'mimemagic', '~> 0.3.2'/gem 'ruby-magic', '~> 0.3.2'/" Gemfile
+    - run_timed_command "gem install bundler:1.17.3"
+    - run_timed_command "bundle update google-protobuf nokogiri grpc mimemagic bootsnap"
+    - run_timed_command "bundle install ${BUNDLE_INSTALL_FLAGS}"
     - cp config/gitlab.yml.example config/gitlab.yml
-    - bundle exec rake db:drop db:create db:structure:load db:seed_fu
-    - date
+    - run_timed_command "bundle exec rake db:drop db:create db:structure:load db:migrate db:seed_fu"
     - git checkout -f $CI_COMMIT_SHA
-    - bundle install $BUNDLE_INSTALL_FLAGS
-    - date
-    - . scripts/prepare_build.sh
-    - date
-    - bundle exec rake db:migrate
+    - run_timed_command "bundle install ${BUNDLE_INSTALL_FLAGS}"
+    - run_timed_command "bundle exec rake db:migrate"
 
 db:rollback:
   extends: .db-job-base
@@ -535,11 +524,11 @@ rspec:feature-flags:
         run_timed_command "bundle exec scripts/used-feature-flags";
       fi
 
-# EE/FOSS: default refs (MRs, master, schedules) jobs #
+# EE/FOSS: default refs (MRs, default branch, schedules) jobs #
 #######################################################
 
 ##################################################
-# EE: default refs (MRs, master, schedules) jobs #
+# EE: default refs (MRs, default branch, schedules) jobs #
 rspec migration pg11-as-if-foss:
   extends:
     - .rspec-base-pg11-as-if-foss
@@ -682,81 +671,81 @@ db:rollback geo:
   script:
     - bundle exec rake geo:db:migrate VERSION=20170627195211
     - bundle exec rake geo:db:migrate
-# EE: default refs (MRs, master, schedules) jobs #
+# EE: default refs (MRs, default branch, schedules) jobs #
 ##################################################
 
 ##########################################
-# EE/FOSS: master nightly scheduled jobs #
+# EE/FOSS: default branch nightly scheduled jobs #
 rspec migration pg12:
   extends:
     - .rspec-base-pg12
     - .rspec-base-migration
-    - .rails:rules:master-schedule-nightly--code-backstage
+    - .rails:rules:default-branch-schedule-nightly--code-backstage
     - .rspec-migration-parallel
 
 rspec unit pg12:
   extends:
     - .rspec-base-pg12
-    - .rails:rules:master-schedule-nightly--code-backstage
+    - .rails:rules:default-branch-schedule-nightly--code-backstage
     - .rspec-unit-parallel
 
 rspec integration pg12:
   extends:
     - .rspec-base-pg12
-    - .rails:rules:master-schedule-nightly--code-backstage
+    - .rails:rules:default-branch-schedule-nightly--code-backstage
     - .rspec-integration-parallel
 
 rspec system pg12:
   extends:
     - .rspec-base-pg12
-    - .rails:rules:master-schedule-nightly--code-backstage
+    - .rails:rules:default-branch-schedule-nightly--code-backstage
     - .rspec-system-parallel
-# EE/FOSS: master nightly scheduled jobs #
+# EE/FOSS: default branch nightly scheduled jobs #
 ##########################################
 
 #####################################
-# EE: master nightly scheduled jobs #
+# EE: default branch nightly scheduled jobs #
 rspec-ee migration pg12:
   extends:
     - .rspec-ee-base-pg12
     - .rspec-base-migration
-    - .rails:rules:master-schedule-nightly--code-backstage-ee-only
+    - .rails:rules:default-branch-schedule-nightly--code-backstage-ee-only
     - .rspec-ee-migration-parallel
 
 rspec-ee unit pg12:
   extends:
     - .rspec-ee-base-pg12
-    - .rails:rules:master-schedule-nightly--code-backstage-ee-only
+    - .rails:rules:default-branch-schedule-nightly--code-backstage-ee-only
     - .rspec-ee-unit-parallel
 
 rspec-ee integration pg12:
   extends:
     - .rspec-ee-base-pg12
-    - .rails:rules:master-schedule-nightly--code-backstage-ee-only
+    - .rails:rules:default-branch-schedule-nightly--code-backstage-ee-only
     - .rspec-ee-integration-parallel
 
 rspec-ee system pg12:
   extends:
     - .rspec-ee-base-pg12
-    - .rails:rules:master-schedule-nightly--code-backstage-ee-only
+    - .rails:rules:default-branch-schedule-nightly--code-backstage-ee-only
     - .rspec-ee-system-parallel
 
 rspec-ee unit pg12 geo:
   extends:
     - .rspec-ee-base-geo-pg12
-    - .rails:rules:master-schedule-nightly--code-backstage-ee-only
+    - .rails:rules:default-branch-schedule-nightly--code-backstage-ee-only
     - .rspec-ee-unit-geo-parallel
 
 rspec-ee integration pg12 geo:
   extends:
     - .rspec-ee-base-geo-pg12
-    - .rails:rules:master-schedule-nightly--code-backstage-ee-only
+    - .rails:rules:default-branch-schedule-nightly--code-backstage-ee-only
 
 rspec-ee system pg12 geo:
   extends:
     - .rspec-ee-base-geo-pg12
-    - .rails:rules:master-schedule-nightly--code-backstage-ee-only
-# EE: master nightly scheduled jobs #
+    - .rails:rules:default-branch-schedule-nightly--code-backstage-ee-only
+# EE: default branch nightly scheduled jobs #
 #####################################
 
 ##################################################
@@ -799,7 +788,7 @@ fail-pipeline-early:
     GIT_DEPTH: 1
   before_script:
     - source scripts/utils.sh
-    - install_api_client_dependencies_with_apt
+    - install_gitlab_gem
   script:
     - fail_pipeline_early
 # EE: Canonical MR pipelines

.gitlab/ci/review.gitlab-ci.yml

@@ -29,7 +29,6 @@ review-build-cng:
   stage: review-prepare
   before_script:
     - source ./scripts/utils.sh
-    - install_api_client_dependencies_with_apk
     - install_gitlab_gem
   needs:
     - job: compile-production-assets
@@ -161,7 +160,7 @@ review-qa-smoke:
 review-qa-all:
   extends:
     - .review-qa-base
-    - .review:rules:mr-only-manual
+    - .review:rules:review-qa-all
   parallel: 5
   script:
     - export KNAPSACK_REPORT_PATH=knapsack/master_report.json
@@ -198,7 +197,7 @@ review-performance:
 
 parallel-spec-reports:
   extends:
-    - .review:rules:mr-only-manual
+    - .review:rules:review-qa-all
   image: ${GITLAB_DEPENDENCY_PROXY}ruby:2.7-alpine
   stage: post-qa
   dependencies: ["review-qa-all"]
@@ -234,7 +233,15 @@ danger-review:
     - run_timed_command "bundle install --jobs=$(nproc) --path=vendor --retry=3 --quiet --with danger"
     - run_timed_command "retry yarn install --frozen-lockfile"
   script:
-    - run_timed_command "bundle exec danger --fail-on-errors=true --verbose"
+    - >
+      if [ -z "$DANGER_GITLAB_API_TOKEN" ]; then
+        # Force danger to skip CI source GitLab and fallback to "local only git repo".
+        unset GITLAB_CI
+        # We need to base SHA to help danger determine the base commit for this shallow clone.
+        run_timed_command "bundle exec danger dry_run --fail-on-errors=true --verbose --base='$CI_MERGE_REQUEST_DIFF_BASE_SHA'"
+      else
+        run_timed_command "bundle exec danger --fail-on-errors=true --verbose"
+      fi
 
 update-danger-review-cache:
   extends:

.gitlab/ci/untamper-my-lockfile.yml

+untamper-my-lockfile:
+  image: registry.gitlab.com/gitlab-org/frontend/untamper-my-lockfile:main
+  stage: test
+  needs: []
+  before_script: []
+  after_script: []
+  cache: {}
+  retry: 1
+  script:
+    - untamper-my-lockfile --lockfile yarn.lock
+  rules:
+    # Create a pipeline if the branch is named 'add-untamper-my-lockfile' in
+    # order to have an integration check added in the MR that introduces it
+    - if: $CI_COMMIT_REF_NAME == "add-untamper-my-lockfile"
+    # Create a pipeline if there are changes in yarn.lock _and_ we are in a
+    # merge request _or_ branch pipeline.
+    #
+    # This ensures that the pipeline isn't run in scheduled jobs for example
+    #
+    # Also our best effort to support both branch and MR pipelines. In certain
+    # projects this might trigger _two_ pipelines. These projects can be fixed
+    # by adding proper workflow:rules
+    # https://docs.gitlab.com/ee/ci/yaml/#workflowrules
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event" || $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH
+      changes:
+        - yarn.lock

.gitlab/ci/vendored-gems.gitlab-ci.yml

+vendor mail-smtp_pool:
+  extends:
+    - .vendor:rules:mail-smtp_pool
+  needs: []
+  trigger:
+    include: vendor/gems/mail-smtp_pool/.gitlab-ci.yml
+    strategy: depend

.gitlab/ci/workhorse.gitlab-ci.yml

 workhorse:verify:
   extends: .workhorse:rules:workhorse
-  image: ${GITLAB_DEPENDENCY_PROXY}golang:1.15
+  image: ${GITLAB_DEPENDENCY_PROXY}golang:1.16
   stage: test
   needs: []
   script:
@@ -23,14 +23,10 @@ workhorse:verify:
     - apt-get update && apt-get -y install libimage-exiftool-perl
     - make -C workhorse test
 
-workhorse:test using go 1.13:
-  extends: .workhorse:test
-  image: ${GITLAB_DEPENDENCY_PROXY}golang:1.13
-
-workhorse:test using go 1.14:
-  extends: .workhorse:test
-  image: ${GITLAB_DEPENDENCY_PROXY}golang:1.14
-
 workhorse:test using go 1.15:
   extends: .workhorse:test
   image: ${GITLAB_DEPENDENCY_PROXY}golang:1.15
+
+workhorse:test using go 1.16:
+  extends: .workhorse:test
+  image: ${GITLAB_DEPENDENCY_PROXY}golang:1.16

.gitlab/issue_templates/Experiment Successful Cleanup.md

@@ -15,5 +15,6 @@ The changes need to become an official part of the product.
 - [ ] Optional: Migrate experiment to a default enabled [feature flag](https://docs.gitlab.com/ee/development/feature_flags) for one milestone and add a changelog. Converting to a feature flag can be skipped at the ICs discretion if risk is deemed low with consideration to both SaaS and (if applicable) self managed
 - [ ] In the next milestone, [remove the feature flag](https://docs.gitlab.com/ee/development/feature_flags/controls.html#cleaning-up) if applicable
 - [ ] After the flag removal is deployed, [clean up the feature/experiment feature flags](https://docs.gitlab.com/ee/development/feature_flags/controls.html#cleaning-up) by running chatops command in `#production` channel
+- [ ] Ensure the corresponding [Experiment Tracking](https://gitlab.com/groups/gitlab-org/-/boards/1352542?label_name[]=devops%3A%3Agrowth&label_name[]=growth%20experiment&label_name[]=experiment%20tracking) issue is updated
 
 /label ~"feature" ~"feature::maintenance" ~"workflow::scheduling" ~"growth experiment" ~"feature flag"  

.gitlab/issue_templates/Experimentation.md

@@ -18,7 +18,7 @@
 # Tracking Details
 
 - [json schema](https://gitlab.com/gitlab-org/iglu/-/blob/master/public/schemas/com.gitlab/gitlab_experiment/jsonschema/0-3-0) used in `gitlab-experiment` tracking.
-- see [taxonomy](https://docs.gitlab.com/ee/development/snowplow.html#structured-event-taxonomy) for a guide.
+- see [taxonomy](https://docs.gitlab.com/ee/development/snowplow/index.html#structured-event-taxonomy) for a guide.
 
 | activity | category | action | label | context | property | value |
 | -------- | -------- | ------ | ----- | ------- | -------- | ----- |

.gitlab/issue_templates/Feature Flag Roll Out.md

 <!-- Title suggestion: [Feature flag] Enable description of feature -->
 
-## What
+## Feature
 
-Remove the `:feature_name` feature flag ...
+This feature uses the `:feature_name` feature flag!
+
+<!-- Short description of what the feature is about and link to relevant other issues. -->
+- [Issue Name](ISSUE LINK)
 
 ## Owners
 
 - Team: NAME_OF_TEAM
 - Most appropriate slack channel to reach out to: `#g_TEAM_NAME`
 - Best individual to reach out to: NAME
+- PM: NAME
 
-## Expectations
+## Stakeholders
 
-### What are we expecting to happen?
-
-### What might happen if this goes wrong?
+<!--
+Are there any other stages or teams involved that need to be kept in the loop?
 
-### What can we monitor to detect problems with this?
+- Name of a PM
+- The Support Team
+- The Delivery Team
+-->
 
-<!-- Which dashboards from https://dashboards.gitlab.net are most relevant? Sentry errors reports can also be useful to review -->
+## The Rollout Plan
 
+- Partial Rollout on GitLab.com with beta groups
+- Rollout on GitLab.com for a certain period (How long)
+- Percentage Rollout on GitLab.com
+- Rollout Feature for everyone as soon as it's ready
 
-## Beta groups/projects
+<!-- Which dashboards from https://dashboards.gitlab.net are most relevant? Sentry errors reports can also be useful to review -->
 
-If applicable, any groups/projects that are happy to have this feature turned on early. Some organizations may wish to test big changes they are interested in with a small subset of users ahead of time for example.
+**Beta Groups/Projects:**
+<!-- If applicable, any groups/projects that are happy to have this feature turned on early. Some organizations may wish to test big changes they are interested in with a small subset of users ahead of time for example. -->
 
 - `gitlab-org/gitlab` project
 - `gitlab-org`/`gitlab-com` groups
 - ...
 
-## Roll Out Steps
 
+## Expectations
+
+### What are we expecting to happen?
+
+<!-- Describe the expected outcome when rolling out this feature -->
+
+### What might happen if this goes wrong?
+
+<!-- Should the feature flag be turned off? Any MRs that need to be rolled back? Communication that needs to happen? What are some things you can think of that could go wrong - data loss or broken pages? -->
+
+### What can we monitor to detect problems with this?
+
+<!-- Which dashboards from https://dashboards.gitlab.net are most relevant? -->
+
+## Rollout Timeline
+
+<!-- Please check which steps are needed and remove those which don't apply -->
+
+**Initial Rollout**
+
+*Preparation Phase*
 - [ ] Enable on staging (`/chatops run feature set feature_name true --staging`)
+
 - [ ] Test on staging
-- [ ] Ensure that documentation has been updated
-- [ ] Enable on GitLab.com for individual groups/projects listed above and verify behaviour  (`/chatops run feature set --project=gitlab-org/gitlab feature_name true`)
-- [ ] Coordinate a time to enable the flag with the SRE oncall and release managers
-  - In `#production` mention `@sre-oncall` and `@release-managers`. Once an SRE on call and Release Manager on call confirm, you can proceed with the rollout
+
+- [ ] Ensure that documentation has been updated ([More info](https://docs.gitlab.com/ee/development/documentation/feature_flags.html#features-that-became-enabled-by-default))
+
 - [ ] Announce on the issue an estimated time this will be enabled on GitLab.com
-- [ ] Enable on GitLab.com by running chatops command in `#production` (`/chatops run feature set feature_name true`)
-- [ ] Cross post chatops Slack command to `#support_gitlab-com` ([more guidance when this is necessary in the dev docs](https://docs.gitlab.com/ee/development/feature_flags/controls.html#where-to-run-commands)) and in your team channel
+
+*Partial Rollout Phase*
+- [ ] Enable on GitLab.com for individual groups/projects listed above and verify behaviour (`/chatops run feature set --project=gitlab-org/gitlab feature_name true`)
+
+- [ ] Verify behaviour (See Beta Groups) and add details with screenshots as a comment on this issue
+
+- [ ] If it is possible to perform an incremental rollout, this should be preferred. Proposed increments are: `10%`, `50%`, `100%`. Proposed minimum time between increments is 15 minutes.
+  - When setting percentages, make sure that the feature works correctly between feature checks. See https://gitlab.com/gitlab-org/gitlab/-/issues/327117 for more information
+  - For actor-based rollout: `/chatops run feature set feature_name 10 --actors`
+  - For time-based rollout: `/chatops run feature set feature_name 10`
+
+- [ ] Make the feature flag enabled by default i.e. Change `default_enabled` to `true`
+
+- [ ] Cross post chatops slack command to `#support_gitlab-com` ([more guidance when this is necessary in the dev docs](https://docs.gitlab.com/ee/development/feature_flags/controls.html#where-to-run-commands)) and in your team channel
+
+
+**Cleanup**
+
+This is an __important__ phase, that should be either done in the next Milestone or as soon as possible. For the cleanup phase, please follow our documentation on how to  [clean up the feature flag](https://docs.gitlab.com/ee/development/feature_flags/controls.html#cleaning-up).
+
+<!-- The checklist here is to keep track of it's status for stakeholders -->
 - [ ] Announce on the issue that the flag has been enabled
-- [ ] Remove feature flag and add changelog entry. Ensure that the feature flag definition YAML file has been removed in the **same MR** that is removing the feature flag from the code
-- [ ] After the flag removal is deployed, [clean up the feature flag](https://docs.gitlab.com/ee/development/feature_flags/controls.html#cleaning-up) by running chatops command in `#production` channel
+
+- [ ] Remove `:feature_name` feature flag
+    - [ ] Remove all references to the feature flag from the codebase
+    - [ ] Remove the YAML definitions for the feature from the repository
+    - [ ] Create a Changelog Entry
+
+- [ ] Clean up the feature flag from all environments by running this chatops command in `#production` channel `/chatops run feature delete some_feature`.
+
+**Final Step**
+
+- [ ] Close this rollout issue for the feature flag after the feature flag is removed from the codebase.
 
 ## Rollback Steps
 
@@ -53,3 +112,4 @@ If applicable, any groups/projects that are happy to have this feature turned on
 ```
 
 /label ~"feature flag"
+/assign DRI

.gitlab/issue_templates/Feature proposal.md

@@ -113,3 +113,5 @@ Use the following resources to find the appropriate labels:
 /label ~devops:: ~group: ~Category:
 /label  ~"GitLab Core"/~"GitLab Premium"/~"GitLab Ultimate"
 /label ~feature
+/label ~documentation
+/label ~direction

.gitlab/issue_templates/Implementation.md

@@ -39,24 +39,25 @@ Add details for required items and delete others.
 <!--
 Steps and the parts of the code that will need to get updated. The plan can also
 call-out responsibilities for other team members or teams.
--->
+
+e.g.:
 
 - [ ] ~frontend Step 1
   - [ ] `@person` Step 1a
 - [ ] ~frontend Step 2
 
+-->
+
 
 <!--
 Workflow and other relevant labels
 
-~"group::" ~"Category:" ~"GitLab Ultimate"
--->
-/label ~"workflow::refinement"
-
-<!--
+# ~"group::" ~"Category:" ~"GitLab Ultimate"
 Other settings you might want to include when creating the issue.
 
-/milestone %"Next 1-3 releases"
-/assign @
-/epic &
+# /assign @
+# /epic &
 -->
+
+/label ~"workflow::refinement"
+/milestone %Backlog

.gitlab/issue_templates/Lean Feature Proposal.md

@@ -101,3 +101,6 @@ In which enterprise tier should this feature go? See https://about.gitlab.com/ha
 ### Is this a cross-stage feature?
 
 Communicate if this change will affect multiple Stage Groups or product areas. We recommend always start with the assumption that a feature request will have an impact into another Group. Loop in the most relevant PM and Product Designer from that Group to provide strategic support to help align the Group's broader plan and vision, as well as to avoid UX and technical debt. https://about.gitlab.com/handbook/product/#cross-stage-features -->
+
+/label ~documentation
+/label ~direction

.gitlab/issue_templates/Migrations.md

-# Project Name | Migration Tracker
-<!-- Please edit this header with your project / organization's name. -->
-
-## Background
-
-<!-- 
-Please add information here about why you're planning on migrating. Include any initial announcements that have been made about the decision or status.
--->
-
-### Goals
-
-<!-- What are some of the goals of your migration to GitLab? Delete this section if you don't want to enumerate goals. -->
-
-## Quick Facts
-
-<!-- Please complete as many items in this list as possible. If you're not sure yet, add "TBD" (To be Decided) or "Unknown" -->
-
- * **Timeline.** - 
- * **Product.** - GitLab Gold/Ultimate or Community Edition
- * **Project's License.** What kind of OSI-approved license does your project use? 
-
-## Current Tooling and Replacements
-
-<!-- 
-Please fill in the table to give an overview of your current tooling. Here's a description of what to include in each column:  
-
-- Tool: which tool or platform you are currently using
-- Feature: which particular feature you are using in that tool or platform
-- GitLab feature: equivalent GitLab feature (the GitLab team can help fill this in, as well as the info in the next column)
-- GitLab edition: in which GitLab edition (CE or EE) is this feature available? 
-
-Here's an example of a replacements overview from one of the projects which migrated to GitLab:  https://gitlab.com/gitlab-org/gitlab/-/issues/25657#gitlab-replacements
-
--->
-
-| Tool | Feature | GitLab feature | GitLab edition |
-| --- | --- | --- | --- |
-|  |  |  |  |
-
-## Collaborators
-
-<!-- Please add names of collaborators in the format: Name, Title, Role (what will you be helping to do, or how should you be involved), GitLab username -->
-
-## Related Issues
-
-<!-- Add any related issues that are important for your project by adding the title of the issue and a link to it (preferably as an embedded link). You will probably keep editing this section as the migration progresses, so don't worry if it's mostly blank for now. 
-
-Here is an example of what this list might look like once populated: https://gitlab.com/gitlab-org/gitlab-foss/-/issues/55039#outstanding-issues
--->
-
-### Blockers
- * [ ] ADD_LINK_TO_ISSUE_HERE
-
-### Urgent
- * [ ] 
-
-### Important but not urgent
- * [ ] 
-
-### Nice to have
- * [ ] 
-
- 
-------
-
-/label ~"Open Source" ~movingtogitlab
-/cc @nuritzi 

.gitlab/issue_templates/OSS_Partner.md

+<!-- Please title your issue with the following format: "Project Name | Issue Tracker". -->
+
+## Background
+
+<!-- 
+Please add information here about why your project is considering a migration to GitLab, or why it decided to do so. Include any initial announcements that have been / were made about the decision or status.
+-->
+
+### Goals
+
+<!-- What are some of the goals of your migration to GitLab? Delete this section if you don't want to enumerate goals. -->
+
+## Quick Facts
+
+<!-- Please complete as many items in this list as possible. If you're not sure yet, add "TBD" (To be Decided) or "Unknown" -->
+
+ * **Timeline.** - 
+ * **Product.** - SaaS-Ultimate/Self-Managed-Ultimate or Community Edition
+ * **Project's License.** What kind of OSI-approved license does your project use? 
+
+## Current Tooling and Replacements
+
+<!-- 
+Please fill in the table to give an overview of your current tooling. Here's a description of what to include in each column:  
+
+- Tool: which tool or platform you are currently using
+- Feature: which particular feature you are using in that tool or platform
+- GitLab feature: equivalent GitLab feature (the GitLab team can help fill this in, as well as the info in the next column)
+- GitLab edition: in which GitLab edition (CE or EE) is this feature available? 
+
+Here's an example of a replacements overview from one of the projects which migrated to GitLab:  https://gitlab.com/gitlab-org/gitlab/-/issues/25657#gitlab-replacements
+
+Consider deleting the table below if you are unable to expand upon your current tooling.
+
+-->
+
+| Tool | Feature | GitLab feature | GitLab edition |
+| --- | --- | --- | --- |
+|  |  |  |  |
+
+## Collaborators
+
+<!-- Please add names of collaborators in the format: Name, Title, Role (what will you be helping to do, or how should you be involved), GitLab username -->
+
+## Related Issues
+
+<!-- Add any related issues that are important for your project by adding the title of the issue and a link to it (preferably as an embedded link). You will probably keep editing this section as the migration progresses, so don't worry if it's mostly blank for now. 
+
+Here is an example of what this list might look like once populated: https://gitlab.com/gitlab-org/gitlab-foss/-/issues/55039#outstanding-issues
+-->
+
+### Blockers
+ * [ ] ADD_LINK_TO_ISSUE_HERE
+
+### Urgent
+ * [ ] 
+
+### Important but not urgent
+ * [ ] 
+
+### Nice to have
+ * [ ] 
+
+ 
+------
+
+/label ~"Open Source Partners"
+/cc @nuritzi @greg

.gitlab/issue_templates/Productivity Improvement.md

@@ -34,6 +34,6 @@ after the implementation is merged/deployed/released.
 
 - [ ] The solution improved the situation.
   - If yes, check this box and close the issue. Well done! :tada:
-  - Otherwise, create a new "Productivity Improvement" issue. You can re-use the description from this issue, but obviously another solution should be chosen this time.
+  - Otherwise, create a new "Productivity Improvement" issue. You can re-use the description from this issue, but another solution should be chosen this time.
 
 /label ~"Engineering Productivity" ~meta

.gitlab/issue_templates/Query Performance Investigation.md

@@ -10,6 +10,16 @@ As the name implies, the purpose of the template is to detail underperforming qu
 - [ ] Provide [priority and severity labels](https://about.gitlab.com/handbook/engineering/quality/issue-triage/#availability)
 - [ ] If this requires immediate attention cc `@gitlab-org/database-team` and reach out in the #g_database slack channel
 
+### SQL Statement
+
+```sql
+
+```
+
+### Data from Elastic
+
+Instructions on collecting data from [PostgreSQL slow logs stored in Elasticsearch](https://gitlab.com/gitlab-com/runbooks/-/merge_requests/3361/diffs)
+
 ### Requested Data points
 
 Please provide as many of these fields as possible when submitting a query performance report.
@@ -20,7 +30,6 @@ Please provide as many of these fields as possible when submitting a query perfo
 - Database time relative to total database time
 - Source of calls (Sidekiq, WebAPI, etc)
 - Query ID
-- SQL Statement
 - Query Plan
 - Query Example
 - Total number of calls (relative)

.gitlab/issue_templates/Security developer workflow.md

@@ -10,9 +10,10 @@ Set the title to: `Description of the original issue`
 
 - [ ] Read the [security process for developers] if you are not familiar with it.
   - Verify if the issue you're working on `gitlab-org/gitlab` is confidential, if it's public fix should be placed on GitLab canonical and no backports are required.
-- [ ] Mark this [issue as related] to the Security Release Tracking Issue. You can find it on the topic of the `#releases` Slack channel.
+- [ ] Mark this [issue as linked] to the Security Release Tracking Issue. You can find it on the topic of the `#releases` Slack channel.
 - Fill out the [Links section](#links):
   - [ ] Next to **Issue on GitLab**, add a link to the `gitlab-org/gitlab` issue that describes the security vulnerability.
+- [ ] Add one of the `~severity::x` labels to the issue and all associated merge requests. 
 
 ## Development
 
@@ -64,6 +65,6 @@ After your merge request has been approved according to our [approval guidelines
 [secpick documentation]: https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/security/utilities/secpick_script.md
 [security Release merge request template]: https://gitlab.com/gitlab-org/security/gitlab/blob/master/.gitlab/merge_request_templates/Security%20Release.md
 [approval guidelines]: https://docs.gitlab.com/ee/development/code_review.html#approval-guidelines
-[issue as related]: https://docs.gitlab.com/ee/user/project/issues/related_issues.html#adding-a-related-issue
+[issue as linked]: https://docs.gitlab.com/ee/user/project/issues/related_issues.html#add-a-linked-issue
 
 /label ~security

.gitlab/issue_templates/experiment_tracking_template.md

@@ -27,7 +27,7 @@ As well as defining the experiment rollout and cleanup, this issue incorporates
 ### What might happen if this goes wrong?
 
 ### What can we monitor to detect problems with this?
-<!-- Which dashboards from https://dashboards.gitlab.net are most relevant? Sentry errors reports can alse be useful to review -->
+<!-- Which dashboards from https://dashboards.gitlab.net are most relevant? Sentry errors reports can also be useful to review -->
 
 ### Tracked data
 <!-- brief description or link to issue or Sisense dashboard -->
@@ -81,6 +81,7 @@ If applicable, any groups/projects that are happy to have this feature turned on
 - [ ] Announce on the issue that the flag has been enabled
 - [ ] Remove experiment code and feature flag and add changelog entry - a separate [cleanup issue](https://gitlab.com/gitlab-org/gitlab/-/issues/new?issuable_template=Experiment%20Successful%20Cleanup) might be required
 - [ ] After the flag removal is deployed, [clean up the feature flag](https://docs.gitlab.com/ee/development/feature_flags/controls.html#cleaning-up) by running chatops command in `#production` channel
+- [ ] Assign to the product manager to update the [knowledge base](https://about.gitlab.com/direction/growth/#growth-insights-knowledge-base) (if applicable)
 
 ## Rollback Steps
 

.gitlab/merge_request_templates/New End To End Test.md

@@ -10,7 +10,7 @@ Please link to the respective test case in the testcases project
 - [ ] Note if the test is intended to run in specific scenarios. If a scenario is new, add a link to the MR that adds the new scenario.
 - [ ] Follow the end-to-end tests [style guide](https://docs.gitlab.com/ee/development/testing_guide/end_to_end/style_guide.html) and [best practices](https://docs.gitlab.com/ee/development/testing_guide/end_to_end/best_practices.html).
 - [ ] Use the appropriate [RSpec metadata tag(s)](https://docs.gitlab.com/ee/development/testing_guide/end_to_end/rspec_metadata_tests.html#rspec-metadata-for-end-to-end-tests).
-- [ ] Ensure that a created resource is removed after test execution.
+- [ ] Ensure that a created resource is removed after test execution. A `Group` resource can be shared between multiple tests. Do not remove it unless it has a unique path. Note that we have a cleanup job that periodically removes groups under `gitlab-qa-sandbox-group`.
 - [ ] Ensure that no [transient bugs](https://about.gitlab.com/handbook/engineering/quality/issue-triage/#transient-bugs) are hidden accidentally due to the usage of `waits` and `reloads`.
 - [ ] Verify the tags to ensure it runs on the desired test environments.
 - [ ] If this MR has a dependency on another MR, such as a GitLab QA MR, specify the order in which the MRs should be merged.

.gitlab/merge_request_templates/Quarantine End to End Test.md

+## What does this MR do?
+
+<!--
+Please describe why the end-to-end test is being quarantined/ de-quarantined.
+
+Please note that the aim of quarantining a test is not to get back a green pipeline, but rather to reduce
+the noise (due to constantly failing tests, flaky tests, and so on) so that new failures are not missed.
+-->
+
+
+### E2E Test Failure issue(s)
+
+<!-- Please link to the respective E2E test failure issue. -->
+
+
+### Check-list
+
+- [ ] General code guidelines check-list
+  - [ ] [Code review guidelines](https://docs.gitlab.com/ee/development/code_review.html)
+  - [ ] [Style guides](https://docs.gitlab.com/ee/development/contributing/style_guides.html)
+- [ ] Quarantine test check-list
+  - [ ] Follow the [Quarantining Tests guide](https://about.gitlab.com/handbook/engineering/quality/guidelines/debugging-qa-test-failures/#quarantining-tests).
+  - [ ] Confirm the test has a [`quarantine:` tag with the specified quarantine type](https://about.gitlab.com/handbook/engineering/quality/guidelines/debugging-qa-test-failures/#quarantined-test-types).
+  - [ ] Note if the test should be [quarantined for a specific environment](https://docs.gitlab.com/ee/development/testing_guide/end_to_end/environment_selection.html#quarantining-a-test-for-a-specific-environment).
+- [ ] Dequarantine test check-list
+  - [ ] Follow the [Dequarantining Tests guide](https://about.gitlab.com/handbook/engineering/quality/guidelines/debugging-qa-test-failures/#dequarantining-tests).
+  - [ ] Confirm the test consistently passes on the target GitLab environment(s).
+    - [ ] (Optionally) [Trigger a manual GitLab-QA pipeline](https://about.gitlab.com/handbook/engineering/quality/guidelines/tips-and-tricks/#running-gitlab-qa-pipeline-against-a-specific-gitlab-release) against a specific GitLab environment using the `RELEASE` variable from the `package-and-qa` job of the current merge request.
+- [ ] To ensure a faster turnaround, ask in the `#quality` Slack channel for someone to review and merge the merge request, rather than assigning it directly.
+
+<!-- Base labels. -->
+/label ~"Quality" ~"QA" ~"feature" ~"feature::maintenance"
+
+<!-- Labels to pick into auto-deploy. -->
+/label ~"Pick into auto-deploy" ~"priority::1" ~"severity::1"
+
+<!--
+Choose the stage that appears in the test path, e.g. ~"devops::create" for
+`qa/specs/features/browser_ui/3_create/web_ide/add_file_template_spec.rb`.
+-->
+/label ~devops::
+
+<!-- Select the current milestone. -->
+/milestone %

.haml-lint.yml

@@ -104,22 +104,18 @@ linters:
 
       # These cops should eventually get enabled
       - Cop/LineBreakAfterGuardClauses
-      - Cop/LineBreakAroundConditionalBlock
       - Cop/ProjectPathHelper
+      - Gitlab/FeatureAvailableUsage
       - GitlabSecurity/PublicSend
       - Layout/EmptyLineAfterGuardClause
       - Layout/LeadingCommentSpace
-      - Layout/SpaceAfterColon
-      - Layout/SpaceAfterComma
       - Layout/SpaceAroundOperators
       - Layout/SpaceBeforeBlockBraces
       - Layout/SpaceBeforeComma
       - Layout/SpaceBeforeFirstArg
-      - Layout/SpaceInsideArrayLiteralBrackets
       - Layout/SpaceInsideHashLiteralBraces
       - Layout/SpaceInsideStringInterpolation
       - Layout/TrailingEmptyLines
-      - Lint/BooleanSymbol
       - Lint/LiteralInInterpolation
       - Lint/ParenthesesAsGroupedExpression
       - Lint/RedundantWithIndex
@@ -131,18 +127,14 @@ linters:
       - Rails/LinkToBlank
       - Rails/Presence
       - Rails/RequestReferer
-      - Style/AndOr
       - Style/ColonMethodCall
       - Style/ConditionalAssignment
       - Style/HashSyntax
       - Style/IdenticalConditionalBranches
       - Style/NegatedIf
       - Style/NestedTernaryOperator
-      - Style/Not
       - Style/ParenthesesAroundCondition
-      - Style/RedundantParentheses
       - Style/SelfAssignment
-      - Style/Semicolon
       - Style/TernaryParentheses
       - Style/TrailingCommaInHashLiteral
       - Style/UnlessElse
@@ -150,6 +142,9 @@ linters:
       - Style/WordArray
       - Style/ZeroLengthPredicate
 
+      # WIP See https://gitlab.com/gitlab-org/gitlab/-/issues/207950
+      - Cop/UserAdmin
+
   RubyComments:
     enabled: true
 

.rubocop.yml

@@ -629,3 +629,31 @@ Lint/RedundantSafeNavigation:
 
 Style/ClassEqualityComparison:
   Enabled: true
+
+# WIP See https://gitlab.com/gitlab-org/gitlab/-/issues/207950
+Cop/UserAdmin:
+  Enabled: true
+  Exclude:
+    - 'app/controllers/admin/sessions_controller.rb'
+    - 'app/controllers/concerns/enforces_admin_authentication.rb'
+    - 'app/policies/base_policy.rb'
+    - 'lib/gitlab/auth/current_user_mode.rb'
+    - 'spec/**/*.rb'
+    - 'ee/spec/**/*.rb'
+
+Performance/OpenStruct:
+  Exclude:
+    - 'ee/spec/**/*.rb'
+
+# See https://gitlab.com/gitlab-org/gitlab/-/issues/327495
+Style/RegexpLiteral:
+  Enabled: false
+
+Style/RegexpLiteralMixedPreserve:
+  Enabled: true
+  SupportedStyles:
+    - slashes
+    - percent_r
+    - mixed
+    - mixed_preserve
+  EnforcedStyle: mixed_preserve

.rubocop_todo.yml

@@ -32,24 +32,6 @@ Graphql/IDType:
 Layout/ArgumentAlignment:
   Enabled: false
 
-# Offense count: 11
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyleAlignWith, Severity.
-# SupportedStylesAlignWith: start_of_line, begin
-Layout/BeginEndAlignment:
-  Exclude:
-    - 'app/controllers/groups/shared_projects_controller.rb'
-    - 'app/workers/concerns/reactive_cacheable_worker.rb'
-    - 'ee/app/services/security/token_revocation_service.rb'
-    - 'ee/lib/gitlab/analytics/cycle_analytics/summary/group/deploy.rb'
-    - 'ee/lib/gitlab/ci/config/entry/vault/secret.rb'
-    - 'lib/api/internal/base.rb'
-    - 'lib/atlassian/jira_connect/serializers/build_entity.rb'
-    - 'lib/gitlab/ci/jwt.rb'
-    - 'lib/gitlab/external_authorization/client.rb'
-    - 'lib/gitlab/phabricator_import/project_creator.rb'
-    - 'scripts/gitaly_test.rb'
-
 # Offense count: 54
 # Cop supports --auto-correct.
 # Configuration parameters: AllowAliasSyntax, AllowedMethods.
@@ -94,20 +76,6 @@ Layout/LineLength:
 Layout/MultilineOperationIndentation:
   Enabled: false
 
-# Offense count: 11
-# Cop supports --auto-correct.
-Layout/RescueEnsureAlignment:
-  Exclude:
-    - 'app/models/blob_viewer/dependency_manager.rb'
-    - 'app/models/project.rb'
-    - 'app/services/prometheus/proxy_service.rb'
-    - 'app/workers/concerns/reactive_cacheable_worker.rb'
-    - 'app/workers/delete_stored_files_worker.rb'
-    - 'config/initializers/1_settings.rb'
-    - 'config/initializers/trusted_proxies.rb'
-    - 'lib/api/internal/base.rb'
-    - 'lib/gitlab/highlight.rb'
-
 # Offense count: 53
 # Cop supports --auto-correct.
 Layout/SpaceAroundMethodCallOperator:
@@ -202,21 +170,6 @@ Lint/MixedRegexpCaptureTypes:
 Lint/RedundantCopDisableDirective:
   Enabled: false
 
-# Offense count: 9
-# Cop supports --auto-correct.
-# Configuration parameters: AllowedMethods.
-# AllowedMethods: instance_of?, kind_of?, is_a?, eql?, respond_to?, equal?
-Lint/RedundantSafeNavigation:
-  Exclude:
-    - 'app/controllers/concerns/labels_as_hash.rb'
-    - 'app/policies/note_policy.rb'
-    - 'app/services/users/update_canonical_email_service.rb'
-    - 'ee/app/presenters/iteration_presenter.rb'
-    - 'ee/app/services/ee/members/destroy_service.rb'
-    - 'ee/lib/ee/gitlab/email/handler/reply_processing.rb'
-    - 'qa/qa/specs/helpers/quarantine.rb'
-    - 'spec/controllers/boards/issues_controller_spec.rb'
-
 # Offense count: 1
 Lint/SelfAssignment:
   Exclude:
@@ -255,12 +208,6 @@ Metrics/CyclomaticComplexity:
 Metrics/PerceivedComplexity:
   Max: 25
 
-# Offense count: 1
-# Cop supports --auto-correct.
-Migration/DepartmentName:
-  Exclude:
-    - 'app/models/commit.rb'
-
 # Offense count: 196
 # Configuration parameters: ExpectMatchingDefinition, CheckDefinitionPathHierarchy, Regex, IgnoreExecutableScripts, AllowedAcronyms.
 # AllowedAcronyms: CLI, DSL, ACL, API, ASCII, CPU, CSS, DNS, EOF, GUID, HTML, HTTP, HTTPS, ID, IP, JSON, LHS, QPS, RAM, RHS, RPC, SLA, SMTP, SQL, SSH, TCP, TLS, TTL, UDP, UI, UID, UUID, URI, URL, UTF8, VM, XML, XMPP, XSRF, XSS
@@ -693,11 +640,6 @@ Rails/WhereEquals:
 Rails/WhereExists:
   Enabled: false
 
-# Offense count: 21
-# Cop supports --auto-correct.
-Rails/WhereNot:
-  Enabled: false
-
 # Offense count: 8
 # Cop supports --auto-correct.
 Security/YAMLLoad:
@@ -903,11 +845,6 @@ Style/Next:
 Style/NumericLiteralPrefix:
   Enabled: false
 
-# Offense count: 140
-# Cop supports --auto-correct.
-Style/ParallelAssignment:
-  Enabled: false
-
 # Offense count: 2698
 # Cop supports --auto-correct.
 # Configuration parameters: PreferredDelimiters.
@@ -922,11 +859,6 @@ Style/RaiseArgs:
   Enabled: false
   EnforcedStyle: exploded
 
-# Offense count: 73
-# Cop supports --auto-correct.
-Style/RedundantAssignment:
-  Enabled: false
-
 # Offense count: 2
 # Cop supports --auto-correct.
 Style/RedundantBegin:
@@ -951,11 +883,6 @@ Style/RedundantFetchBlock:
 Style/RedundantFileExtensionInRequire:
   Enabled: false
 
-# Offense count: 248
-# Cop supports --auto-correct.
-Style/RedundantFreeze:
-  Enabled: false
-
 # Offense count: 206
 # Cop supports --auto-correct.
 Style/RedundantInterpolation:
@@ -985,20 +912,6 @@ Style/RedundantRegexpEscape:
 Style/RedundantSelf:
   Enabled: false
 
-# Offense count: 2
-# Cop supports --auto-correct.
-Style/RedundantSelfAssignment:
-  Exclude:
-    - 'app/models/concerns/issuable.rb'
-    - 'spec/db/schema_spec.rb'
-
-# Offense count: 213
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, AllowInnerSlashes.
-# SupportedStyles: slashes, percent_r, mixed
-Style/RegexpLiteral:
-  Enabled: false
-
 # Offense count: 53
 # Cop supports --auto-correct.
 Style/RescueModifier:

CHANGELOG.md

@@ -571,6 +571,43 @@ entry.
 - Convert mattermost alert to pajamas. !56556
 
 
+## 13.9.6 (2021-04-13)
+
+### Security (2 changes)
+
+- Clean only legitimate JPG and TIFF files.
+- Update ruby-saml and rexml gems.
+
+
+## 13.9.5 (2021-03-31)
+
+### Security (6 changes)
+
+- Leave pool repository on fork unlinking.
+- Fixed XSS in merge requests sidebar.
+- Fix arbitrary read/write in AsciiDoctor and Kroki gems.
+- Prevent infinite loop when checking if collaboration is allowed.
+- Disable arbitrary URI and file reads in JSON validator.
+- Require POST request to trigger system hooks.
+
+### Removed (1 change)
+
+- Make HipChat project service do nothing. !57434
+
+### Other (3 changes)
+
+- Remove direct mimemagic dependency. !57387
+- Refactor MimeMagic calls to new MimeType class. !57421
+- Switch to using a fake mimemagic gem. !57443
+
+
+## 13.9.4 (2021-03-17)
+
+### Security (1 change)
+
+- Patch Kramdown syntax highlighter gem.
+
+
 ## 13.9.3 (2021-03-08)
 
 ### Fixed (4 changes)
@@ -1179,6 +1216,42 @@ entry.
 - Apply new GitLab UI for buttons in pipeline schedules.
 
 
+## 13.8.8 (2021-04-13)
+
+### Security (2 changes)
+
+- Clean only legitimate JPG and TIFF files.
+- Update ruby-saml and rexml gems.
+
+
+## 13.8.7 (2021-03-31)
+
+### Security (5 changes)
+
+- Fixed XSS in merge requests sidebar.
+- Leave pool repository on fork unlinking.
+- Fix arbitrary read/write in AsciiDoctor and Kroki gems.
+- Prevent infinite loop when checking if collaboration is allowed.
+- Require POST request to trigger system hooks.
+
+### Removed (1 change)
+
+- Make HipChat project service do nothing. !57434
+
+### Other (3 changes)
+
+- Remove direct mimemagic dependency. !57387
+- Refactor MimeMagic calls to new MimeType class. !57421
+- Switch to using a fake mimemagic gem. !57443
+
+
+## 13.8.6 (2021-03-17)
+
+### Security (1 change)
+
+- Patch Kramdown syntax highlighter gem.
+
+
 ## 13.8.5 (2021-03-04)
 
 ### Security (6 changes)
@@ -1591,6 +1664,13 @@ entry.
 - Add verbiage + link sast to show it's in core. !51935
 
 
+## 13.7.9 (2021-03-17)
+
+### Security (1 change)
+
+- Patch Kramdown syntax highlighter gem.
+
+
 ## 13.7.8 (2021-03-04)
 
 ### Security (5 changes)

GITALY_SERVER_VERSION

-13.10.3
\ No newline at end of file
+88b95248f53231b8fc7f06070773df7dfb0ddcb7

GITLAB_KAS_VERSION

-13.9.1
+13.11.1

GITLAB_PAGES_VERSION

-1.36.0
+1.38.0

README.md

@@ -80,7 +80,7 @@ GitLab is a Ruby on Rails application that runs on the following software:
 
 - Ubuntu/Debian/CentOS/RHEL/OpenSUSE
 - Ruby (MRI) 2.7.2
-- Git 2.24+
+- Git 2.31+
 - Redis 4.0+
 - PostgreSQL 11+
 

Rakefile

@@ -4,6 +4,8 @@
 # Add your own tasks in files placed in lib/tasks ending in .rake,
 # for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
 
+Rake::TaskManager.record_task_metadata = true
+
 require File.expand_path('config/application', __dir__)
 
 relative_url_conf = File.expand_path('config/initializers/relative_url', __dir__)

app/assets/images/learn_gitlab/section_plan.svg

+<svg width="40" height="40" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M3.343 6c.82 0 1.516.145 1.968.34.198.085.315.165.375.218v31.441a1.45 1.45 0 01-.375.218c-.452.195-1.148.34-1.968.34-.82 0-1.516-.145-1.968-.34A1.45 1.45 0 011 37.999V6.558c.06-.053.177-.133.375-.218C1.827 6.145 2.523 6 3.343 6z" fill="#EFEDF8" stroke="#6E49CB" stroke-width="2"/><path fill-rule="evenodd" clip-rule="evenodd" d="M6.686 6.41l21.724 6.692c2.085.642 2.122 1.774.095 2.523L6.686 23.69V6.412z" fill="#6E49CB"/></svg>
\ No newline at end of file

app/assets/images/learn_gitlab/section_workspace.svg

+<svg width="40" height="40" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M14.544 6.44C14.816 5.58 15.581 5 16.442 5h1.116c.861 0 1.626.58 1.898 1.44l1.05 3.32c.744.238 1.456.55 2.13.93l2.974-1.566c.77-.405 1.7-.247 2.309.394l.79.832c.608.64.76 1.62.374 2.43l-1.486 3.131c.359.71.656 1.46.882 2.243l3.153 1.106c.817.287 1.368 1.091 1.368 1.998v1.176c0 .906-.55 1.71-1.368 1.998l-3.153 1.106a12.936 12.936 0 01-.882 2.242l1.486 3.131c.385.81.234 1.79-.374 2.43l-.79.832c-.609.641-1.539.8-2.309.395l-2.973-1.566c-.675.379-1.387.692-2.13.93l-1.051 3.32c-.272.86-1.037 1.44-1.898 1.44h-1.116c-.861 0-1.626-.58-1.898-1.44l-1.05-3.32a11.604 11.604 0 01-2.13-.93L8.39 34.569c-.77.406-1.7.247-2.309-.395l-.79-.831a2.189 2.189 0 01-.374-2.43l1.487-3.131c-.36-.71-.657-1.46-.883-2.243l-3.153-1.106C1.55 24.145 1 23.34 1 22.434v-1.176c0-.906.55-1.711 1.368-1.998l3.153-1.106c.226-.783.523-1.533.883-2.243l-1.487-3.13a2.19 2.19 0 01.374-2.431l.79-.832c.609-.64 1.539-.8 2.309-.394l2.973 1.565a11.599 11.599 0 012.13-.93l1.051-3.32zM17 30.269c4.418 0 8-3.771 8-8.423s-3.582-8.423-8-8.423-8 3.771-8 8.423 3.582 8.423 8 8.423z" fill="#EFEDF8" stroke="#6E49CB" stroke-width="2"/><path d="M17 27.11c2.762 0 5-2.357 5-5.264 0-2.908-2.238-5.265-5-5.265-2.76 0-5 2.357-5 5.265 0 2.907 2.24 5.264 5 5.264z" stroke="#6E49CB" stroke-linecap="round"/></svg>
\ No newline at end of file

app/assets/javascripts/admin/statistics_panel/constants.js

@@ -3,7 +3,7 @@ import { s__ } from '~/locale';
 const statisticsLabels = {
   forks: s__('AdminStatistics|Forks'),
   issues: s__('AdminStatistics|Issues'),
-  mergeRequests: s__('AdminStatistics|Merge Requests'),
+  mergeRequests: s__('AdminStatistics|Merge requests'),
   notes: s__('AdminStatistics|Notes'),
   snippets: s__('AdminStatistics|Snippets'),
   sshKeys: s__('AdminStatistics|SSH Keys'),