Add latest changes from gitlab-org/gitlab@master

.gitlab/ci/reports.gitlab-ci.yml

@@ -20,7 +20,7 @@ code_quality:
   variables:
     DOCKER_DRIVER: overlay2
     DOCKER_TLS_CERTDIR: ""
-    CODE_QUALITY_IMAGE: "registry.gitlab.com/gitlab-org/security-products/codequality:0.85.9"
+    CODE_QUALITY_IMAGE: "registry.gitlab.com/gitlab-org/ci-cd/codequality:0.85.9"
   script:
     - |
       if ! docker info &>/dev/null; then

app/controllers/groups/settings/ci_cd_controller.rb

@@ -7,7 +7,7 @@ module Groups
       before_action :authorize_admin_group!
       before_action :authorize_update_max_artifacts_size!, only: [:update]
       before_action do
-        push_frontend_feature_flag(:new_variables_ui, @group, default_enabled: true)
+        push_frontend_feature_flag(:new_variables_ui, @group)
       end
       before_action :define_variables, only: [:show, :create_deploy_token]
 

app/controllers/projects/settings/ci_cd_controller.rb

@@ -6,7 +6,7 @@ module Projects
       before_action :authorize_admin_pipeline!
       before_action :define_variables
       before_action do
-        push_frontend_feature_flag(:new_variables_ui, @project, default_enabled: true)
+        push_frontend_feature_flag(:new_variables_ui, @project)
       end
 
       def show

app/finders/award_emojis_finder.rb

@@ -41,7 +41,7 @@ class AwardEmojisFinder
   def validate_name_param
     return unless params[:name]
 
-    raise ArgumentError, 'Invalid name param' unless params[:name].in?(Gitlab::Emoji.emojis_names)
+    raise ArgumentError, 'Invalid name param' unless params[:name].to_s.in?(Gitlab::Emoji.emojis_names)
   end
 
   def validate_awarded_by_param

app/models/concerns/usage_statistics.rb

+# frozen_string_literal: true
+
+module UsageStatistics
+  extend ActiveSupport::Concern
+
+  class_methods do
+    def distinct_count_by(column = nil, fallback = -1)
+      distinct.count(column)
+    rescue ActiveRecord::StatementInvalid
+      fallback
+    end
+  end
+end

app/models/discussion.rb

@@ -14,6 +14,7 @@ class Discussion
             :author,
             :noteable,
             :commit_id,
+            :confidential?,
             :for_commit?,
             :for_merge_request?,
             :noteable_ability_name,

app/models/note.rb

@@ -320,6 +320,13 @@ class Note < ApplicationRecord
     super(noteable_type.to_s.classify.constantize.base_class.to_s)
   end
 
+  def noteable_assignee_or_author?(user)
+    return false unless user
+    return noteable.assignee_or_author?(user) if [MergeRequest, Issue].include?(noteable.class)
+
+    noteable.author_id == user.id
+  end
+
   def special_role=(role)
     raise "Role is undefined, #{role} not found in #{SpecialRole.values}" unless SpecialRole.value?(role)
 
@@ -337,7 +344,7 @@ class Note < ApplicationRecord
   end
 
   def confidential?
-    noteable.try(:confidential?)
+    confidential || noteable.try(:confidential?)
   end
 
   def editable?

app/models/zoom_meeting.rb

 # frozen_string_literal: true
 
 class ZoomMeeting < ApplicationRecord
+  include UsageStatistics
+
   belongs_to :project, optional: false
   belongs_to :issue, optional: false
 
@@ -23,10 +25,4 @@ class ZoomMeeting < ApplicationRecord
   def self.canonical_meeting_url(issue)
     canonical_meeting(issue)&.url
   end
-
-  def self.distinct_count_by(column = nil, fallback = -1)
-    distinct.count(column)
-  rescue ActiveRecord::StatementInvalid
-    fallback
-  end
 end

app/policies/note_policy.rb

 # frozen_string_literal: true
 
 class NotePolicy < BasePolicy
+  include Gitlab::Utils::StrongMemoize
+
   delegate { @subject.resource_parent }
   delegate { @subject.noteable if DeclarativePolicy.has_policy?(@subject.noteable) }
 
@@ -13,6 +15,12 @@ class NotePolicy < BasePolicy
 
   condition(:is_visible) { @subject.system_note_with_references_visible_for?(@user) }
 
+  condition(:confidential, scope: :subject) { @subject.confidential? }
+
+  condition(:can_read_confidential) do
+    access_level >= Gitlab::Access::REPORTER || @subject.noteable_assignee_or_author?(@user)
+  end
+
   rule { ~editable }.prevent :admin_note
 
   # If user can't read the issue/MR/etc then they should not be allowed to do anything to their own notes
@@ -39,4 +47,37 @@ class NotePolicy < BasePolicy
   rule { is_noteable_author }.policy do
     enable :resolve_note
   end
+
+  rule { confidential & ~can_read_confidential }.policy do
+    prevent :read_note
+    prevent :admin_note
+    prevent :resolve_note
+    prevent :award_emoji
+  end
+
+  def parent_namespace
+    strong_memoize(:parent_namespace) do
+      next if @subject.is_a?(PersonalSnippet)
+      next @subject.noteable.group if @subject.noteable&.is_a?(Epic)
+
+      @subject.project
+    end
+  end
+
+  def access_level
+    return -1 if @user.nil?
+    return -1 unless parent_namespace
+
+    lookup_access_level!
+  end
+
+  def lookup_access_level!
+    return ::Gitlab::Access::REPORTER if alert_bot?
+
+    if parent_namespace.is_a?(Project)
+      parent_namespace.team.max_member_access(@user.id)
+    else
+      parent_namespace.max_member_access_for_user(@user)
+    end
+  end
 end

app/services/users/build_service.rb

@@ -28,9 +28,7 @@ module Users
         end
       end
 
-      unless identity_params.empty?
-        user.identities.build(identity_params)
-      end
+      build_identity(user)
 
       user
     end
@@ -41,6 +39,12 @@ module Users
       [:extern_uid, :provider]
     end
 
+    def build_identity(user)
+      return if identity_params.empty?
+
+      user.identities.build(identity_params)
+    end
+
     def can_create_user?
       (current_user.nil? && Gitlab::CurrentSettings.allow_signup?) || current_user&.admin?
     end

app/views/ci/variables/_index.html.haml

@@ -5,7 +5,7 @@
     - link_start = '<a href="%{url}">'.html_safe % { url: help_page_path('ci/variables/README', anchor: 'protected-variables') }
     = s_('Environment variables are configured by your administrator to be %{link_start}protected%{link_end} by default').html_safe % { link_start: link_start, link_end: '</a>'.html_safe }
 
-- if Feature.enabled?(:new_variables_ui, @project || @group, default_enabled: true)
+- if Feature.enabled?(:new_variables_ui, @project || @group)
   - is_group = !@group.nil?
 
   #js-ci-project-variables{ data: { endpoint: save_endpoint, project_id: @project&.id || '', group: is_group.to_s, maskable_regex: ci_variable_maskable_regex} }

changelogs/unreleased/210335-fix-handling-of-numeric-emoji-names.yml

+---
+title: Fix backend validation of numeric emoji names
+merge_request: 27101
+author:
+type: fixed

changelogs/unreleased/ci-variables-ui-turn-on-ff.yml

----
-title: Set new_variables_ui feature flag default value to true
-merge_request: 25731
-author:
-type: added

changelogs/unreleased/mo-use-new-code-quality-image.yml

+---
+title: Use new codequality docker image from ci-cd group
+merge_request: 27098
+author:
+type: other

doc/development/contributing/issue_workflow.md

@@ -287,12 +287,12 @@ This label documents the planned timeline & urgency which is used to measure aga
 Severity labels help us clearly communicate the impact of a ~bug on users.
 There can be multiple facets of the impact. The below is a guideline.
 
-| Label | Meaning           | Functionality                                         | Affected Users                   | GitLab.com Availability                            | Performance Degradation      |
-|-------|-------------------|-------------------------------------------------------|----------------------------------|----------------------------------------------------|------------------------------|
-| ~S1   | Blocker           | Unusable feature with no workaround, user is blocked  | Impacts 50% or more of users     | Outage, Significant impact on all of GitLab.com    |                                                       |
-| ~S2   | Critical Severity | Broken Feature, workaround too complex & unacceptable | Impacts between 25%-50% of users | Significant impact on large portions of GitLab.com | Degradation is guaranteed to occur in the near future |
-| ~S3   | Major Severity    | Broken feature with an acceptable workaround          | Impacts up to 25% of users       | Limited impact on important portions of GitLab.com | Degradation is likely to occur in the near future     |
-| ~S4   | Low Severity      | Functionality inconvenience or cosmetic issue         | Impacts less than 5% of users    | Minor impact on GitLab.com                         | Degradation _may_ occur but it's not likely           |
+| Label | Meaning           | Functionality                                         | Affected Users                   | GitLab.com Availability                            | Performance Degradation                               | API/Web Response time[^1]  |
+|-------|-------------------|-------------------------------------------------------|----------------------------------|----------------------------------------------------|-------------------------------------------------------|----------------------------|
+| ~S1   | Blocker           | Unusable feature with no workaround, user is blocked  | Impacts 50% or more of users     | Outage, Significant impact on all of GitLab.com    |                                                       | Above 9000ms to timing out |
+| ~S2   | Critical Severity | Broken Feature, workaround too complex & unacceptable | Impacts between 25%-50% of users | Significant impact on large portions of GitLab.com | Degradation is guaranteed to occur in the near future | Between 2000ms and 9000ms  |
+| ~S3   | Major Severity    | Broken feature with an acceptable workaround          | Impacts up to 25% of users       | Limited impact on important portions of GitLab.com | Degradation is likely to occur in the near future     | Between 1000ms and 2000ms  |
+| ~S4   | Low Severity      | Functionality inconvenience or cosmetic issue         | Impacts less than 5% of users    | Minor impact on GitLab.com                         | Degradation _may_ occur but it's not likely           | Between 500ms and 1000ms   |
 
 If a bug seems to fall between two severity labels, assign it to the higher-severity label.
 
@@ -503,3 +503,8 @@ to be involved in some capacity when work begins on the follow-up issue.
 ---
 
 [Return to Contributing documentation](index.md)
+
+[^1]: Our current response time standard is based on the TTFB P90 results of the
+      GitLab Performance Tool (GPT) being run against the 10k-user reference
+      environment. This run happens nightly and results are outputted to the
+      [wiki on the GPT project.](https://gitlab.com/gitlab-org/quality/performance/-/wikis/Benchmarks/Latest/10k)

doc/topics/autodevops/index.md

@@ -420,7 +420,7 @@ tests, it's up to you to add them.
 ### Auto Code Quality **(STARTER)**
 
 Auto Code Quality uses the
-[Code Quality image](https://gitlab.com/gitlab-org/security-products/codequality) to run
+[Code Quality image](https://gitlab.com/gitlab-org/ci-cd/codequality) to run
 static analysis and other code checks on the current code. The report is
 created, and is uploaded as an artifact which you can later download and check
 out.

doc/update/README.md

@@ -50,6 +50,7 @@ However, for this to work there are the following requirements:
    migrations](../development/post_deployment_migrations.md) (included in
    zero downtime update steps below).
 - You are using PostgreSQL. Starting from GitLab 12.1, MySQL is not supported.
+- Multi-node GitLab instance. Single-node instances may experience brief interruptions as services restart.
 
 Most of the time you can safely upgrade from a patch release to the next minor
 release if the patch release is not the latest. For example, upgrading from

doc/user/group/epics/index.md

@@ -23,7 +23,7 @@ graph TD
     Parent_epic --> Issue1
     Parent_epic --> Child_epic
     Child_epic --> Issue2
-````
+```
 
 ## Use cases
 
@@ -184,6 +184,8 @@ have a [start or due date](#start-date-and-due-date), a
 
 ![Child epics roadmap](img/epic_view_roadmap_v12_9.png)
 
+---
+
 ## Reordering issues and child epics
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/9367) in GitLab 12.5.
@@ -240,6 +242,8 @@ You can always reopen it using the reopen button.
 
 ![reopen epic - button](img/button_reopen_epic.png)
 
+---
+
 ### Using quick actions
 
 You can close or reopen an epic using [Quick actions](../../project/quick_actions.md)
@@ -251,9 +255,12 @@ link in the issue sidebar.
 
 ![containing epic](img/containing_epic.png)
 
+---
+
 ## Promoting an issue to an epic
 
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/3777) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 11.6.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/3777) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 11.6.
+> - In [GitLab 12.8](https://gitlab.com/gitlab-org/gitlab/issues/37081), it was moved to the Premium tier.
 
 If you have [permissions](../../permissions.md) to close an issue and create an
 epic in the parent group, you can promote an issue to an epic with the `/promote`
@@ -276,10 +283,11 @@ The following issue metadata will be copied to the epic:
 
 ## Searching for an epic from epics list page
 
-> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.5.
+> - Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.5.
+> - In [GitLab 12.8](https://gitlab.com/gitlab-org/gitlab/issues/37081), it was moved to the Premium tier.
 
 You can search for an epic from the list of epics using filtered search bar (similar to
-that of Issues and Merge requests) based on following parameters:
+that of Issues and Merge Requests) based on following parameters:
 
 - Title or description
 - Author name / username
@@ -287,22 +295,26 @@ that of Issues and Merge requests) based on following parameters:
 
 ![epics search](img/epics_search.png)
 
-To search, go to the list of epics and click on the field **Search or filter results...**.
+To search, go to the list of epics and click on the field **Search or filter results**.
 It will display a dropdown menu, from which you can add an author. You can also enter plain
 text to search by epic title or description. When done, press <kbd>Enter</kbd> on your
 keyboard to filter the list.
 
 You can also sort epics list by:
 
-- **Created date**
-- **Last updated**
-- **Start date**
-- **Due date**
+- Created date
+- Last updated
+- Start date
+- Due date
 
-Each option contains a button that can toggle the order between **ascending** and **descending**. The sort option and order will be persisted to be used wherever epics are browsed including the [roadmap](../roadmap/index.md).
+Each option contains a button that can toggle the order between **Ascending** and **Descending**.
+The sort option and order is saved and used wherever you browse epics, including the
+[Roadmap](../roadmap/index.md).
 
 ![epics sort](img/epics_sort.png)
 
+---
+
 ## Permissions
 
 If you have access to view an epic and have access to view an issue already
@@ -315,7 +327,7 @@ Note that for a given group, the visibility of all projects must be the same as
 the group, or less restrictive. That means if you have access to a group's epic,
 then you already have access to its projects' issues.
 
-You may also consult the [group permissions table](../../permissions.md#group-members-permissions).
+You can also consult the [group permissions table](../../permissions.md#group-members-permissions).
 
 ## Thread
 
@@ -323,20 +335,20 @@ You may also consult the [group permissions table](../../permissions.md#group-me
   These text fields also fully support
   [GitLab Flavored Markdown](../../markdown.md#gitlab-flavored-markdown-gfm).
 
-## Comment, or start a thread
+## Comment or start a thread
 
-Once you wrote your comment, you can either:
+Once you write your comment, you can either:
 
-- Click "Comment" and your comment will be published.
-- Click "Start thread": start a thread within that epic's discussion to discuss specific points.
+- Click **Comment**, and your comment will be published.
+- Click **Start thread**, and you will start a thread within that epic's discussion.
 
 ## Award emoji
 
-- You can [award an emoji](../../award_emojis.md) to that epic or its comments.
+You can [award an emoji](../../award_emojis.md) to that epic or its comments.
 
 ## Notifications
 
-- [Receive notifications](../../profile/notifications.md) for epic events.
+You can [turn on notifications](../../profile/notifications.md) to be alerted about epic events.
 
 <!-- ## Troubleshooting
 

doc/user/markdown.md

@@ -408,7 +408,6 @@ GFM will recognize the following:
 | merge request                   | `!123`                     | `namespace/project!123`                 | `project!123`                  |
 | snippet                         | `$123`                     | `namespace/project$123`                 | `project$123`                  |
 | epic **(ULTIMATE)**             | `&123`                     | `group1/subgroup&123`                   |                                |
-| design **(PREMIUM)**            | `#123[file.jpg]` or `#123["file.png"]` | `group1/subgroup#123[file.png]`         | `project#123[file.png]`         |
 | label by ID                     | `~123`                     | `namespace/project~123`                 | `project~123`                  |
 | one-word label by name          | `~bug`                     | `namespace/project~bug`                 | `project~bug`                  |
 | multi-word label by name        | `~"feature request"`       | `namespace/project~"feature request"`   | `project~"feature request"`    |
@@ -421,6 +420,12 @@ GFM will recognize the following:
 | repository file references      | `[README](doc/README)`     |                                         |                                |
 | repository file line references | `[README](doc/README#L13)` |                                         |                                |
 
+In addition to this, links to some objects are also recognized and formatted. Some examples of these are:
+
+- Comments on issues: `"https://gitlab.com/gitlab-org/gitlab/-/issues/1234#note_101075757"`, which will be rendered as `#1234 (note1)`
+- The issues designs tab: `"https://gitlab.com/gitlab-org/gitlab/issues/1234/designs"`, which will be rendered as `#1234 (designs)`.
+  **(PREMIUM)**
+
 ### Task lists
 
 > If this is not rendered correctly, [view it in GitLab itself](https://gitlab.com/gitlab-org/gitlab/blob/master/doc/user/markdown.md#task-lists).

doc/user/project/issues/design_management.md

@@ -39,13 +39,6 @@ Design Management requires that projects are using
 
 If the requirements are not met, the **Designs** tab displays a message to the user.
 
-### Feature Flags
-
-- Reference Parsing
-
-  Designs support short references in Markdown, but this needs to be enabled by setting
-  the `:design_management_reference_filter_gfm_pipeline` feature flag.
-
 ## Supported files
 
 Files uploaded must have a file extension of either `png`, `jpg`, `jpeg`,
@@ -169,32 +162,3 @@ Different discussions have different badge numbers:
 
 From GitLab 12.5 on, new annotations will be outputted to the issue activity,
 so that everyone involved can participate in the discussion.
-
-## References
-
-GitLab Flavored Markdown supports references to designs. The syntax for this is:
-
-  `#123[file.jpg]` - the issue reference, with the filename in square braces
-
-File names may contain a variety of odd characters, so two escaping mechanisms are supported:
-
-### Quoting
-
-File names may be quoted with double quotation marks, eg:
-
-  `#123["file.jpg"]`
-
-This is useful if, for instance, your filename has square braces in its name. In this scheme, all
-double quotation marks in the file name need to be escaped with backslashes, and backslashes need
-to be escaped likewise:
-
-  `#123["with with \"quote\" marks and a backslash \\.png"]`
-
-### Base64 Encoding
-
-In the case of file names that include HTML elements, you will need to escape these names to avoid
-them being processed as HTML literals. To do this, we support base64 encoding, eg.
-
-  The file `<a>.jpg` can be referenced as `#123[base64:PGE+LmpwZwo=]`
-
-Obviously we would advise against using such filenames.

doc/user/project/issues/index.md

@@ -50,7 +50,8 @@ must be set.
             </ul>
             <li>State</li>
             <ul>
-                <li>Status (open/closed)</li>
+                <li>State (open or closed)</li>
+                <li>Status (On track, Needs attention, or At risk)</li>
                 <li>Confidentiality</li>
                 <li>Tasks (completed vs. outstanding)</li>
             </ul>
@@ -109,8 +110,7 @@ view, you can also make certain changes [in bulk](../bulk_editing.md) to the dis
 For more information, see the [Issue Data and Actions](issue_data_and_actions.md) page
 for a rundown of all the fields and information in an issue.
 
-You can sort a list of issues several ways, including by issue creation date, milestone due date,
-etc. For more information, see the [Sorting and Ordering Issue Lists](sorting_issue_lists.md) page.
+You can sort a list of issues in several ways, for example by issue creation date, milestone due date. For more information, see the [Sorting and Ordering Issue Lists](sorting_issue_lists.md) page.
 
 ### Issue boards
 
@@ -157,12 +157,38 @@ To prevent duplication of issues for the same topic, GitLab searches for similar
 when new issues are being created.
 
 When typing in the title in the **New Issue** page, GitLab searches titles and descriptions
-across all issues the user has access to in the current project. Up 5 similar issues,
+across all issues the user has access to in the current project. Up to five similar issues,
 sorted by most recently updated, are displayed below the title box. Note that this feature
 requires [GraphQL](../../../api/graphql/index.md) to be enabled.
 
 ![Similar issues](img/similar_issues.png)
 
+---
+
+### Status **(ULTIMATE)**
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/36427) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9.
+
+To help you track the status of your issues, you can assign a status to each issue to flag work that's progressing as planned or needs attention to keep on schedule:
+
+- `On track` (green)
+- `Needs attention` (amber)
+- `At risk` (red)
+
+!["On track" health status on an issue](img/issue_health_status_v12_9.png)
+
+---
+
+#### Enable issue health status
+
+This feature comes with the `:save_issuable_health_status` feature flag disabled by default. However, in some cases
+this feature is incompatible with old configuration. To turn on the feature while configuration is
+migrated, ask a GitLab administrator with Rails console access to run the following command:
+
+```ruby
+Feature.enable(:save_issuable_health_status)
+```
+
 ## Other Issue actions
 
 - [Create an issue from a template](../../project/description_templates.md#using-the-templates)

doc/user/project/merge_requests/code_quality.md

@@ -16,7 +16,7 @@ Code Quality:
   subscription.
 - Runs in [pipelines](../../../ci/pipelines/index.md) using a Docker image built in the
   [GitLab Code
-  Quality](https://gitlab.com/gitlab-org/security-products/codequality) project using [default Code Climate configurations](https://gitlab.com/gitlab-org/security-products/codequality/-/tree/master/codeclimate_defaults).
+  Quality](https://gitlab.com/gitlab-org/ci-cd/codequality) project using [default Code Climate configurations](https://gitlab.com/gitlab-org/ci-cd/codequality/-/tree/master/codeclimate_defaults).
 - Can make use of a [template](#example-configuration).
 - Is available with [Auto
   DevOps](../../../topics/autodevops/index.md#auto-code-quality-starter).
@@ -135,14 +135,14 @@ code_quality:
         --env SOURCE_CODE="$PWD"
         --volume "$PWD":/code
         --volume /var/run/docker.sock:/var/run/docker.sock
-        "registry.gitlab.com/gitlab-org/security-products/codequality:$SP_VERSION" /code
+        "registry.gitlab.com/gitlab-org/ci-cd/codequality:$SP_VERSION" /code
   artifacts:
     reports:
       codequality: gl-code-quality-report.json
 ```
 
 In GitLab 12.6, Code Quality switched to the
-[new versioning scheme](https://gitlab.com/gitlab-org/security-products/codequality/-/merge_requests/38).
+[new versioning scheme](https://gitlab.com/gitlab-org/ci-cd/codequality#versioning-and-release-cycle).
 It is highly recommended to include the Code Quality template as shown in the
 [example configuration](#example-configuration), which uses the new versioning scheme.
 If not using the template, the `SP_VERSION` variable can be hardcoded to use the
@@ -162,7 +162,7 @@ code_quality:
         --env SOURCE_CODE="$PWD"
         --volume "$PWD":/code
         --volume /var/run/docker.sock:/var/run/docker.sock
-        "registry.gitlab.com/gitlab-org/security-products/codequality:$SP_VERSION" /code
+        "registry.gitlab.com/gitlab-org/ci-cd/codequality:$SP_VERSION" /code
   artifacts:
     reports:
       codequality: gl-code-quality-report.json
@@ -184,7 +184,7 @@ code_quality:
         --env SOURCE_CODE="$PWD"
         --volume "$PWD":/code
         --volume /var/run/docker.sock:/var/run/docker.sock
-        "registry.gitlab.com/gitlab-org/security-products/codequality:$SP_VERSION" /code
+        "registry.gitlab.com/gitlab-org/ci-cd/codequality:$SP_VERSION" /code
   artifacts:
       paths: [gl-code-quality-report.json]
 ```
@@ -216,7 +216,7 @@ The Code Quality job supports environment variables that users can set to
 configure job execution at runtime.
 
 For a list of available environment variables, see
-[Environment variables](https://gitlab.com/gitlab-org/security-products/codequality/blob/master/README.md#environment-variables).
+[Environment variables](https://gitlab.com/gitlab-org/ci-cd/codequality#environment-variables).
 
 ## Implementing a custom tool
 

lib/gitlab/ci/templates/Jobs/Code-Quality.gitlab-ci.yml

@@ -7,7 +7,7 @@ code_quality:
   variables:
     DOCKER_DRIVER: overlay2
     DOCKER_TLS_CERTDIR: ""
-    CODE_QUALITY_IMAGE: "registry.gitlab.com/gitlab-org/security-products/codequality:0.85.9"
+    CODE_QUALITY_IMAGE: "registry.gitlab.com/gitlab-org/ci-cd/codequality:0.85.9"
   script:
     - |
       if ! docker info &>/dev/null; then

lib/gitlab/sidekiq_middleware/server_metrics.rb

@@ -46,7 +46,7 @@ module Gitlab
           @metrics[:sidekiq_jobs_cpu_seconds].observe(labels, job_thread_cputime)
           @metrics[:sidekiq_jobs_completion_seconds].observe(labels, monotonic_time)
           @metrics[:sidekiq_jobs_db_seconds].observe(labels, ActiveRecord::LogSubscriber.runtime / 1000)
-          @metrics[:sidekiq_jobs_gitaly_seconds].observe(labels, Gitlab::GitalyClient.query_time)
+          @metrics[:sidekiq_jobs_gitaly_seconds].observe(labels, get_gitaly_time(job))
         end
       end
 
@@ -69,6 +69,10 @@ module Gitlab
       def get_thread_cputime
         defined?(Process::CLOCK_THREAD_CPUTIME_ID) ? Process.clock_gettime(Process::CLOCK_THREAD_CPUTIME_ID) : 0
       end
+
+      def get_gitaly_time(job)
+        job.fetch(:gitaly_duration, 0) / 1000.0
+      end
     end
   end
 end

spec/factories/notes.rb

@@ -164,6 +164,10 @@ FactoryBot.define do
       attachment { fixture_file_upload("spec/fixtures/git-cheat-sheet.pdf", "application/pdf") }
     end
 
+    trait :confidential do
+      confidential { true }
+    end
+
     transient do
       in_reply_to { nil }
     end

spec/factories/pages_domains.rb

@@ -7,39 +7,11 @@ FactoryBot.define do
     enabled_until { 1.week.from_now }
 
     certificate do
-      '-----BEGIN CERTIFICATE-----
-MIICGzCCAYSgAwIBAgIBATANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExB0ZXN0
-LWNlcnRpZmljYXRlMB4XDTE2MDIxMjE0MzIwMFoXDTIwMDQxMjE0MzIwMFowGzEZ
-MBcGA1UEAxMQdGVzdC1jZXJ0aWZpY2F0ZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
-gYkCgYEApL4J9L0ZxFJ1hI1LPIflAlAGvm6ZEvoT4qKU5Xf2JgU7/2geNR1qlNFa
-SvCc08Knupp5yTgmvyK/Xi09U0N82vvp4Zvr/diSc4A/RA6Mta6egLySNT438kdT
-nY2tR5feoTLwQpX0t4IMlwGQGT5h6Of2fKmDxzuwuyffcIHqLdsCAwEAAaNvMG0w
-DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUxl9WSxBprB0z0ibJs3rXEk0+95AwCwYD
-VR0PBAQDAgXgMBEGCWCGSAGG+EIBAQQEAwIGQDAeBglghkgBhvhCAQ0EERYPeGNh
-IGNlcnRpZmljYXRlMA0GCSqGSIb3DQEBBQUAA4GBAGC4T8SlFHK0yPSa+idGLQFQ
-joZp2JHYvNlTPkRJ/J4TcXxBTJmArcQgTIuNoBtC+0A/SwdK4MfTCUY4vNWNdese
-5A4K65Nb7Oh1AdQieTBHNXXCdyFsva9/ScfQGEl7p55a52jOPs0StPd7g64uvjlg
-YHi2yesCrOvVXt+lgPTd
------END CERTIFICATE-----'
+      File.read(Rails.root.join('spec/fixtures/', 'ssl_certificate.pem'))
     end
 
     key do
-      '-----BEGIN PRIVATE KEY-----
-MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAKS+CfS9GcRSdYSN
-SzyH5QJQBr5umRL6E+KilOV39iYFO/9oHjUdapTRWkrwnNPCp7qaeck4Jr8iv14t
-PVNDfNr76eGb6/3YknOAP0QOjLWunoC8kjU+N/JHU52NrUeX3qEy8EKV9LeCDJcB
-kBk+Yejn9nypg8c7sLsn33CB6i3bAgMBAAECgYA2D26w80T7WZvazYr86BNMePpd
-j2mIAqx32KZHzt/lhh40J/SRtX9+Kl0Y7nBoRR5Ja9u/HkAIxNxLiUjwg9r6cpg/
-uITEF5nMt7lAk391BuI+7VOZZGbJDsq2ulPd6lO+C8Kq/PI/e4kXcIjeH6KwQsuR
-5vrXfBZ3sQfflaiN4QJBANBt8JY2LIGQF8o89qwUpRL5vbnKQ4IzZ5+TOl4RLR7O
-AQpJ81tGuINghO7aunctb6rrcKJrxmEH1whzComybrMCQQDKV49nOBudRBAIgG4K
-EnLzsRKISUHMZSJiYTYnablof8cKw1JaQduw7zgrUlLwnroSaAGX88+Jw1f5n2Lh
-Vlg5AkBDdUGnrDLtYBCDEQYZHblrkc7ZAeCllDOWjxUV+uMqlCv8A4Ey6omvY57C
-m6I8DkWVAQx8VPtozhvHjUw80rZHAkB55HWHAM3h13axKG0htCt7klhPsZHpx6MH
-EPjGlXIT+aW2XiPmK3ZlCDcWIenE+lmtbOpI159Wpk8BGXs/s/xBAkEAlAY3ymgx
-63BDJEwvOb2IaP8lDDxNsXx9XJNVvQbv5n15vNsLHbjslHfAhAbxnLQ1fLhUPqSi
-nNp/xedE1YxutQ==
------END PRIVATE KEY-----'
+      File.read(Rails.root.join('spec/fixtures/', 'ssl_key.pem'))
     end
 
     trait :disabled do

spec/factories/serverless/domain_cluster.rb

@@ -7,39 +7,11 @@ FactoryBot.define do
     creator { create(:user) }
 
     certificate do
-      '-----BEGIN CERTIFICATE-----
-MIICGzCCAYSgAwIBAgIBATANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExB0ZXN0
-LWNlcnRpZmljYXRlMB4XDTE2MDIxMjE0MzIwMFoXDTIwMDQxMjE0MzIwMFowGzEZ
-MBcGA1UEAxMQdGVzdC1jZXJ0aWZpY2F0ZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
-gYkCgYEApL4J9L0ZxFJ1hI1LPIflAlAGvm6ZEvoT4qKU5Xf2JgU7/2geNR1qlNFa
-SvCc08Knupp5yTgmvyK/Xi09U0N82vvp4Zvr/diSc4A/RA6Mta6egLySNT438kdT
-nY2tR5feoTLwQpX0t4IMlwGQGT5h6Of2fKmDxzuwuyffcIHqLdsCAwEAAaNvMG0w
-DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUxl9WSxBprB0z0ibJs3rXEk0+95AwCwYD
-VR0PBAQDAgXgMBEGCWCGSAGG+EIBAQQEAwIGQDAeBglghkgBhvhCAQ0EERYPeGNh
-IGNlcnRpZmljYXRlMA0GCSqGSIb3DQEBBQUAA4GBAGC4T8SlFHK0yPSa+idGLQFQ
-joZp2JHYvNlTPkRJ/J4TcXxBTJmArcQgTIuNoBtC+0A/SwdK4MfTCUY4vNWNdese
-5A4K65Nb7Oh1AdQieTBHNXXCdyFsva9/ScfQGEl7p55a52jOPs0StPd7g64uvjlg
-YHi2yesCrOvVXt+lgPTd
------END CERTIFICATE-----'
+      File.read(Rails.root.join('spec/fixtures/', 'ssl_certificate.pem'))
     end
 
     key do
-      '-----BEGIN PRIVATE KEY-----
-MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAKS+CfS9GcRSdYSN
-SzyH5QJQBr5umRL6E+KilOV39iYFO/9oHjUdapTRWkrwnNPCp7qaeck4Jr8iv14t
-PVNDfNr76eGb6/3YknOAP0QOjLWunoC8kjU+N/JHU52NrUeX3qEy8EKV9LeCDJcB
-kBk+Yejn9nypg8c7sLsn33CB6i3bAgMBAAECgYA2D26w80T7WZvazYr86BNMePpd
-j2mIAqx32KZHzt/lhh40J/SRtX9+Kl0Y7nBoRR5Ja9u/HkAIxNxLiUjwg9r6cpg/
-uITEF5nMt7lAk391BuI+7VOZZGbJDsq2ulPd6lO+C8Kq/PI/e4kXcIjeH6KwQsuR
-5vrXfBZ3sQfflaiN4QJBANBt8JY2LIGQF8o89qwUpRL5vbnKQ4IzZ5+TOl4RLR7O
-AQpJ81tGuINghO7aunctb6rrcKJrxmEH1whzComybrMCQQDKV49nOBudRBAIgG4K
-EnLzsRKISUHMZSJiYTYnablof8cKw1JaQduw7zgrUlLwnroSaAGX88+Jw1f5n2Lh
-Vlg5AkBDdUGnrDLtYBCDEQYZHblrkc7ZAeCllDOWjxUV+uMqlCv8A4Ey6omvY57C
-m6I8DkWVAQx8VPtozhvHjUw80rZHAkB55HWHAM3h13axKG0htCt7klhPsZHpx6MH
-EPjGlXIT+aW2XiPmK3ZlCDcWIenE+lmtbOpI159Wpk8BGXs/s/xBAkEAlAY3ymgx
-63BDJEwvOb2IaP8lDDxNsXx9XJNVvQbv5n15vNsLHbjslHfAhAbxnLQ1fLhUPqSi
-nNp/xedE1YxutQ==
------END PRIVATE KEY-----'
+      File.read(Rails.root.join('spec/fixtures/', 'ssl_key.pem'))
     end
   end
 end

spec/factories/snippets.rb

@@ -48,6 +48,7 @@ FactoryBot.define do
     trait :secret do
       visibility_level { Snippet::PUBLIC }
       secret { true }
+      project { nil }
     end
   end
 end

spec/features/projects/pages_spec.rb

@@ -135,43 +135,11 @@ shared_examples 'pages settings editing' do
 
       context 'when pages are exposed on external HTTPS address', :https_pages_enabled, :js do
         let(:certificate_pem) do
-          <<~PEM
-          -----BEGIN CERTIFICATE-----
-          MIICGzCCAYSgAwIBAgIBATANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExB0ZXN0
-          LWNlcnRpZmljYXRlMB4XDTE2MDIxMjE0MzIwMFoXDTIwMDQxMjE0MzIwMFowGzEZ
-          MBcGA1UEAxMQdGVzdC1jZXJ0aWZpY2F0ZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
-          gYkCgYEApL4J9L0ZxFJ1hI1LPIflAlAGvm6ZEvoT4qKU5Xf2JgU7/2geNR1qlNFa
-          SvCc08Knupp5yTgmvyK/Xi09U0N82vvp4Zvr/diSc4A/RA6Mta6egLySNT438kdT
-          nY2tR5feoTLwQpX0t4IMlwGQGT5h6Of2fKmDxzuwuyffcIHqLdsCAwEAAaNvMG0w
-          DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUxl9WSxBprB0z0ibJs3rXEk0+95AwCwYD
-          VR0PBAQDAgXgMBEGCWCGSAGG+EIBAQQEAwIGQDAeBglghkgBhvhCAQ0EERYPeGNh
-          IGNlcnRpZmljYXRlMA0GCSqGSIb3DQEBBQUAA4GBAGC4T8SlFHK0yPSa+idGLQFQ
-          joZp2JHYvNlTPkRJ/J4TcXxBTJmArcQgTIuNoBtC+0A/SwdK4MfTCUY4vNWNdese
-          5A4K65Nb7Oh1AdQieTBHNXXCdyFsva9/ScfQGEl7p55a52jOPs0StPd7g64uvjlg
-          YHi2yesCrOvVXt+lgPTd
-          -----END CERTIFICATE-----
-          PEM
+          attributes_for(:pages_domain)[:certificate]
         end
 
         let(:certificate_key) do
-          <<~KEY
-          -----BEGIN PRIVATE KEY-----
-          MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAKS+CfS9GcRSdYSN
-          SzyH5QJQBr5umRL6E+KilOV39iYFO/9oHjUdapTRWkrwnNPCp7qaeck4Jr8iv14t
-          PVNDfNr76eGb6/3YknOAP0QOjLWunoC8kjU+N/JHU52NrUeX3qEy8EKV9LeCDJcB
-          kBk+Yejn9nypg8c7sLsn33CB6i3bAgMBAAECgYA2D26w80T7WZvazYr86BNMePpd
-          j2mIAqx32KZHzt/lhh40J/SRtX9+Kl0Y7nBoRR5Ja9u/HkAIxNxLiUjwg9r6cpg/
-          uITEF5nMt7lAk391BuI+7VOZZGbJDsq2ulPd6lO+C8Kq/PI/e4kXcIjeH6KwQsuR
-          5vrXfBZ3sQfflaiN4QJBANBt8JY2LIGQF8o89qwUpRL5vbnKQ4IzZ5+TOl4RLR7O
-          AQpJ81tGuINghO7aunctb6rrcKJrxmEH1whzComybrMCQQDKV49nOBudRBAIgG4K
-          EnLzsRKISUHMZSJiYTYnablof8cKw1JaQduw7zgrUlLwnroSaAGX88+Jw1f5n2Lh
-          Vlg5AkBDdUGnrDLtYBCDEQYZHblrkc7ZAeCllDOWjxUV+uMqlCv8A4Ey6omvY57C
-          m6I8DkWVAQx8VPtozhvHjUw80rZHAkB55HWHAM3h13axKG0htCt7klhPsZHpx6MH
-          EPjGlXIT+aW2XiPmK3ZlCDcWIenE+lmtbOpI159Wpk8BGXs/s/xBAkEAlAY3ymgx
-          63BDJEwvOb2IaP8lDDxNsXx9XJNVvQbv5n15vNsLHbjslHfAhAbxnLQ1fLhUPqSi
-          nNp/xedE1YxutQ==
-          -----END PRIVATE KEY-----
-          KEY
+          attributes_for(:pages_domain)[:key]
         end
 
         it 'adds new domain with certificate' do

spec/finders/award_emojis_finder_spec.rb

@@ -20,6 +20,11 @@ describe AwardEmojisFinder do
       )
     end
 
+    it 'does not raise an error if `name` is numeric' do
+      subject = described_class.new(issue_1, { name: 100 })
+      expect { subject.execute }.not_to raise_error
+    end
+
     it 'raises an error if `awarded_by` is invalid' do
       expectation = [ArgumentError, 'Invalid awarded_by param']
 

spec/fixtures/ssl_certificate.pem

+-----BEGIN CERTIFICATE-----
+MIIBrzCCARgCCQDbfQx2zdkNYTANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBB0
+ZXN0LWNlcnRpZmljYXRlMCAXDTIwMDMxNjE0MjAzNFoYDzIyMjAwMTI4MTQyMDM0
+WjAbMRkwFwYDVQQDDBB0ZXN0LWNlcnRpZmljYXRlMIGfMA0GCSqGSIb3DQEBAQUA
+A4GNADCBiQKBgQCkvgn0vRnEUnWEjUs8h+UCUAa+bpkS+hPiopTld/YmBTv/aB41
+HWqU0VpK8JzTwqe6mnnJOCa/Ir9eLT1TQ3za++nhm+v92JJzgD9EDoy1rp6AvJI1
+PjfyR1Odja1Hl96hMvBClfS3ggyXAZAZPmHo5/Z8qYPHO7C7J99wgeot2wIDAQAB
+MA0GCSqGSIb3DQEBCwUAA4GBACc+chrTAuvnMBTedc4/dy16pEesK6oGjywYUd/0
+/FBr8Vry7QUXMSgfraza9S0V+JvFvZFqkkOyJKW+m30kThWzyc/2e+BRxTh/QrxP
+0j84QXtmnVtW4jsAwfBBfg78ST27eyp/WhruI6F/kZlXhfAed0RcPbRnbi3yvUPL
+Lo4T
+-----END CERTIFICATE-----

spec/fixtures/ssl_key.pem

+-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAKS+CfS9GcRSdYSN
+SzyH5QJQBr5umRL6E+KilOV39iYFO/9oHjUdapTRWkrwnNPCp7qaeck4Jr8iv14t
+PVNDfNr76eGb6/3YknOAP0QOjLWunoC8kjU+N/JHU52NrUeX3qEy8EKV9LeCDJcB
+kBk+Yejn9nypg8c7sLsn33CB6i3bAgMBAAECgYA2D26w80T7WZvazYr86BNMePpd
+j2mIAqx32KZHzt/lhh40J/SRtX9+Kl0Y7nBoRR5Ja9u/HkAIxNxLiUjwg9r6cpg/
+uITEF5nMt7lAk391BuI+7VOZZGbJDsq2ulPd6lO+C8Kq/PI/e4kXcIjeH6KwQsuR
+5vrXfBZ3sQfflaiN4QJBANBt8JY2LIGQF8o89qwUpRL5vbnKQ4IzZ5+TOl4RLR7O
+AQpJ81tGuINghO7aunctb6rrcKJrxmEH1whzComybrMCQQDKV49nOBudRBAIgG4K
+EnLzsRKISUHMZSJiYTYnablof8cKw1JaQduw7zgrUlLwnroSaAGX88+Jw1f5n2Lh
+Vlg5AkBDdUGnrDLtYBCDEQYZHblrkc7ZAeCllDOWjxUV+uMqlCv8A4Ey6omvY57C
+m6I8DkWVAQx8VPtozhvHjUw80rZHAkB55HWHAM3h13axKG0htCt7klhPsZHpx6MH
+EPjGlXIT+aW2XiPmK3ZlCDcWIenE+lmtbOpI159Wpk8BGXs/s/xBAkEAlAY3ymgx
+63BDJEwvOb2IaP8lDDxNsXx9XJNVvQbv5n15vNsLHbjslHfAhAbxnLQ1fLhUPqSi
+nNp/xedE1YxutQ==
+-----END PRIVATE KEY-----

spec/lib/gitlab/sidekiq_middleware/server_metrics_spec.rb

@@ -67,7 +67,7 @@ describe Gitlab::SidekiqMiddleware::ServerMetrics do
             allow(Gitlab::Metrics::System).to receive(:monotonic_time).and_return(monotonic_time_before, monotonic_time_after)
             allow(Gitlab::InstrumentationHelper).to receive(:queue_duration_for_job).with(job).and_return(queue_duration_for_job)
             allow(ActiveRecord::LogSubscriber).to receive(:runtime).and_return(db_duration * 1000)
-            allow(Gitlab::GitalyClient).to receive(:query_time).and_return(gitaly_duration)
+            allow(subject).to receive(:get_gitaly_time).and_return(gitaly_duration)
 
             expect(running_jobs_metric).to receive(:increment).with(labels, 1)
             expect(running_jobs_metric).to receive(:increment).with(labels, -1)

spec/lib/gitlab/sidekiq_middleware_spec.rb

@@ -8,6 +8,8 @@ describe Gitlab::SidekiqMiddleware do
     include Sidekiq::Worker
 
     def perform(_arg)
+      Gitlab::SafeRequestStore['gitaly_call_actual'] = 1
+      Gitlab::GitalyClient.query_time = 5
     end
   end
 
@@ -99,6 +101,24 @@ describe Gitlab::SidekiqMiddleware do
       it "passes through server middlewares" do
         worker_class.perform_async(*job_args)
       end
+
+      context "server metrics" do
+        let(:gitaly_histogram) { double(:gitaly_histogram) }
+
+        before do
+          allow(Gitlab::Metrics).to receive(:histogram).and_call_original
+
+          allow(Gitlab::Metrics).to receive(:histogram)
+                                      .with(:sidekiq_jobs_gitaly_seconds, anything, anything, anything)
+                                      .and_return(gitaly_histogram)
+        end
+
+        it "records correct Gitaly duration" do
+          expect(gitaly_histogram).to receive(:observe).with(anything, 5.0)
+
+          worker_class.perform_async(*job_args)
+        end
+      end
     end
   end
 

spec/lib/gitlab/usage_data_spec.rb

@@ -387,6 +387,22 @@ describe Gitlab::UsageData do
           expect(described_class.count(relation, fallback: 15, batch: false)).to eq(15)
         end
       end
+
+      describe '#distinct_count' do
+        let(:relation) { double(:relation) }
+
+        it 'returns the count when counting succeeds' do
+          allow(relation).to receive(:distinct_count_by).and_return(1)
+
+          expect(described_class.distinct_count(relation, batch: false)).to eq(1)
+        end
+
+        it 'returns the fallback value when counting fails' do
+          allow(relation).to receive(:distinct_count_by).and_raise(ActiveRecord::StatementInvalid.new(''))
+
+          expect(described_class.distinct_count(relation, fallback: 15, batch: false)).to eq(15)
+        end
+      end
     end
   end
 end

spec/models/concerns/usage_statistics_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe UsageStatistics do
+  describe '.distinct_count_by' do
+    let_it_be(:issue_1) { create(:issue) }
+    let_it_be(:issue_2) { create(:issue) }
+
+    context 'two records created by the same issue' do
+      let!(:models_created_by_issue) do
+        create(:zoom_meeting, :added_to_issue, issue: issue_1)
+        create(:zoom_meeting, :removed_from_issue, issue: issue_1)
+      end
+
+      it 'returns a count of 1' do
+        expect(::ZoomMeeting.distinct_count_by(:issue_id)).to eq(1)
+      end
+
+      context 'when given no column to count' do
+        it 'counts by :id and returns a count of 2' do
+          expect(::ZoomMeeting.distinct_count_by).to eq(2)
+        end
+      end
+    end
+
+    context 'one record created by each issue' do
+      let!(:model_created_by_issue_1) { create(:zoom_meeting, issue: issue_1) }
+      let!(:model_created_by_issue_2) { create(:zoom_meeting, issue: issue_2) }
+
+      it 'returns a count of 2' do
+        expect(::ZoomMeeting.distinct_count_by(:issue_id)).to eq(2)
+      end
+    end
+
+    context 'the count query times out' do
+      before do
+        allow_next_instance_of(ActiveRecord::Relation) do |instance|
+          allow(instance).to receive(:count).and_raise(ActiveRecord::StatementInvalid.new(''))
+        end
+      end
+
+      it 'does not raise an error' do
+        expect { ::ZoomMeeting.distinct_count_by(:issue_id) }.not_to raise_error
+      end
+
+      it 'returns -1' do
+        expect(::ZoomMeeting.distinct_count_by(:issue_id)).to eq(-1)
+      end
+    end
+  end
+end

spec/models/note_spec.rb

@@ -270,18 +270,35 @@ describe Note do
     end
   end
 
-  describe "confidential?" do
-    it "delegates to noteable" do
-      issue_note = build(:note, :on_issue)
-      confidential_note = build(:note, noteable: create(:issue, confidential: true))
+  describe '#confidential?' do
+    context 'when note is not confidential' do
+      it 'is true when a noteable is confidential' do
+        issue = create(:issue, :confidential)
+        note = build(:note, noteable: issue, project: issue.project)
 
-      expect(issue_note.confidential?).to be_falsy
-      expect(confidential_note.confidential?).to be_truthy
+        expect(note.confidential?).to be_truthy
+      end
+
+      it 'is false when a noteable is not confidential' do
+        issue = create(:issue, confidential: false)
+        note = build(:note, noteable: issue, project: issue.project)
+
+        expect(note.confidential?).to be_falsy
+      end
+
+      it "is falsey when noteable can't be confidential" do
+        commit_note = build(:note_on_commit)
+
+        expect(commit_note.confidential?).to be_falsy
+      end
     end
+    context 'when note is confidential' do
+      it 'is true even when a noteable is not confidential' do
+        issue = create(:issue, confidential: false)
+        note = build(:note, :confidential, noteable: issue, project: issue.project)
 
-    it "is falsey when noteable can't be confidential" do
-      commit_note = build(:note_on_commit)
-      expect(commit_note.confidential?).to be_falsy
+        expect(note.confidential?).to be_truthy
+      end
     end
   end
 
@@ -1230,5 +1247,69 @@ describe Note do
         expect(notes.second.id).to eq(note2.id)
       end
     end
+
+    describe '#noteable_assignee_or_author' do
+      let(:user) { create(:user) }
+      let(:noteable) { create(:issue) }
+      let(:note) { create(:note, project: noteable.project, noteable: noteable) }
+
+      subject { note.noteable_assignee_or_author?(user) }
+
+      shared_examples 'assignee check' do
+        context 'when the provided user is one of the assignees' do
+          before do
+            note.noteable.update(assignees: [user, create(:user)])
+          end
+
+          it 'returns true' do
+            expect(subject).to be_truthy
+          end
+        end
+      end
+
+      shared_examples 'author check' do
+        context 'when the provided user is the author' do
+          before do
+            note.noteable.update(author: user)
+          end
+
+          it 'returns true' do
+            expect(subject).to be_truthy
+          end
+        end
+
+        context 'when the provided user is neither author nor assignee' do
+          it 'returns true' do
+            expect(subject).to be_falsey
+          end
+        end
+      end
+
+      context 'when user is nil' do
+        let(:user) { nil }
+
+        it 'returns false' do
+          expect(subject).to be_falsey
+        end
+      end
+
+      context 'when noteable is an issue' do
+        it_behaves_like 'author check'
+        it_behaves_like 'assignee check'
+      end
+
+      context 'when noteable is a merge request' do
+        let(:noteable) { create(:merge_request) }
+
+        it_behaves_like 'author check'
+        it_behaves_like 'assignee check'
+      end
+
+      context 'when noteable is a snippet' do
+        let(:noteable) { create(:personal_snippet) }
+
+        it_behaves_like 'author check'
+      end
+    end
   end
 end

spec/models/pages_domain_spec.rb

@@ -7,11 +7,6 @@ describe PagesDomain do
 
   subject(:pages_domain) { described_class.new }
 
-  # Locking in date due to cert expiration date https://gitlab.com/gitlab-org/gitlab/-/issues/210557#note_304749257
-  around do |example|
-    Timecop.travel(Time.new(2020, 3, 12)) { example.run }
-  end
-
   describe 'associations' do
     it { is_expected.to belong_to(:project) }
     it { is_expected.to have_many(:serverless_domain_clusters) }
@@ -102,8 +97,8 @@ describe PagesDomain do
     it 'saves validity time' do
       domain.save
 
-      expect(domain.certificate_valid_not_before).to be_like_time(Time.parse("2016-02-12 14:32:00 UTC"))
-      expect(domain.certificate_valid_not_after).to be_like_time(Time.parse("2020-04-12 14:32:00 UTC"))
+      expect(domain.certificate_valid_not_before).to be_like_time(Time.parse("2020-03-16 14:20:34 UTC"))
+      expect(domain.certificate_valid_not_after).to be_like_time(Time.parse("2220-01-28 14:20:34 UTC"))
     end
   end
 

spec/models/zoom_meeting_spec.rb

@@ -151,51 +151,4 @@ describe ZoomMeeting do
       it_behaves_like 'can remove meetings'
     end
   end
-
-  describe '.distinct_count_by' do
-    let(:issue_1) { create(:issue) }
-    let(:issue_2) { create(:issue) }
-
-    context 'two meetings for the same issue' do
-      before do
-        create(:zoom_meeting, issue: issue_1)
-        create(:zoom_meeting, :removed_from_issue, issue: issue_1)
-      end
-
-      it 'returns a count of 1' do
-        expect(described_class.distinct_count_by(:issue_id)).to eq(1)
-      end
-
-      context 'when given no colum to count' do
-        it 'counts by :id and returns a count of 2' do
-          expect(described_class.distinct_count_by).to eq(2)
-        end
-      end
-    end
-
-    context 'one meeting for each issue' do
-      it 'returns a count of 2' do
-        create(:zoom_meeting, issue: issue_1)
-        create(:zoom_meeting, issue: issue_2)
-
-        expect(described_class.distinct_count_by(:issue_id)).to eq(2)
-      end
-    end
-
-    context 'the count query times out' do
-      before do
-        allow_next_instance_of(ActiveRecord::Relation) do |instance|
-          allow(instance).to receive(:count).and_raise(ActiveRecord::StatementInvalid.new(''))
-        end
-      end
-
-      it 'does not raise an error' do
-        expect { described_class.distinct_count_by(:issue_id) }.not_to raise_error
-      end
-
-      it 'returns -1' do
-        expect(described_class.distinct_count_by(:issue_id)).to eq(-1)
-      end
-    end
-  end
 end

spec/policies/note_policy_spec.rb

@@ -238,6 +238,101 @@ describe NotePolicy do
           end
         end
       end
+
+      context 'with confidential notes' do
+        def permissions(user, note)
+          described_class.new(user, note)
+        end
+
+        let(:reporter) { create(:user) }
+        let(:developer) { create(:user) }
+        let(:maintainer) { create(:user) }
+        let(:guest) { create(:user) }
+        let(:non_member) { create(:user) }
+        let(:author) { create(:user) }
+        let(:assignee) { create(:user) }
+
+        before do
+          project.add_reporter(reporter)
+          project.add_developer(developer)
+          project.add_maintainer(maintainer)
+          project.add_guest(guest)
+        end
+
+        shared_examples_for 'confidential notes permissions' do
+          it 'does not allow non members to read confidential notes and replies' do
+            expect(permissions(non_member, confidential_note)).to be_disallowed(:read_note, :admin_note, :resolve_note, :award_emoji)
+          end
+
+          it 'does not allow guests to read confidential notes and replies' do
+            expect(permissions(guest, confidential_note)).to be_disallowed(:read_note, :admin_note, :resolve_note, :award_emoji)
+          end
+
+          it 'allows reporter to read all notes but not resolve and admin them' do
+            expect(permissions(reporter, confidential_note)).to be_allowed(:read_note, :award_emoji)
+            expect(permissions(reporter, confidential_note)).to be_disallowed(:admin_note, :resolve_note)
+          end
+
+          it 'allows developer to read and resolve all notes' do
+            expect(permissions(developer, confidential_note)).to be_allowed(:read_note, :award_emoji, :resolve_note)
+            expect(permissions(developer, confidential_note)).to be_disallowed(:admin_note)
+          end
+
+          it 'allows maintainers to read all notes and admin them' do
+            expect(permissions(maintainer, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji)
+          end
+
+          it 'allows noteable author to read and resolve all notes' do
+            expect(permissions(author, confidential_note)).to be_allowed(:read_note, :resolve_note, :award_emoji)
+            expect(permissions(author, confidential_note)).to be_disallowed(:admin_note)
+          end
+        end
+
+        context 'for issues' do
+          let(:issue) { create(:issue, project: project, author: author, assignees: [assignee]) }
+          let(:confidential_note) { create(:note, :confidential, project: project, noteable: issue) }
+
+          it_behaves_like 'confidential notes permissions'
+
+          it 'allows noteable assignees to read all notes' do
+            expect(permissions(assignee, confidential_note)).to be_allowed(:read_note, :award_emoji)
+            expect(permissions(assignee, confidential_note)).to be_disallowed(:admin_note, :resolve_note)
+          end
+        end
+
+        context 'for merge requests' do
+          let(:merge_request) { create(:merge_request, source_project: project, author: author, assignees: [assignee]) }
+          let(:confidential_note) { create(:note, :confidential, project: project, noteable: merge_request) }
+
+          it_behaves_like 'confidential notes permissions'
+
+          it 'allows noteable assignees to read all notes' do
+            expect(permissions(assignee, confidential_note)).to be_allowed(:read_note, :award_emoji)
+            expect(permissions(assignee, confidential_note)).to be_disallowed(:admin_note, :resolve_note)
+          end
+        end
+
+        context 'for project snippets' do
+          let(:project_snippet) { create(:project_snippet, project: project, author: author) }
+          let(:confidential_note) { create(:note, :confidential, project: project, noteable: project_snippet) }
+
+          it_behaves_like 'confidential notes permissions'
+        end
+
+        context 'for personal snippets' do
+          let(:personal_snippet) { create(:personal_snippet, author: author) }
+          let(:confidential_note) { create(:note, :confidential, project: nil, noteable: personal_snippet) }
+
+          it 'allows snippet author to read and resolve all notes' do
+            expect(permissions(author, confidential_note)).to be_allowed(:read_note, :resolve_note, :award_emoji)
+            expect(permissions(author, confidential_note)).to be_disallowed(:admin_note)
+          end
+
+          it 'does not allow maintainers to read confidential notes and replies' do
+            expect(permissions(maintainer, confidential_note)).to be_disallowed(:read_note, :admin_note, :resolve_note, :award_emoji)
+          end
+        end
+      end
     end
   end
 end

spec/workers/pages_domain_ssl_renewal_cron_worker_spec.rb

@@ -7,11 +7,6 @@ describe PagesDomainSslRenewalCronWorker do
 
   subject(:worker) { described_class.new }
 
-  # Locking in date due to cert expiration date https://gitlab.com/gitlab-org/gitlab/-/issues/210557#note_304749257
-  around do |example|
-    Timecop.travel(Time.new(2020, 3, 12)) { example.run }
-  end
-
   before do
     stub_lets_encrypt_settings
   end